Play interactive tour

Edit tour

Windows Analysis Report https://archive.org/download/MCOPY/MCOPY.tar

Overview

General Information

Sample URL:	https://archive.org/download/MCOPY/MCOPY.tar
Analysis ID:	447280
Infos:
Most interesting Screenshot:

Detection

MailPassView

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara detected MailPassView

Machine Learning detection for dropped file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected WebBrowserPassView password recovery tool

Antivirus or Machine Learning detection for unpacked file

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains strange resources

Potential browser exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

iexplore.exe (PID: 2332 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 1808 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2332 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

unarchiver.exe (PID: 4448 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MCOPY.tar' MD5: DB55139D9DD29F24AE8EA8F0E5606901)

7za.exe (PID: 4600 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MCOPY.tar' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 4232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5776 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RJCGQP.exe (PID: 1488 cmdline: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe MD5: AD4B4A3179D923A637CEB9AC2E1CB00A)

cmd.exe (PID: 5504 cmdline: C:\Windows\system32\cmd.exe /c A.exe /stext A.txt MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

A.exe (PID: 5804 cmdline: A.exe /stext A.txt MD5: 8104093918B6F2D2004535B24B1533BA)

cmd.exe (PID: 4560 cmdline: C:\Windows\system32\cmd.exe /c B.exe /stext B.txt MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

B.exe (PID: 2396 cmdline: B.exe /stext B.txt MD5: 62B2864C32CB33F57A65F47269D91BE4)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: A.exe PID: 5804	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: B.exe PID: 2396	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
24.2.B.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
15.2.A.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe

Avira: detection malicious, Label: DR/AutoIt.Gen8

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\A.exe	Metadefender: Detection: 32%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\A.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\B.exe	Metadefender: Detection: 28%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\B.exe	ReversingLabs: Detection: 72%
Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	ReversingLabs: Detection: 47%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\A.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B.exe	Joe Sandbox ML: detected

Source: 12.0.RJCGQP.exe.1330000.0.unpack	Avira: Label: DR/AutoIt.Gen8
Source: 12.2.RJCGQP.exe.1330000.0.unpack	Avira: Label: DR/AutoIt.Gen8
Source: 12.3.RJCGQP.exe.463ff90.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: C:\Users\user\AppData\Local\Temp\A.exe

Code function: 15_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,

15_2_00404423

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 207.241.224.2:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 207.241.224.2:443 -> 192.168.2.3:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 207.241.228.150:443 -> 192.168.2.3:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 207.241.228.150:443 -> 192.168.2.3:49727 version: TLS 1.2

Source:	Binary string: -T'.pdbB source: RJCGQP.exe, 0000000C.00000003.304592497.0000000004611000.00000004.00000001.sdmp, B.exe.12.dr
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: A.exe
Source:	Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: B.exe

Source: C:\Users\user\AppData\Local\Temp\A.exe	Code function: 15_2_0040AE51 FindFirstFileW,FindNextFileW,		15_2_0040AE51
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,		24_2_00407C87

Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	File opened: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	File opened: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 4x nop then jmp 0536099Bh		7_2_053602A8
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 4x nop then jmp 0536099Ah		7_2_053602A8

Source: C:\Program Files\internet explorer\iexplore.exe

Process created: C:\Windows\SysWOW64\unarchiver.exe

Source: A.exe, 0000000F.00000003.288196887.0000000000B0B000.00000004.00000040.sdmp	String found in binary or memory: /MCOPY/MCOPY.tarhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: A.exe, 0000000F.00000003.288196887.0000000000B0B000.00000004.00000040.sdmp	String found in binary or memory: /MCOPY/MCOPY.tarhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: A.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: A.exe, 0000000F.00000003.288143825.0000000000B0A000.00000004.00000040.sdmp	String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://ia801500.us.archive.org/0/items/MCOPY/MCOPY.tarhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: A.exe, 0000000F.00000003.288143825.0000000000B0A000.00000004.00000040.sdmp	String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://ia801500.us.archive.org/0/items/MCOPY/MCOPY.tarhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: A.exe, 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: A.exe, 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: archive.org

Source: A.exe, 0000000F.00000002.288412108.0000000000193000.00000004.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: A.exe, B.exe, B.exe, 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: RJCGQP.exe, 0000000C.00000002.328333475.0000000001185000.00000004.00000001.sdmp	String found in binary or memory: https://cookforme.ch/routes/networks/
Source: A.exe, 0000000F.00000003.287476980.00000000022D1000.00000004.00000001.sdmp	String found in binary or memory: https://helpx.adobe.c
Source: A.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: A.exe, 0000000F.00000002.289487853.00000000022EA000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: A.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin

Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 207.241.224.2:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 207.241.224.2:443 -> 192.168.2.3:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 207.241.228.150:443 -> 192.168.2.3:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 207.241.228.150:443 -> 192.168.2.3:49727 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\B.exe

Code function: 24_2_0040C084 OpenClipboard,

24_2_0040C084

Source: unarchiver.exe, 00000007.00000002.330804685.000000000128B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\AppData\Local\Temp\A.exe	Code function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,	15_2_0040DD85
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_004016FC NtdllDefWindowProc_A,	24_2_004016FC
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_004017B6 NtdllDefWindowProc_A,	24_2_004017B6

Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 7_2_053602A8	7_2_053602A8
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 7_2_05360299	7_2_05360299
Source: C:\Users\user\AppData\Local\Temp\A.exe	Code function: 15_2_0044B040	15_2_0044B040
Source: C:\Users\user\AppData\Local\Temp\A.exe	Code function: 15_2_0043610D	15_2_0043610D
Source: C:\Users\user\AppData\Local\Temp\A.exe	Code function: 15_2_00447310	15_2_00447310
Source: C:\Users\user\AppData\Local\Temp\A.exe	Code function: 15_2_0044A490	15_2_0044A490
Source: C:\Users\user\AppData\Local\Temp\A.exe	Code function: 15_2_0040755A	15_2_0040755A
Source: C:\Users\user\AppData\Local\Temp\A.exe	Code function: 15_2_0043C560	15_2_0043C560
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_0040D044	24_2_0040D044
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_00405038	24_2_00405038
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_004050A9	24_2_004050A9
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_0040511A	24_2_0040511A
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_004051AB	24_2_004051AB
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_004382F3	24_2_004382F3
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_00430575	24_2_00430575
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_0043B671	24_2_0043B671
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_0041F6CD	24_2_0041F6CD
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_004119CF	24_2_004119CF
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_00439B11	24_2_00439B11
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_00438E54	24_2_00438E54
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_00412F67	24_2_00412F67
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_0043CF18	24_2_0043CF18

Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: String function: 00412968 appears 78 times
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: String function: 0044407A appears 37 times
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: String function: 00421A32 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\A.exe	Code function: String function: 004169A7 appears 37 times

Source: A.exe.12.dr	Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: A.exe.12.dr	Static PE information: Resource name: RT_STRING type: PDP-11 overlaid separate executable not stripped

Source: RJCGQP.exe.8.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RJCGQP.exe.8.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: B.exe.12.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: A.exe.12.dr	Static PE information: Section: UPX1 ZLIB complexity 0.992298054245
Source: B.exe.12.dr	Static PE information: Section: UPX1 ZLIB complexity 0.990766088275

Source: classification engine

Classification label: mal88.phis.troj.spyw.win@23/15@2/3

Source: C:\Users\user\AppData\Local\Temp\A.exe

Code function: 15_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,

15_2_004182CE

Source: C:\Users\user\AppData\Local\Temp\A.exe

Code function: 15_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z,

15_2_00418758

Source: C:\Users\user\AppData\Local\Temp\A.exe

Code function: 15_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle,

15_2_00413D4C

Source: C:\Users\user\AppData\Local\Temp\A.exe

Code function: 15_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,

15_2_0040B58D

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4232:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3868:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4556:120:WilError_01

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF10E708BDA7DE05C8.TMP

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\A.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: A.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: A.exe, B.exe	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: A.exe, 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: A.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: A.exe	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: A.exe	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: A.exe	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2332 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MCOPY.tar'
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MCOPY.tar'
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe
Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c A.exe /stext A.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\A.exe A.exe /stext A.txt
Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c B.exe /stext B.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\B.exe B.exe /stext B.txt
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2332 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MCOPY.tar'	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MCOPY.tar'	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c A.exe /stext A.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c B.exe /stext B.txt	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\A.exe A.exe /stext A.txt	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\B.exe B.exe /stext B.txt	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\A.exe

File opened: C:\Users\user\AppData\Local\Temp\A.cfg

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\B.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source:	Binary string: -T'.pdbB source: RJCGQP.exe, 0000000C.00000003.304592497.0000000004611000.00000004.00000001.sdmp, B.exe.12.dr
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: A.exe
Source:	Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: B.exe

Source: C:\Users\user\AppData\Local\Temp\A.exe

Code function: 15_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,7078DB20,MessageBoxW,

15_2_004044A4

Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_00444355 push ecx; ret	24_2_00444365
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_004446D0 push eax; ret	24_2_004446E4
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_004446D0 push eax; ret	24_2_0044470C
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_0044AC84 push eax; ret	24_2_0044AC91

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	File created: C:\Users\user\AppData\Local\Temp\B.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	File created: C:\Users\user\AppData\Local\Temp\A.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\B.exe

Code function: 24_2_004047C6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

24_2_004047C6

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\A.exe

Code function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,

15_2_0040DD85

Source: C:\Windows\SysWOW64\unarchiver.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe

Window / User API: threadDelayed 703

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\B.exe

API coverage: 9.6 %

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5632	Thread sleep count: 49 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5876	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe TID: 580	Thread sleep count: 703 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\A.exe	Code function: 15_2_0040AE51 FindFirstFileW,FindNextFileW,		15_2_0040AE51
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: 24_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,		24_2_00407C87

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 7_2_014AB042 GetSystemInfo,

7_2_014AB042

Source: C:\Windows\SysWOW64\unarchiver.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	File opened: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	File opened: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\B.exe

API call chain: ExitProcess graph end node

graph_24-33804

Source: C:\Users\user\AppData\Local\Temp\A.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\A.exe

15_2_0040DD85

Source: C:\Users\user\AppData\Local\Temp\A.exe

Code function: 15_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,7078DB20,MessageBoxW,

15_2_004044A4

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MCOPY.tar'	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\A.exe A.exe /stext A.txt	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\B.exe B.exe /stext B.txt	Jump to behavior

Source: RJCGQP.exe, 0000000C.00000000.276472877.00000000013DE000.00000002.00020000.sdmp, MCOPY.tar.nla9uw7.partial.3.dr

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\B.exe

Code function: 24_2_00408043 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

24_2_00408043

Source: C:\Users\user\AppData\Local\Temp\A.exe

Code function: 15_2_0041739B GetVersionExW,

15_2_0041739B

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected MailPassView

Show sources

Source: Yara match	File source: 24.2.B.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: B.exe PID: 2396, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\A.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Show sources

Source: C:\Users\user\AppData\Local\Temp\B.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\AppData\Local\Temp\B.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Show sources

Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: ESMTPPassword	24_2_004033E2
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	24_2_00402DA5
Source: C:\Users\user\AppData\Local\Temp\B.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	24_2_00402DA5

Yara detected WebBrowserPassView password recovery tool

Show sources

Source: Yara match	File source: 15.2.A.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A.exe PID: 5804, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Application Shimming1	Application Shimming1	Disable or Modify Tools1	OS Credential Dumping1	Account Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel22	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution1	Boot or Logon Initialization Scripts	Process Injection12	Deobfuscate/Decode Files or Information1	Input Capture1	File and Directory Discovery3	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information31	Credentials in Registry2	System Information Discovery17	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing21	Credentials In Files1	Security Software Discovery11	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Virtualization/Sandbox Evasion21	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion21	Cached Domain Credentials	Process Discovery4	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection12	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://archive.org/download/MCOPY/MCOPY.tar	0%	Virustotal		Browse
https://archive.org/download/MCOPY/MCOPY.tar	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	100%	Avira	DR/AutoIt.Gen8
C:\Users\user\AppData\Local\Temp\A.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\B.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\A.exe	32%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\A.exe	79%	ReversingLabs	Win32.Infostealer.WebBrowserPassView
C:\Users\user\AppData\Local\Temp\B.exe	29%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\B.exe	72%	ReversingLabs	Win32.Hacktool.PasswordRevealer
C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe	48%	ReversingLabs	Win32.Trojan.Nymeria

Unpacked PE Files

Source	Detection	Scanner	Label	Download
15.2.A.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137731	Download File
12.0.RJCGQP.exe.1330000.0.unpack	100%	Avira	DR/AutoIt.Gen8	Download File
12.2.RJCGQP.exe.1330000.0.unpack	100%	Avira	DR/AutoIt.Gen8	Download File
12.3.RJCGQP.exe.463ff90.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://helpx.adobe.c	0%	Avira URL Cloud	safe
https://cookforme.ch/routes/networks/	0%	Avira URL Cloud	safe
0	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
archive.org	207.241.224.2	true	false		high
ia801500.us.archive.org	207.241.228.150	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
0	true	1%, Virustotal, Browse	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://helpx.adobe.c	A.exe, 0000000F.00000003.287476980.00000000022D1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cookforme.ch/routes/networks/	RJCGQP.exe, 0000000C.00000002.328333475.0000000001185000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://login.yahoo.com/config/login	A.exe	false		high
http://www.nirsoft.net	A.exe, 0000000F.00000002.288412108.0000000000193000.00000004.00000001.sdmp	false		high
http://www.nirsoft.net/	A.exe, B.exe, B.exe, 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
207.241.224.2	archive.org	United States		7941	INTERNET-ARCHIVEUS	false
207.241.228.150	ia801500.us.archive.org	United States		7941	INTERNET-ARCHIVEUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	447280
Start date:	12.07.2021
Start time:	15:19:43
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://archive.org/download/MCOPY/MCOPY.tar
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.phis.troj.spyw.win@23/15@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 80% Number of executed functions: 153 Number of non-executed functions: 213
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.193.48, 2.18.105.186, 95.100.54.203, 20.50.102.62, 152.199.19.161, 205.185.216.10, 205.185.216.42, 20.54.7.98, 51.103.5.159, 40.112.88.60, 20.54.104.15, 23.10.249.43, 23.10.249.26, 20.82.210.154 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, wns.notify.trafficmanager.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, ie9comview.vo.msecnd.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\unarchiver.exe.log Download File
Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	388
Entropy (8bit):	5.2529463157768355
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk7v:MLF20NaL329hJ5g522r0
MD5:	FF3B761A021930205BEC9D7664AE9258
SHA1:	1039D595C6333358D5F7EE5619FE6794E6F5FDB1
SHA-256:	A3517BC4B1E6470905F9A38466318B302186496E8706F1976F1ED76F3E87AF0F
SHA-512:	1E77D09CF965575EF9800B1EE8947A02D98F88DBFA267300330860757A0C7350AF857A2CB7001C49AFF1F5BD1E0AE6E90F643B27054522CADC730DD14BC3DE11
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{61F999F3-E35F-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	32344
Entropy (8bit):	1.8001851111035176
Encrypted:	false
SSDEEP:	96:rrZYZM2BWBstBxhfBMdskMBGk0BkauDXvV850G2:rrZYZM2BWOtBf+VMECdW2
MD5:	CC43B5C80A314DD3CBC4683923164859
SHA1:	24D20AB9FB645B3A03442495692C9278445E8556
SHA-256:	D13A6EA653547714A72D7CD11FECACE9E59BA620ADD737A7E5621137777543A1
SHA-512:	6471C575EBA2E0EABA999AFDE225E07943D9DE74FB1A9332378CCBCDF1955C16ADAD85EA170FD8B4501A57F4FBE367F0B9C94E8ACB873A6DF62BC503C807CDFB
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{61F999F5-E35F-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.597397819681854
Encrypted:	false
SSDEEP:	48:IwSGcprDGwpaTG4pQXGrapbS5hGQpBeGHHpcwiTGUpQRkGcpm:rmZdQl6rBS5bjt2wS6ug
MD5:	ABEB230E216B51F51A1B92E10881FA3E
SHA1:	E0E882F404209031875ECC7BDCC9D5AA8F08A927
SHA-256:	B7096652605B7B7595A9BDE9D3FC0BDC01791A878C30213F1B1F9CB09F2AC426
SHA-512:	88C9F1A4F9E88344D720032741A2CA0AF7372F4C0A9D6210087F1CA0C91A20F3453D7F3AF0DF62C23CE3D531EE8DD3FB435A196F489B98D5AA8FA0296BE8E7E5
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MCOPY.tar.nla9uw7.partial Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	POSIX tar archive
Category:	dropped
Size (bytes):	1574912
Entropy (8bit):	7.4319546272021375
Encrypted:	false
SSDEEP:	24576:T4lavt0LkLL9IMixoEgeaNNfoXlgiYguPWIkygIJUEyIuModZ9seq9MmCS:mkwkn9IMHeaNKWVW4gIJoIuftPaPCS
MD5:	CB0EBABD8FECB4747629D5EEFBB932C7
SHA1:	FF2455D5C4C3223852D1037A0C0E397A93A0D734
SHA-256:	9073F4498C23D0277C8B251F68269490502236821CF43CAD421820E4768294A5
SHA-512:	DD91C087B480A45B2DF4706522556F5A301534F50B8E80E2274BE93546497687C505A5382EC01DB1E5EBEF536E3A071AD66CFEC5354B8EA0AC0CDA685705D042
Malicious:	false
Reputation:	low
Preview:	RJCGQP.exe..........................................................................................0100777.0000000.0000000.00006001000.14072607645.007515. 0....................................................................................................ustar.00.......................................................................................................................................................................................................................................................MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L......`.........."..........>.......k............@..........................`......q.....@...@.......@.....................lk..\|....@...l...................... l..................................p'..@...........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MCOPY.tar.nla9uw7.partial:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Reputation:	low
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MCOPY.tar:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:W:W
MD5:	ECCBC87E4B5CE2FE28308FD9F2A7BAF3
SHA1:	77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
SHA-256:	4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
SHA-512:	3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
Malicious:	false
Reputation:	low
Preview:	3

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\MCOPY[1].tar Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	POSIX tar archive
Category:	dropped
Size (bytes):	1574912
Entropy (8bit):	7.4319546272021375
Encrypted:	false
SSDEEP:	24576:T4lavt0LkLL9IMixoEgeaNNfoXlgiYguPWIkygIJUEyIuModZ9seq9MmCS:mkwkn9IMHeaNKWVW4gIJoIuftPaPCS
MD5:	CB0EBABD8FECB4747629D5EEFBB932C7
SHA1:	FF2455D5C4C3223852D1037A0C0E397A93A0D734
SHA-256:	9073F4498C23D0277C8B251F68269490502236821CF43CAD421820E4768294A5
SHA-512:	DD91C087B480A45B2DF4706522556F5A301534F50B8E80E2274BE93546497687C505A5382EC01DB1E5EBEF536E3A071AD66CFEC5354B8EA0AC0CDA685705D042
Malicious:	false
Reputation:	low
Preview:	RJCGQP.exe..........................................................................................0100777.0000000.0000000.00006001000.14072607645.007515. 0....................................................................................................ustar.00.......................................................................................................................................................................................................................................................MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L......`.........."..........>.......k............@..........................`......q.....@...@.......@.....................lk..\|....@...l...................... l..................................p'..@...........

C:\Users\user\AppData\Local\Temp\A.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	227840
Entropy (8bit):	7.872725621072058
Encrypted:	false
SSDEEP:	6144:O1vaKFbcprS5qlrCkxLjgmOA05HTr7N1DPz:SaKFbcVS5FUOAe7r
MD5:	8104093918B6F2D2004535B24B1533BA
SHA1:	F9CF4AE46A44AB7A39F35614167B2BE9F1D66460
SHA-256:	337A646E6F1A641D9471B840EE21BFF858E6BA24538A4F815191BE85E5003E70
SHA-512:	D43DC6E765A528755D1004B591D580C8D3E5A49800980DAB1073848F26C67C0350FE560762B46A3602E799EA8EE861BCC4F829020D5479E48C8ED6871FD139A1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 32%, Browse Antivirus: ReversingLabs, Detection: 79%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........L..-...-...-..4"...-..4"...-.......-..-....-...-...,.......-.......-.......-.......-..Rich.-..........PE..L......^.................P...0......@.............@.......................... ...........................................................!..........................................................................................................UPX0....................................UPX1.....P.......P..................@....rsrc....0.......&...T..............@......................................................................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....

C:\Users\user\AppData\Local\Temp\A.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\A.exe
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	low
Preview:	..

C:\Users\user\AppData\Local\Temp\B.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	195584
Entropy (8bit):	7.874455805483223
Encrypted:	false
SSDEEP:	3072:FZ8A9WsPZ/aP7OvH4l0917a9LKzWVKOguV39I1wsYNY0Zytg8r+M1/H2h:FZ8A9WsPZCD2H4g00OKqV39I1wsMY0ZI
MD5:	62B2864C32CB33F57A65F47269D91BE4
SHA1:	D072FF4E71B3F53E3D198067A61BCDD835CA0D92
SHA-256:	40257944035022D81474E714C256585977F8A89D8F960FA040A64567DE67194A
SHA-512:	4A49E253F79F956C99F1A9A475BE40F0F419427304D94BDA821435F0DD172C09B477EAAF261F4466D7D8C54195217B675F4F78EC3A42F775336EC54CAA98BCC1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 29%, Browse Antivirus: ReversingLabs, Detection: 72%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G=...\..\..\..S...\......\.....\..\.A].....\.$...*\.$....\.$....\.Rich.\.........PE..L....;.]..................... .......r............@............................................................................p...................................................................................................................UPX0....................................UPX1................................@....rsrc.... ..........................@..............................................................................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.33592749825611
Encrypted:	false
SSDEEP:	3:oVXU7UB8h98JOGXnE7UB8Mj+n:o9U7Ui3qE7UiD
MD5:	1552C63AA2F228A9CF3685379657736C
SHA1:	D3DCA349E7CCEFA2BDBE76FDFF3C245DBBE16D33
SHA-256:	1547C4FAECF793C0F93BB0EC00BB2C193D186BF9A1EC7EB2D46D9B7BF44F5FA5
SHA-512:	34CD17F314D90B4C2AD9D1FF27D8CFA5A40AF93FF46B672C3FAA7C64F8CC663D9CC8C0B22CA1BC75B4A9CC761BCEDFD87E0F80667C22D312A28EE396B1D206A2
Malicious:	false
Reputation:	low
Preview:	[2021/07/12 15:20:39.251] Latest deploy version: ..[2021/07/12 15:20:39.251] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe Download File
Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1573376
Entropy (8bit):	7.4358659988087075
Encrypted:	false
SSDEEP:	24576:G4lavt0LkLL9IMixoEgeaNNfoXlgiYguPWIkygIJUEyIuModZ9seq9MmCS:Rkwkn9IMHeaNKWVW4gIJoIuftPaPCS
MD5:	AD4B4A3179D923A637CEB9AC2E1CB00A
SHA1:	077236612B707790616928108DE141EE3F360B47
SHA-256:	F9AE72D6C093948A21E116AF6E304B8CBE41D043AEFF6C16B068EA375C0D8C2C
SHA-512:	A2E99053B76E20DC6D1CFEA95771A645B861BCA82B6098F6569A98F7E6A095B91FC29F48D8DB8EA659AE6A9312C73013B9DB6DA215E826DC79159865FF98C476
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 48%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L......`.........."..........>.......k............@..........................`......q.....@...@.......@.....................lk..\|....@...l...................... l..................................p'..@...............X............................text...t........................... ..`.rdata..j...........................@..@.data...4........b..................@....rsrc....l...@...n..................@..@.reloc..b............\..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mdmjdc2j.33g\unarchiver.log Download File
Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1696
Entropy (8bit):	5.203135429150786
Encrypted:	false
SSDEEP:	48:+EDwJGJGbJGJGpLGEgEGJGpCD9GbnGRD9GxG7TlG6GKGJGEGJGgFGX23vJ:+cV7OCLJ9R
MD5:	C75092579A84BBBE49949D51C2BFB282
SHA1:	BB72F6B0F65FC1473FCDD56F12D84CA5C4A7E523
SHA-256:	39EFBFE6AE9F5122C490EEE66C41CD8D59B3ED3B91B346AAF2AF6567F6279419
SHA-512:	58919F638EFA4F4AF6E10A33075EF121CF25E370446C05B04F77C8CEDA963020694333ED408CADCE89528E1715D7DDEF847EE64FD6FC09259B2DCCAF1375861F
Malicious:	false
Reputation:	low
Preview:	07/12/2021 3:21 PM: Unpack: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MCOPY.tar..07/12/2021 3:21 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x..07/12/2021 3:21 PM: Received from standard out: ..07/12/2021 3:21 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..07/12/2021 3:21 PM: Received from standard out: ..07/12/2021 3:21 PM: Received from standard out: Scanning the drive for archives:..07/12/2021 3:21 PM: Received from standard out: 1 file, 1574912 bytes (1538 KiB)..07/12/2021 3:21 PM: Received from standard out: ..07/12/2021 3:21 PM: Received from standard out: Extracting archive: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MCOPY.tar..07/12/2021 3:21 PM: Received from standard out: --..07/12/2021 3:21 PM: Received from standard out: Path = C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MCOPY.tar..07/12/2021 3:21 PM: Received from standard out:

C:\Users\user\AppData\Local\Temp\~DF10E708BDA7DE05C8.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12981
Entropy (8bit):	0.4455445324961655
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lowF9lo49lWh5A/6:kBqoID1h5Ai
MD5:	1DA4A699830C663C89FDBEB8CB0B1F41
SHA1:	EDFEDE7E8075297688AF9E960A5A12E0345D2804
SHA-256:	C75FDEDECD45E52A0CD0C3AF0DC7559643511A575B0CE24916D288B0ADEB9138
SHA-512:	83609FA2BD4BC9B698E7DEAF6C0A5108E896444C532AC286871397A782DE139A198A053C41EB38082FE1FEBD5B0776D4041A690E38D97EA3D56FA3D66325D8CB
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD1669ABBB8624462.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29989
Entropy (8bit):	0.32932911639885465
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwNF9lwgi9l2R/9l2J9p:kBqoxKAuvScS+w2R+gRy
MD5:	F7561CA4A7DB7B480ACF2BFC1C61B9D9
SHA1:	4F49A7D12C6A8FF1A668FBED136E5F3569AA6373
SHA-256:	D543E7B733E806D0EE84F64B15168A30DF46132E20B2BD149252A1A1DF84B72A
SHA-512:	B38E08C5FCF52C4EC379D4AA169818E14DB10F771866FBDE4213EE196A933EF24A30E7561F8A9AC60151F38593D65846E65832CC7E8FF7F1F62C84B45D6BB6EE
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 12, 2021 15:20:39.772207022 CEST	49725	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:39.772475958 CEST	49724	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:39.932341099 CEST	443	49725	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:39.932411909 CEST	443	49724	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:39.932488918 CEST	49725	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:39.932564020 CEST	49724	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:39.941368103 CEST	49724	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:39.941838026 CEST	49725	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.101120949 CEST	443	49724	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.101802111 CEST	443	49725	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.102020025 CEST	443	49724	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.102051020 CEST	443	49724	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.102140903 CEST	49724	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.102190971 CEST	49724	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.102319956 CEST	443	49724	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.102344990 CEST	443	49724	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.102369070 CEST	443	49725	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.102437973 CEST	49724	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.102463007 CEST	49724	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.102535009 CEST	443	49725	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.102559090 CEST	443	49725	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.102572918 CEST	443	49725	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.102606058 CEST	49725	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.102627993 CEST	49725	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.102786064 CEST	49725	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.103854895 CEST	443	49724	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.103888988 CEST	443	49724	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.104006052 CEST	49724	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.104886055 CEST	443	49725	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.104908943 CEST	443	49725	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.105012894 CEST	49725	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.144195080 CEST	49725	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.145546913 CEST	49724	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.149873018 CEST	49724	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.150078058 CEST	49724	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.150377035 CEST	49725	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.305769920 CEST	443	49725	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.305795908 CEST	443	49725	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.305886030 CEST	49725	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.307378054 CEST	49725	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.307693958 CEST	443	49724	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.307710886 CEST	443	49724	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.307780981 CEST	49724	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.307810068 CEST	49724	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.308273077 CEST	49724	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.311198950 CEST	443	49725	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.311223984 CEST	443	49724	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.311290026 CEST	49725	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.311333895 CEST	49724	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.334723949 CEST	443	49724	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.334841013 CEST	49724	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:20:40.411098003 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.411123991 CEST	49727	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.509921074 CEST	443	49724	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.509951115 CEST	443	49725	207.241.224.2	192.168.2.3
Jul 12, 2021 15:20:40.570688009 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.570852995 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.570918083 CEST	443	49727	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.571011066 CEST	49727	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.571331978 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.571893930 CEST	49727	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.729294062 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.729592085 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.729623079 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.729701996 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.729722977 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.729789972 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.729827881 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.731554031 CEST	443	49727	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.731769085 CEST	443	49727	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.731854916 CEST	49727	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.731856108 CEST	443	49727	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.731882095 CEST	443	49727	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.731895924 CEST	443	49727	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.731915951 CEST	49727	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.731961012 CEST	49727	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.732563019 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.732579947 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.732654095 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.732682943 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.734802008 CEST	443	49727	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.734826088 CEST	443	49727	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.734920979 CEST	49727	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.734937906 CEST	49727	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.740775108 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.741149902 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.741818905 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.744579077 CEST	49727	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.744946003 CEST	49727	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.899055958 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.899091959 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.899156094 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.899205923 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.899264097 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.899687052 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.899725914 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.900120020 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.900593996 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.900629997 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.900655985 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.900688887 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.900721073 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.900722027 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.900758982 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.900764942 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.900769949 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.900780916 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.900840044 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.900863886 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.900937080 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.900947094 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.900952101 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.900969982 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.901056051 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.901093006 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.901129007 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.901140928 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.904706955 CEST	443	49727	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.907968044 CEST	443	49727	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.907998085 CEST	443	49727	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.908014059 CEST	443	49727	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.908030987 CEST	443	49727	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:40.908071041 CEST	49727	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.908107996 CEST	49727	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:40.908948898 CEST	49727	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.057595968 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.057626963 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.057718039 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.057756901 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.057857037 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.057921886 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.058128119 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.058188915 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.058401108 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.058902025 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.058928013 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.058950901 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.058963060 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.058986902 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.059020996 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.059082985 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.059086084 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.059103012 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.059144020 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.059158087 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.059181929 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.059199095 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.059202909 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.059227943 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.059247017 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.059251070 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.059251070 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.059269905 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.059277058 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.059288979 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.059302092 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.059317112 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.059325933 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.059350967 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.059350967 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.059370995 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.059376955 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.059387922 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.059401035 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.059421062 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.059425116 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.059433937 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.059448004 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.059473991 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.059473991 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.059489012 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.059498072 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.059520960 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.059540987 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.068535089 CEST	443	49727	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.215646982 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.215686083 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.215708971 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.215735912 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.215759039 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.215760946 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.215786934 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.215792894 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.215796947 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.215812922 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.215841055 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.215920925 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.216012955 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.216067076 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.216080904 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.216125011 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.217485905 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.217539072 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.217561960 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.217578888 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.217593908 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.217612982 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.217638969 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.217685938 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.217710018 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.217714071 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.217716932 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.217792988 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.217820883 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.217838049 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.217853069 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.217865944 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.217879057 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.217894077 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.217916965 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.217925072 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.217942953 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.217946053 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.217977047 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.217979908 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.217983007 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.217983007 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218008041 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218039989 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218049049 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218050003 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218107939 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218108892 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218167067 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218172073 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218205929 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218262911 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218389034 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218457937 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218487978 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218512058 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218533993 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218539000 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218549013 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218552113 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218554974 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218559027 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218564034 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218581915 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218596935 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218605042 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218611002 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218628883 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218635082 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218657017 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218677998 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218728065 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218750000 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218771935 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218805075 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218807936 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218830109 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218832016 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218863010 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218899965 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218878031 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218920946 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218943119 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.218943119 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.218997955 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.219022036 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.219059944 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.219084024 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.219223976 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.219302893 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.374670982 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.374690056 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.374707937 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.374726057 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.374742985 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.374777079 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.374782085 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.374800920 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.374819994 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.374824047 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.374927998 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.374931097 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.374958038 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.374974012 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.374989986 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.375036001 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.375041962 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.375045061 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.375047922 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.375164032 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.375273943 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.375288010 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.375293970 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.375305891 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.375324965 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.375329971 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.375376940 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.376127958 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.376154900 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.376208067 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.376233101 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.376280069 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.376298904 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.376313925 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.376328945 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.376346111 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.376363993 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.376363993 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.376373053 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.376415014 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.376429081 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.377146959 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.377207041 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.377278090 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.377301931 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.377332926 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.377346039 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.377487898 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.377540112 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.377573967 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.377640009 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.377671957 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.377693892 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.377711058 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.377722979 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.377743006 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.377768993 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.378103018 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378128052 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378146887 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378161907 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378175974 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378211021 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.378221035 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.378268003 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.378390074 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378427982 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378448009 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378469944 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378489017 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378511906 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378532887 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378552914 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378572941 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378592968 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378612995 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378634930 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378657103 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378679991 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378689051 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.378705025 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378706932 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.378710032 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.378714085 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.378715992 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.378719091 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.378721952 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.378722906 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378726006 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.378729105 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.378761053 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378778934 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378941059 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378958941 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378974915 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.378990889 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.379007101 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.379024029 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.379040003 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.379059076 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.379173994 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.379214048 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.379234076 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.379237890 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.379240990 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.379242897 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.379245996 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.379249096 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.379251957 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.379256010 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.379276037 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.379312038 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.379331112 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.379363060 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.379391909 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.379410028 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.379456997 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.379471064 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.379475117 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.379477978 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.379482031 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.379484892 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.379544020 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.379688978 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.379765987 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.379829884 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.379841089 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.379874945 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.379906893 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.379913092 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.381329060 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381347895 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.381357908 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.381449938 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.381457090 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381516933 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.381521940 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381571054 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.381620884 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381644011 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381658077 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381674051 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381689072 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381705046 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381715059 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.381719112 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.381728888 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381736994 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.381738901 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381758928 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.381759882 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381767035 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381783009 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381797075 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.381808996 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381829023 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381844044 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381860018 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381861925 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.381877899 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.381880045 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381897926 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.381901026 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381922007 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.381922960 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.381951094 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.381966114 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533130884 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533164978 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533176899 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533196926 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533215046 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533231020 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533253908 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533286095 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533303022 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533308029 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533328056 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533355951 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533377886 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533396959 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533413887 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533431053 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533447981 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533461094 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533474922 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533487082 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533514023 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533579111 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533601999 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533627987 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533653975 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533662081 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533668041 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533678055 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533691883 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533700943 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533714056 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533725023 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533740997 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533749104 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533761024 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533772945 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533781052 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533797026 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533802032 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533823967 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533824921 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533845901 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533849955 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533860922 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533869028 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533890963 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533890963 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533912897 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533921003 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533936024 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533943892 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533958912 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533967972 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.533982992 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.533987999 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.534010887 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.534025908 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.534035921 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.534060955 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.534080982 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.534101963 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.534132004 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.534179926 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.534317970 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.534354925 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.534410954 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.534430981 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.534605980 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.534648895 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.534673929 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.534713984 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.534722090 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.534746885 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.534750938 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.534750938 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.534775019 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.534781933 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.534806967 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.534809113 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.534828901 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.534833908 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.534883976 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.534909964 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.535341978 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535376072 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535399914 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535423040 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535445929 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535469055 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535495043 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535520077 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535520077 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.535542965 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535571098 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.535576105 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.535578966 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.535582066 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.535584927 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.535588026 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.535590887 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.535593987 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.535725117 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535752058 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535775900 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535799026 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535823107 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535844088 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535866976 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535891056 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535918951 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535944939 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535968065 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.535990953 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.535993099 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.536005020 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.536009073 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.536010981 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.536014080 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.536015987 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.536019087 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.536021948 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.536025047 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.536068916 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.537244081 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.537277937 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.537321091 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.537341118 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.537364006 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.537420988 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.537421942 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.537476063 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.537513018 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.537575006 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.537589073 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.537612915 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.537635088 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.537646055 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.537683010 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.537722111 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.537745953 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.537781000 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.537803888 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.537971973 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538031101 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538043976 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538077116 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538098097 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538104057 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538125992 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538137913 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538158894 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538167953 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538187027 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538197041 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538216114 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538224936 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538245916 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538256884 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538274050 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538283110 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538307905 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538314104 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538331985 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538341999 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538357973 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538369894 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538369894 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538417101 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538520098 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538552046 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538579941 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538579941 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538598061 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538608074 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538630962 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538640976 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538672924 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538703918 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538746119 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538762093 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538764954 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538769007 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538770914 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538815975 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538861036 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538889885 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538916111 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.538921118 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.538979053 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.539005041 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.539016962 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.539020061 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.539020061 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.539072990 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.540060997 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540118933 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.540254116 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540301085 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540302992 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.540337086 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540357113 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.540374994 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540379047 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.540412903 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540417910 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.540450096 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540478945 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.540491104 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540518999 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.540528059 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540529966 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.540560961 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540582895 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.540601969 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540601969 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.540653944 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.540671110 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540704012 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540725946 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.540740013 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540744066 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.540781975 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.540808916 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540837049 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540863037 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.540863991 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540887117 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.540904045 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540906906 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.540941000 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540947914 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.540975094 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.540993929 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541009903 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541032076 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541048050 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541073084 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541089058 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541093111 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541136026 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541181087 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541204929 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541220903 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541234970 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541239023 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541261911 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541300058 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541336060 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541337967 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541342974 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541346073 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541378021 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541380882 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541413069 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541434050 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541451931 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541456938 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541487932 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541515112 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541527987 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541558981 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541574001 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541587114 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541610003 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541635036 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541649103 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541682959 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541690111 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541691065 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541728973 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541754007 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541769981 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541775942 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541809082 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541831017 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541845083 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541866064 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541891098 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541898012 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541930914 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541954041 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.541968107 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.541974068 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.542005062 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.542026997 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.542042971 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.542047977 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.542082071 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.542083025 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.542125940 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.542145967 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.542176962 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.542201042 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.542216063 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.542236090 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.542251110 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.542272091 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.542288065 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.542311907 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.542327881 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.542330980 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.542365074 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.542386055 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.542402029 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.542414904 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.542449951 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.701822996 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.702038050 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.753638983 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.753696918 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.753726006 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.753751040 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.753778934 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.753804922 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.753818989 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.753829956 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.753856897 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.753860950 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.753868103 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.753871918 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.753881931 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.753906012 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.753906012 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.753925085 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.753947020 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.753961086 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.753972054 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.753990889 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754024029 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754059076 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754081011 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754105091 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754107952 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754127026 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754151106 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754151106 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754173994 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754189968 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754196882 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754219055 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754219055 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754241943 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754271030 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754370928 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754373074 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754395962 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754425049 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754457951 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754484892 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754511118 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754533052 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754537106 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754561901 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754565954 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754584074 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754590034 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754618883 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754635096 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754651070 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754678965 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754695892 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754729033 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754776001 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754817963 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754825115 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754848003 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754870892 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754895926 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754904032 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754924059 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.754949093 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.754975080 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.809387922 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.809432030 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.809459925 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.809478045 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.809536934 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.809561014 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.809585094 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.809611082 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.809626102 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.809633017 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.809659004 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.809659958 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.809679985 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.809683084 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.809700966 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.809710979 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.809743881 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.809760094 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.809796095 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.809813023 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.809815884 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.809833050 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.809844971 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.809879065 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.809880972 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.809902906 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.809926033 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.809956074 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810024977 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810045958 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810070038 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810071945 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810091019 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810103893 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810137033 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810137987 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810198069 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810199022 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810225964 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810245991 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810247898 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810271025 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810297966 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810298920 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810316086 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810336113 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810345888 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810374975 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810383081 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810405016 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810426950 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810427904 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810465097 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810497999 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810520887 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810543060 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810568094 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810625076 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810647964 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810668945 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810669899 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810697079 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810719967 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810743093 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810765028 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810786009 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810786963 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810802937 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810826063 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810830116 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810852051 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810856104 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810873032 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810893059 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810894012 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810915947 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810924053 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810956955 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.810966015 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.810988903 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811008930 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811028957 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811038017 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811075926 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811084986 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811099052 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811127901 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811155081 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811176062 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811223984 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811280966 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811309099 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811328888 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811331987 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811352968 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811361074 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811374903 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811383009 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811397076 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811405897 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811428070 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811451912 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811486006 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811516047 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811531067 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811537981 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811564922 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811582088 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811644077 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811667919 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811688900 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811691046 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811722040 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811743021 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811784029 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811809063 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811829090 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811829090 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811858892 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.811861992 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811882973 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.811903954 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812033892 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812062979 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812089920 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812096119 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812119007 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812140942 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812144995 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812170029 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812170982 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812194109 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812203884 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812222958 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812232018 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812238932 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812272072 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812366962 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812396049 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812418938 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812421083 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812450886 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812454939 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812473059 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812484980 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812496901 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812511921 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812520027 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812539101 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812541962 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812566042 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812582970 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812592030 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812616110 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812618017 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812635899 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812657118 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812693119 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812714100 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812736988 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812760115 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812769890 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812799931 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812808990 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812843084 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812889099 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812917948 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812947035 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812963963 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.812987089 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.812989950 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.813010931 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.813034058 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.813046932 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.813075066 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.813098907 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.813102961 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.813118935 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.813128948 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.813149929 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.813174963 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.813211918 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.813241959 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.813262939 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.813272953 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.813288927 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.813290119 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.813313961 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.813317060 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.813363075 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.813366890 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.813379049 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.813394070 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.813417912 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.813426971 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.813441038 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.813457966 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.813477993 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.813483000 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.813503981 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.813510895 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.813529015 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.813535929 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.813554049 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.813580990 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.860774994 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.860800028 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.860814095 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.860837936 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.860857964 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.860869884 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.860882044 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.860908031 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.860932112 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.860953093 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.860980988 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.860984087 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.860986948 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861026049 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.861052990 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861104965 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.861120939 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861151934 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861161947 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.861193895 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.861221075 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861262083 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.861316919 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861336946 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861352921 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861361027 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.861381054 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.861397982 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.861402035 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861438990 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.861440897 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861459970 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861479998 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.861500025 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.861578941 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861627102 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.861634016 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861671925 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.861737967 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861758947 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861780882 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.861782074 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861799955 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861802101 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.861820936 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.861825943 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861849070 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.861870050 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.861886024 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861917973 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.861937046 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.861964941 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.862133980 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.862159967 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.862181902 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.862200022 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.862207890 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.862216949 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.862226009 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.862232924 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.862250090 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.862267017 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.862276077 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.862299919 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.862328053 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.862329960 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.862395048 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.863715887 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.863749027 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.863766909 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.863780975 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.863792896 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.863805056 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.863821983 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.863823891 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.863837957 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.863847017 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.863856077 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.863873959 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.863894939 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.863898039 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.863910913 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.863919973 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.863929033 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.863945961 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.863955021 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.863962889 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.863975048 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.863977909 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.863991022 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.863996983 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.864008904 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.864032030 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.864053011 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.864068031 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.911947012 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.911973953 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912028074 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912045956 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912098885 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912097931 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.912122011 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.912127018 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.912169933 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.912277937 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912307978 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912321091 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912370920 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.912379980 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912400961 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912404060 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.912420988 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912441015 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.912470102 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.912492990 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912511110 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912528038 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912542105 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.912559986 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912580967 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.912617922 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.912818909 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912837982 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912853956 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912870884 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912889957 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912889004 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.912906885 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912914038 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.912923098 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912939072 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.912957907 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.913182020 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.913512945 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.913569927 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.915730953 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.915755987 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.915767908 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.915841103 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.915880919 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.915900946 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.915913105 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.915925980 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.915927887 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.915944099 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.915973902 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.916004896 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.916024923 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.916043997 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.916054964 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.916059971 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.916085958 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.916134119 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.967920065 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.967953920 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.968044996 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.968077898 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.968194962 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.968250036 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.968446970 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.968501091 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.968568087 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.968614101 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.968698978 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.968720913 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.968739033 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.968750000 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.968780994 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.968791008 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.968816042 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.968832970 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.968852997 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.968861103 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.968871117 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.968887091 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.968894005 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.968924999 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.968939066 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.968955040 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.968986034 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.969011068 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.969223976 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.969244003 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.969263077 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.969278097 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.969280958 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.969297886 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.969300985 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.969341040 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.969471931 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.969491005 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.969506979 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.969518900 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.969553947 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.969595909 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.969613075 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.969640970 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.969676971 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.969755888 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.969774008 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.969805956 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.969835043 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.969858885 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.969876051 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.969892025 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.969902039 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.969954967 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.969976902 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.969994068 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.970010996 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.970021009 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.970053911 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.970104933 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.970123053 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.970151901 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.970186949 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.970236063 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.970280886 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.970344067 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.970362902 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.970374107 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.970395088 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.970419884 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.970491886 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.970555067 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.970622063 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.970639944 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.970657110 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.970665932 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.970674038 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.970695019 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.970724106 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.970761061 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.970813036 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.971218109 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.971273899 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.971286058 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.971292019 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.971321106 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.971338987 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.971400976 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.971420050 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:41.971445084 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:41.971641064 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.130803108 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.130873919 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.130877972 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.130928040 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.130929947 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.130975008 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.130981922 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.131027937 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.131031990 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.131077051 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.131089926 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.131174088 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.131196976 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.131215096 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.131232023 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.131278038 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.131283998 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.131314993 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.131331921 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.131377935 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.131382942 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.131424904 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.131445885 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.131489038 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.131493092 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.131536007 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.131537914 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.131582975 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.131588936 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.131633997 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.131642103 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.131700039 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.131707907 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.131753922 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.131835938 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.131886005 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.131886959 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.131932020 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.131939888 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.131984949 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.131989002 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.132031918 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.132045984 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.132091999 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.132100105 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.132144928 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.132158041 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.132203102 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.132215023 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.132261038 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.132267952 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.132313013 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.132318020 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.132359982 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.132369041 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.132410049 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.132419109 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.132462978 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.132468939 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.132510900 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.132519960 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.132567883 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.132570982 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.132616043 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.132627964 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.132674932 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.132680893 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.132725954 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.134905100 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.134963036 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135242939 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135252953 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135301113 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135324001 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135343075 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135351896 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135360003 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135369062 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135376930 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135387897 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135390997 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135409117 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135411024 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135430098 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135442972 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135447979 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135463953 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135468006 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135481119 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135492086 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135499001 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135509014 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135515928 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135528088 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135533094 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135550022 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135552883 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135572910 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135584116 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135592937 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135612965 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135632992 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135634899 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135654926 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135668993 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135680914 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135688066 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135698080 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135710955 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135710955 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135727882 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135740995 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135744095 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135757923 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135761023 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135773897 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135787964 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135792017 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135811090 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135818005 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135827065 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135835886 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135843992 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135860920 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135868073 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135878086 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135900021 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135916948 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135922909 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135936022 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135952950 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135953903 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.135967016 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135979891 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.135987997 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136001110 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136015892 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136022091 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136045933 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136050940 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136069059 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136070013 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136094093 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136094093 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136111975 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136115074 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136127949 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136143923 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136147022 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136157990 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136168957 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136183023 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136188030 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136198044 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136202097 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136214018 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136219978 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136230946 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136236906 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136250973 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136254072 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136264086 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136281013 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136285067 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136303902 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136311054 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136321068 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136331081 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136338949 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136356115 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136356115 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136368036 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136375904 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136392117 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136399984 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136410952 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136419058 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136432886 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136445999 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136451006 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136467934 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136470079 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136485100 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136497021 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136502028 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136518002 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136526108 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136534929 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136550903 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136560917 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136569977 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136580944 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136589050 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136605978 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136614084 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136621952 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136639118 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136643887 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136657000 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136671066 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136674881 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136701107 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136718988 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136728048 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136739016 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136743069 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136758089 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136770010 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136773109 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136786938 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136794090 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136807919 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136816978 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136826992 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136842966 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136852980 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136859894 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136873960 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136877060 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136893988 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136908054 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136909962 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136926889 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136936903 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136946917 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136961937 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.136965990 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136984110 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.136989117 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.137001991 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.137017965 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.137027979 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.137031078 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.137044907 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.137048006 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.137065887 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.137075901 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.137082100 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.137090921 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.137099981 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.137110949 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.137115002 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.137132883 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.137144089 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.137144089 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.137164116 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.137171030 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.137181044 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.137190104 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.137193918 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.137207031 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.137223005 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.137232065 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.137236118 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.137253046 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.137263060 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.137268066 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.137284040 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.137310028 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.290133953 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.290169001 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.290230989 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.290258884 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.290390015 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.290429115 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.290457964 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.290513039 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.290555954 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.290591955 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.290616035 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.290616989 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.290659904 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.290678024 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.290688038 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.290736914 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.290747881 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.290893078 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.290941000 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.290955067 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.291016102 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.291076899 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.291096926 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.291156054 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.291166067 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.291299105 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.291318893 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.291327000 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.291340113 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.291363955 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.291385889 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.291409969 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.291441917 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.291448116 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.291511059 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.291551113 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.291574955 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.291591883 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.291600943 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.291661024 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.291667938 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.291703939 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.291727066 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.291727066 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.291747093 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.291790962 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.291820049 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.291838884 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.291867971 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.291893005 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.291944981 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.291946888 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.292049885 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.296371937 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.296411037 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.296439886 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.296473980 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.296637058 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.296683073 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.296694994 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.296710014 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.296734095 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.296758890 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.296827078 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.296834946 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.296859026 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.296889067 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.296933889 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.296961069 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297003984 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297017097 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.297025919 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297051907 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297060966 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.297075987 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297089100 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.297122002 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.297199011 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297221899 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297246933 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.297277927 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297291040 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.297321081 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297322035 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.297373056 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.297442913 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297452927 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297519922 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297533989 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.297579050 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.297599077 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297641039 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297650099 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.297666073 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297688961 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297700882 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.297732115 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.297750950 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297776937 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297801018 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.297846079 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.297863960 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297888994 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297909975 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297914028 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.297933102 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.297960043 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.297988892 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298001051 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298032999 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298051119 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298089027 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298116922 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298141956 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298163891 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298170090 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298218012 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298223019 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298244953 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298270941 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298273087 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298325062 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298358917 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298409939 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298413992 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298440933 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298463106 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298464060 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298491001 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298521996 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298604965 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298630953 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298651934 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298655033 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298676014 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298679113 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298710108 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298743963 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298758030 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298780918 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298804045 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298806906 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298827887 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298854113 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298856020 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298876047 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298897982 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298909903 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298921108 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.298953056 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298990965 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.298996925 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.299024105 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.299046993 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.299062967 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.299069881 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.299093962 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.299127102 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.299132109 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.299141884 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.299159050 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.299186945 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.299213886 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.448069096 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.448115110 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.448156118 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.448170900 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.448185921 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.448204041 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.448213100 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.448221922 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.448318005 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.448585987 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.448676109 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.448678017 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.448729038 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.448729992 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.448792934 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.448810101 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.448836088 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.448858976 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.448883057 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.448968887 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.449305058 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.449382067 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.449412107 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.449501038 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.449652910 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.449681044 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.449717999 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.449774027 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.449786901 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.449841976 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.449888945 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.449956894 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.454833984 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.454864025 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.454952955 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.455012083 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.455157995 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.455183983 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.455207109 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.455226898 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.455245018 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.455248117 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.455272913 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.455296040 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.455317974 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.455343962 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.455348969 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.455368042 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.455389977 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.455410957 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.455437899 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.455463886 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.455496073 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.455585957 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.455611944 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.455678940 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.455813885 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.455890894 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.456044912 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.456073046 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.456095934 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.456126928 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.456219912 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.456382036 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.456402063 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.456459045 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.456486940 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.456510067 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.456517935 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.456552982 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.456655979 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.456681013 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.456712008 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.456727028 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.457174063 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.457209110 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.457242012 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.457264900 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.457377911 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.457437992 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.457461119 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.457473040 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.457499027 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.457542896 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.457545996 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.457593918 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.457874060 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.457937002 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.457957029 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.457983017 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458008051 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458015919 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458031893 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458049059 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458056927 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458080053 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458087921 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458102942 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458122969 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458153009 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458156109 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458175898 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458203077 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458226919 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458230019 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458278894 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458282948 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458326101 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458329916 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458364964 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458386898 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458415031 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458431959 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458456039 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458479881 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458489895 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458506107 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458522081 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458529949 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458555937 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458561897 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458580971 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458596945 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458604097 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458631992 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458686113 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458692074 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458734989 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458750010 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458796024 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458806038 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458842039 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458858013 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458890915 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458914995 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458915949 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458935022 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458956957 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.458961010 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.458981991 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.459007025 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.459023952 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.459024906 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.459069014 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.459487915 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.459539890 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.606632948 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.606676102 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.606699944 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.606774092 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.606780052 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.606798887 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.606820107 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.606861115 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.606882095 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.606885910 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.606903076 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.606928110 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.606951952 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607043028 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.607072115 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607141972 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.607151031 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607182026 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607203960 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607228041 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.607242107 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607279062 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.607280016 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607332945 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607359886 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.607374907 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607398033 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.607412100 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607434988 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607455015 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607477903 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.607521057 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607544899 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607562065 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.607566118 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607610941 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607615948 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.607641935 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607666969 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.607691050 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607724905 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607747078 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.607754946 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607805967 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607829094 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607831001 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.607850075 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607884884 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607886076 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.607908010 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607942104 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.607983112 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.607992887 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.608058929 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.608068943 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.608129978 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.612602949 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.612705946 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.612713099 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.612787008 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.613626003 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.613708019 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.613714933 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.613758087 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.613794088 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.613805056 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.613852024 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.613873959 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.613879919 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.613934994 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.613960028 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.613976002 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614007950 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614029884 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.614042044 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614078999 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614082098 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.614115953 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614142895 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.614151001 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614187956 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614211082 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.614228010 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614265919 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614291906 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.614303112 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614339113 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614371061 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.614389896 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614415884 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614434004 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.614444971 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614470005 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614495039 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614516973 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.614521027 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614547968 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614574909 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614603996 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614629984 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614634037 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.614672899 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614676952 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.614711046 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614733934 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.614752054 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614800930 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614803076 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.614856005 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614883900 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.614892960 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614937067 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614969015 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.614969015 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.615004063 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615041971 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.615045071 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615082979 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615107059 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.615150928 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615173101 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.615185976 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615231991 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615266085 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.615287066 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615312099 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615318060 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.615326881 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615348101 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615370035 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615390062 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615403891 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.615411043 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615433931 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615454912 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615473986 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615477085 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.615495920 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615516901 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615535021 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.615536928 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615561008 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615586042 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615598917 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.615607977 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615634918 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615655899 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615678072 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615684032 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.615700960 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615724087 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615741014 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.615746021 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615762949 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615781069 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615798950 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615799904 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.615814924 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615830898 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615847111 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615860939 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.615863085 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615919113 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615920067 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.615937948 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615955114 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.615976095 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.616039038 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.616051912 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616091967 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616117001 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.616179943 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616189957 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.616219044 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616240978 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616249084 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.616261959 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616285086 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616300106 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.616305113 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616344929 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616370916 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.616381884 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616417885 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616425991 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.616457939 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616497993 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.616564035 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616578102 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.616589069 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616610050 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616661072 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616662025 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.616684914 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616707087 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616743088 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616744995 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.616761923 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616791010 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616811991 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616816998 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.616831064 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616854906 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616888046 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.616935015 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.616947889 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.616966963 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617027998 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.617058039 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617094040 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617124081 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.617151976 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617176056 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617197990 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.617198944 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617219925 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617240906 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617253065 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.617259979 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617280006 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617332935 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617352009 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.617399931 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.617461920 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617481947 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617530107 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.617600918 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.617630959 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617650032 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617671967 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617693901 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617698908 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.617716074 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617743969 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617764950 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617794991 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617806911 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.617820024 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617839098 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617856979 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.617889881 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.617906094 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617954969 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.617959023 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.617978096 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618007898 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.618014097 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618038893 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.618066072 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618072987 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.618134022 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.618151903 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618177891 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618201971 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618202925 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.618230104 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618257999 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618259907 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.618280888 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618304014 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618313074 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.618326902 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618349075 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.618349075 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618371010 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618380070 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.618390083 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618411064 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618428946 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.618432045 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618455887 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618479013 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.618482113 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618501902 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618515015 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.618541002 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618576050 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.618607044 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.618863106 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618890047 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618908882 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618927002 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.618931055 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618959904 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618971109 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.618988037 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.619004011 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.619055986 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.619091034 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.619146109 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.619178057 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.619193077 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.619206905 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.619230986 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.765065908 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.765394926 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.765688896 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.765791893 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.765888929 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.765917063 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.765938997 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.765975952 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.765980005 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.766060114 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.766127110 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.766181946 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.766205072 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.766228914 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.766230106 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.766275883 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.766294956 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.766294956 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.766318083 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.766367912 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.766426086 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.766705990 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.766755104 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.766777992 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.766813993 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.766824961 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.766832113 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.766855001 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.766877890 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.766908884 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.766938925 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.766984940 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.767026901 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.767059088 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.767060041 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.767085075 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.767106056 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.767143965 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.767169952 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.767180920 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.767193079 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.767261028 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.767266989 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.767291069 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.767313004 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.767334938 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.767345905 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.767357111 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.767398119 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.767452955 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.767461061 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.767486095 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.767508984 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.767533064 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.767534018 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.767601013 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.770558119 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.770646095 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.770653009 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.770848036 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.773947001 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.773988008 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.774012089 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.774039030 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.774051905 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.774102926 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.774133921 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.774162054 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.774210930 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.774362087 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.774390936 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.774405956 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.774427891 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.774430037 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.774477959 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.774502039 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.774544954 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.774554014 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.774586916 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.774620056 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.774632931 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.774669886 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.774702072 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.774709940 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.774764061 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.774787903 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.774823904 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.774851084 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.774873018 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.774873972 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.774929047 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.774938107 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.774962902 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.774986982 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.775039911 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.775096893 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.775103092 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.775105000 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.775134087 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.775156021 CEST	443	49726	207.241.228.150	192.168.2.3
Jul 12, 2021 15:20:42.775161028 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:20:42.775202036 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:21:03.382239103 CEST	49725	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:21:03.382384062 CEST	49724	443	192.168.2.3	207.241.224.2
Jul 12, 2021 15:21:03.382606983 CEST	49726	443	192.168.2.3	207.241.228.150
Jul 12, 2021 15:21:03.382858992 CEST	49727	443	192.168.2.3	207.241.228.150

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 12, 2021 15:20:30.792671919 CEST	58361	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:30.805702925 CEST	53	58361	8.8.8.8	192.168.2.3
Jul 12, 2021 15:20:31.817423105 CEST	63492	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:31.834106922 CEST	53	63492	8.8.8.8	192.168.2.3
Jul 12, 2021 15:20:33.091845036 CEST	60831	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:33.106437922 CEST	53	60831	8.8.8.8	192.168.2.3
Jul 12, 2021 15:20:33.830226898 CEST	60100	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:33.844559908 CEST	53	60100	8.8.8.8	192.168.2.3
Jul 12, 2021 15:20:34.828819990 CEST	53195	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:34.841103077 CEST	53	53195	8.8.8.8	192.168.2.3
Jul 12, 2021 15:20:36.049758911 CEST	50141	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:36.063311100 CEST	53	50141	8.8.8.8	192.168.2.3
Jul 12, 2021 15:20:37.093735933 CEST	53023	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:37.107237101 CEST	53	53023	8.8.8.8	192.168.2.3
Jul 12, 2021 15:20:38.088161945 CEST	49563	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:38.102972031 CEST	53	49563	8.8.8.8	192.168.2.3
Jul 12, 2021 15:20:38.321455956 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:38.381149054 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 12, 2021 15:20:39.530738115 CEST	59349	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:39.543806076 CEST	53	59349	8.8.8.8	192.168.2.3
Jul 12, 2021 15:20:39.749670982 CEST	57084	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:39.763417959 CEST	53	57084	8.8.8.8	192.168.2.3
Jul 12, 2021 15:20:40.346354961 CEST	58823	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:40.374916077 CEST	53	58823	8.8.8.8	192.168.2.3
Jul 12, 2021 15:20:40.558942080 CEST	57568	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:40.571894884 CEST	53	57568	8.8.8.8	192.168.2.3
Jul 12, 2021 15:20:42.148948908 CEST	50540	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:42.162688017 CEST	53	50540	8.8.8.8	192.168.2.3
Jul 12, 2021 15:20:44.887959003 CEST	54366	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:44.901201963 CEST	53	54366	8.8.8.8	192.168.2.3
Jul 12, 2021 15:20:46.259274006 CEST	53034	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:46.272397995 CEST	53	53034	8.8.8.8	192.168.2.3
Jul 12, 2021 15:20:47.213666916 CEST	57762	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:47.227446079 CEST	53	57762	8.8.8.8	192.168.2.3
Jul 12, 2021 15:20:48.297440052 CEST	55435	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:48.310853958 CEST	53	55435	8.8.8.8	192.168.2.3
Jul 12, 2021 15:20:50.875387907 CEST	50713	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:50.889250040 CEST	53	50713	8.8.8.8	192.168.2.3
Jul 12, 2021 15:20:53.018423080 CEST	56132	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:20:53.031266928 CEST	53	56132	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:01.366873980 CEST	58987	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:01.393691063 CEST	53	58987	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:01.716191053 CEST	56579	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:01.728946924 CEST	53	56579	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:08.386976957 CEST	60633	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:08.400981903 CEST	53	60633	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:09.396245003 CEST	60633	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:09.409037113 CEST	53	60633	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:10.398161888 CEST	60633	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:10.411336899 CEST	53	60633	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:12.412054062 CEST	60633	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:12.427480936 CEST	53	60633	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:16.459386110 CEST	60633	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:16.472527981 CEST	53	60633	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:24.964405060 CEST	61292	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:24.966015100 CEST	63619	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:24.980519056 CEST	53	63619	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:25.166039944 CEST	53	61292	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:25.386383057 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:25.400024891 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:25.765654087 CEST	61946	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:25.781270027 CEST	53	61946	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:26.267199039 CEST	64910	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:26.416455030 CEST	53	64910	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:26.852766991 CEST	52123	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:26.868109941 CEST	53	52123	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:27.282469034 CEST	56130	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:27.295367956 CEST	53	56130	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:27.961738110 CEST	56338	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:28.096267939 CEST	53	56338	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:28.518156052 CEST	59420	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:28.534601927 CEST	53	59420	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:29.184117079 CEST	58784	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:29.202024937 CEST	53	58784	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:33.440294981 CEST	63978	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:33.463110924 CEST	53	63978	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:44.506182909 CEST	62938	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:44.539284945 CEST	53	62938	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:45.395500898 CEST	55708	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:45.408652067 CEST	53	55708	8.8.8.8	192.168.2.3
Jul 12, 2021 15:21:46.078598976 CEST	56803	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:21:46.092247963 CEST	53	56803	8.8.8.8	192.168.2.3
Jul 12, 2021 15:22:14.780457020 CEST	57145	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:22:14.794770002 CEST	53	57145	8.8.8.8	192.168.2.3
Jul 12, 2021 15:22:17.831793070 CEST	55359	53	192.168.2.3	8.8.8.8
Jul 12, 2021 15:22:17.858563900 CEST	53	55359	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 12, 2021 15:20:39.749670982 CEST	192.168.2.3	8.8.8.8	0x1d1d	Standard query (0)	archive.org	A (IP address)	IN (0x0001)
Jul 12, 2021 15:20:40.346354961 CEST	192.168.2.3	8.8.8.8	0xe487	Standard query (0)	ia801500.us.archive.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 12, 2021 15:20:39.763417959 CEST	8.8.8.8	192.168.2.3	0x1d1d	No error (0)	archive.org		207.241.224.2	A (IP address)	IN (0x0001)
Jul 12, 2021 15:20:40.374916077 CEST	8.8.8.8	192.168.2.3	0xe487	No error (0)	ia801500.us.archive.org		207.241.228.150	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jul 12, 2021 15:20:40.103854895 CEST	207.241.224.2	443	192.168.2.3	49724	CN=*.archive.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Mon Dec 23 14:16:33 CET 2019 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon Feb 21 23:56:08 CET 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034
Jul 12, 2021 15:20:40.104886055 CEST	207.241.224.2	443	192.168.2.3	49725	CN=*.archive.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Mon Dec 23 14:16:33 CET 2019 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon Feb 21 23:56:08 CET 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034
Jul 12, 2021 15:20:40.732563019 CEST	207.241.228.150	443	192.168.2.3	49726	CN=*.us.archive.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Mon Dec 23 14:16:32 CET 2019 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon Feb 21 23:56:17 CET 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034
Jul 12, 2021 15:20:40.734802008 CEST	207.241.228.150	443	192.168.2.3	49727	CN=*.us.archive.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Mon Dec 23 14:16:32 CET 2019 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon Feb 21 23:56:17 CET 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 2332 Parent PID: 792

General

Start time:	15:20:37
Start date:	12/07/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff6d10c0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: iexplore.exe PID: 1808 Parent PID: 2332

General

Start time:	15:20:38
Start date:	12/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2332 CREDAT:17410 /prefetch:2
Imagebase:	0xf80000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: unarchiver.exe PID: 4448 Parent PID: 2332

General

Start time:	15:21:03
Start date:	12/07/2021
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MCOPY.tar'
Imagebase:	0xbb0000
File size:	10240 bytes
MD5 hash:	DB55139D9DD29F24AE8EA8F0E5606901
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: 7za.exe PID: 4600 Parent PID: 4448

General

Start time:	15:21:04
Start date:	12/07/2021
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\MCOPY.tar'
Imagebase:	0xbf0000
File size:	289792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 4232 Parent PID: 4600

General

Start time:	15:21:04
Start date:	12/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 5776 Parent PID: 4448

General

Start time:	15:21:05
Start date:	12/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 3868 Parent PID: 5776

General

Start time:	15:21:06
Start date:	12/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: RJCGQP.exe PID: 1488 Parent PID: 5776

General

Start time:	15:21:06
Start date:	12/07/2021
Path:	C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\fyhuigp3.w2x\RJCGQP.exe
Imagebase:	0x1330000
File size:	1573376 bytes
MD5 hash:	AD4B4A3179D923A637CEB9AC2E1CB00A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 48%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 5504 Parent PID: 1488

General

Start time:	15:21:08
Start date:	12/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c A.exe /stext A.txt
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6084 Parent PID: 5504

General

Start time:	15:21:08
Start date:	12/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: A.exe PID: 5804 Parent PID: 5504

General

Start time:	15:21:09
Start date:	12/07/2021
Path:	C:\Users\user\AppData\Local\Temp\A.exe
Wow64 process (32bit):	true
Commandline:	A.exe /stext A.txt
Imagebase:	0x400000
File size:	227840 bytes
MD5 hash:	8104093918B6F2D2004535B24B1533BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 32%, Metadefender, Browse Detection: 79%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 4560 Parent PID: 1488

General

Start time:	15:21:20
Start date:	12/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c B.exe /stext B.txt
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 4556 Parent PID: 4560

General

Start time:	15:21:20
Start date:	12/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: B.exe PID: 2396 Parent PID: 4560

General

Start time:	15:21:21
Start date:	12/07/2021
Path:	C:\Users\user\AppData\Local\Temp\B.exe
Wow64 process (32bit):	true
Commandline:	B.exe /stext B.txt
Imagebase:	0x400000
File size:	195584 bytes
MD5 hash:	62B2864C32CB33F57A65F47269D91BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 29%, Metadefender, Browse Detection: 72%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: unarchiver.exe PID: 4448 Parent PID: 2332 unarchiver.exeCOMMON

Execution Graph

Execution Coverage:	22%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6%
Total number of Nodes:	67
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 053602A8, Relevance: 4.2, Strings: 3, Instructions: 481
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@:r, xrefs: 0536062E
u]-p^, xrefs: 05360345, 0536034A
X1ar, xrefs: 053606FA

Memory Dump Source

Source File: 00000007.00000002.332288736.0000000005360000.00000040.00000001.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5360000_unarchiver.jbxd

Similarity

API ID:
String ID: :@:r$X1ar$u]-p^
API String ID: 0-4124039667
Opcode ID: 6f528bc06a08e4ba2ff982316008723954cf7aecb921da4784b26c5bbb053644
Instruction ID: 8b2327382301fa1eebe30390898946b87f419c69668d205e03f07d578784c533
Opcode Fuzzy Hash: 6f528bc06a08e4ba2ff982316008723954cf7aecb921da4784b26c5bbb053644
Instruction Fuzzy Hash: E222D774E00218DFDB14DFA6D888B9DBBB2FF89301F1095AAD809A7255DB349D85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 014AB042, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 014AB074

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 1500c856e2b06a91a29e14b6ca8c757c8db309911f12afb4ed4f821072e5c982
Instruction ID: 6f14d9fda08d5920ce696456ce87b15fd9fd86e82f7a78fb40a2940b71ee756b
Opcode Fuzzy Hash: 1500c856e2b06a91a29e14b6ca8c757c8db309911f12afb4ed4f821072e5c982
Instruction Fuzzy Hash: AF01ADB4804244DFDB10CF29D884766FFE4EF44320F98C4ABDE489F266D2B5A408CB62

Uniqueness

Uniqueness Score: -1.00%

Function 014AB0B2, Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 014AB15F

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bea91b33aa3f6b0faea8ffaedd004f18502c3e63668e095f9da386a2f2761f25
Instruction ID: 7906fff6f87042484e5d8adcd5acc7930ecd2e7deab46d39bd4d0711c26f60e0
Opcode Fuzzy Hash: bea91b33aa3f6b0faea8ffaedd004f18502c3e63668e095f9da386a2f2761f25
Instruction Fuzzy Hash: A331B272404344AFEB228F65DC44F67BFACEF46320F04899BF985DB162D224A819CB71

Uniqueness

Uniqueness Score: -1.00%

Function 014AAB70, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 014AAC13

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b71dc8c5d5d7decf995e591d7d4b4fefe3a5c7749b2259265d36903c8cc3f0ea
Instruction ID: 634d25ad635eb9c6138fe87f3480ef2a896be77e3e9b318c0caaf5732b6bdbe1
Opcode Fuzzy Hash: b71dc8c5d5d7decf995e591d7d4b4fefe3a5c7749b2259265d36903c8cc3f0ea
Instruction Fuzzy Hash: FD31B572404344AFEB228F65DC44F67BFACEF46720F0488ABF985DB152D224A415DB61

Uniqueness

Uniqueness Score: -1.00%

Function 014AA504, Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 014AA5A9

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d775c499a09efb5493d42d79fd0d1d01da4b4860e7e7b736bc570f8b6892904b
Instruction ID: ff8830e19f88138acbdab6362b42e18efbcf53d565648f4c6b2737cf255bde6f
Opcode Fuzzy Hash: d775c499a09efb5493d42d79fd0d1d01da4b4860e7e7b736bc570f8b6892904b
Instruction Fuzzy Hash: 6F3190B1504380AFE722CF25CC44F66BFE8EF45610F18849EE9858B252D375E805CB71

Uniqueness

Uniqueness Score: -1.00%

Function 014AA9E2, Relevance: 1.6, APIs: 1, Instructions: 91
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E2C,?,?), ref: 014AAAA2

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 550fa28cff813037e6c6ba5544e7b68fac17cf0ef80afa2f4eef4af28609e4f3
Instruction ID: 3f315beb2a9ca162a9f98bfeeada2964ff41a9a518ca538ee2aa5349e7d8e0a5
Opcode Fuzzy Hash: 550fa28cff813037e6c6ba5544e7b68fac17cf0ef80afa2f4eef4af28609e4f3
Instruction Fuzzy Hash: C0318F6640E3C46FD3138B718C61A55BFB4AF87610F1D84CBD8C48F2A3D2686919C762

Uniqueness

Uniqueness Score: -1.00%

Function 014AA120, Relevance: 1.6, APIs: 1, Instructions: 83
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 014AA1C2

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: aa806332eb98fb5af2efff3040fea6ae6b6c238fb839dcfaa3e95a43a646571b
Instruction ID: 500be0e80abce57b1b2982bfa9b119c8d9f6beec3ad0bf40d45f7eb659b3662a
Opcode Fuzzy Hash: aa806332eb98fb5af2efff3040fea6ae6b6c238fb839dcfaa3e95a43a646571b
Instruction Fuzzy Hash: 7821947140D3C06FD7128B758C51B62BFB4EF87620F1985DBE9848F193D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 014AB0E2, Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 014AB15F

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f1beefe87af888080df4292fd387eaffe579f8b3ac0e70bd5cc8e9828f80028c
Instruction ID: b3e335e322d698b56365a118fefe585994cf7b49fe9d823c4a1eac1c2d92c8cc
Opcode Fuzzy Hash: f1beefe87af888080df4292fd387eaffe579f8b3ac0e70bd5cc8e9828f80028c
Instruction Fuzzy Hash: 5F21CF72500204AFEB219F68DC84F6BFBACEF48320F04896BFE45DB251D670A4098B71

Uniqueness

Uniqueness Score: -1.00%

Function 014AAB96, Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 014AAC13

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e86753a4f26b45b9f26f8f34639602848d0bf44fcb483f3175c39f87875a1aa4
Instruction ID: 6e9a51639368e7109cec6bfc6222c767ab02218a155a691385526c275b7cbd62
Opcode Fuzzy Hash: e86753a4f26b45b9f26f8f34639602848d0bf44fcb483f3175c39f87875a1aa4
Instruction Fuzzy Hash: 4521B272500604AFFB219F64DC84F6BBBACEF44720F14886BEA459B251D670A409CB61

Uniqueness

Uniqueness Score: -1.00%

Function 014AA77C, Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E2C,2D9C2B8D,00000000,00000000,00000000,00000000), ref: 014AA80A

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ce04d9f359cd3e0db18e5b6d590398206e323833ad6c720ca5e31ec530e3e45e
Instruction ID: a9fc0ac6e11baa2d0cfc11ea7485a901e109d37ba818b44f5313584ed81c108d
Opcode Fuzzy Hash: ce04d9f359cd3e0db18e5b6d590398206e323833ad6c720ca5e31ec530e3e45e
Instruction Fuzzy Hash: DF219071408380AFE7128B24DC40F66BFA8EF46720F1984ABE9849B253C264A809C771

Uniqueness

Uniqueness Score: -1.00%

Function 014AA85F, Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,00000E2C,2D9C2B8D,00000000,00000000,00000000,00000000), ref: 014AA8ED

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 5ff93672fe884c5bf9568d33d217b348f61159af6eef6ac828bf805eaf79ce8f
Instruction ID: f49f6c71ae1668b5bd6f8f7f310846f522d43a8b0d4b163b5d92c6a7382c56f3
Opcode Fuzzy Hash: 5ff93672fe884c5bf9568d33d217b348f61159af6eef6ac828bf805eaf79ce8f
Instruction Fuzzy Hash: 11218371409380AFDB228F65DC44F57BFB8EF46310F18859BEA849F162C275A409CB71

Uniqueness

Uniqueness Score: -1.00%

Function 014AA52A, Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 014AA5A9

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1a9cad7fcf30e64e2105daef22b31b75d2c396acfe39bc3a952060b33c6fc718
Instruction ID: 3270d662146b5588c2857d6fa837116f01f225316febbddd0a07060a414bd349
Opcode Fuzzy Hash: 1a9cad7fcf30e64e2105daef22b31b75d2c396acfe39bc3a952060b33c6fc718
Instruction Fuzzy Hash: C7218C75500604AFEB21DF69CC84F66FBE8EF08720F14886AEA859B262D771E405CB75

Uniqueness

Uniqueness Score: -1.00%

Function 014AA6BB, Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E2C,2D9C2B8D,00000000,00000000,00000000,00000000), ref: 014AA741

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 77d8e98ecd58cffc8f447ca1fd1ffeebc228a70af0141f4c68c41dde3fe70117
Instruction ID: e7ec521b5131e3b53928a11922d64a764629901debe818ad0f4dc2f89811f5d5
Opcode Fuzzy Hash: 77d8e98ecd58cffc8f447ca1fd1ffeebc228a70af0141f4c68c41dde3fe70117
Instruction Fuzzy Hash: 4221C3B54083846FE7128B25DC40FA6BFB8DF47720F1980DBE9849B253D264A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 014AA600, Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 014AA674

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ce1d974f7224f69d5ee5985431c393f0f7c6f61ea87bbe4dfb2e35a041195627
Instruction ID: 0792c29435afcf50832e171ab37ff492c15aac014b747ee91d99a282d921c853
Opcode Fuzzy Hash: ce1d974f7224f69d5ee5985431c393f0f7c6f61ea87bbe4dfb2e35a041195627
Instruction Fuzzy Hash: 5721A1B54093C4AFD7138B25DC55652BFB4AF53220F1980DBDD858F263D2659908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 014AA448, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 014AA4AF

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 2b1895c8977fd2b05b982327376bde3d1a3b7efd470dcae8901888b852d2fe8c
Instruction ID: e4807bf64839bf6be4fe87309d745617743a6d97f914e7141c799675b4ed2235
Opcode Fuzzy Hash: 2b1895c8977fd2b05b982327376bde3d1a3b7efd470dcae8901888b852d2fe8c
Instruction Fuzzy Hash: BA117F715053849FD722CF29DC89B56BFE8EF46220F1984ABED49CB262D274E904CB61

Uniqueness

Uniqueness Score: -1.00%

Function 014AA88E, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,00000E2C,2D9C2B8D,00000000,00000000,00000000,00000000), ref: 014AA8ED

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: bc6b90a456ac3af89c592626ebd2bd281dd59243a19773bf2c664f55aa56cbbb
Instruction ID: 74f2321d9151a6bc4f92efa3d11e8b92d09a043c456864b6e6cfef9b1a47fdd6
Opcode Fuzzy Hash: bc6b90a456ac3af89c592626ebd2bd281dd59243a19773bf2c664f55aa56cbbb
Instruction Fuzzy Hash: A811BF71400204EFEB218F55DC80FA7FBA8EF59720F14886BEE499B261C275A409CB71

Uniqueness

Uniqueness Score: -1.00%

Function 014AA7AE, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E2C,2D9C2B8D,00000000,00000000,00000000,00000000), ref: 014AA80A

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: cf59c6d27e142b91076ee618d4445664db23d7839e443971426d296bcbf4dc62
Instruction ID: ed5e4a0e17c91a799d4f7f09408a7688c887d2ef087677e4c96df7eb16a23e9d
Opcode Fuzzy Hash: cf59c6d27e142b91076ee618d4445664db23d7839e443971426d296bcbf4dc62
Instruction Fuzzy Hash: F2118F71400204AFEB219F59DC84F66FBA8EF55720F14846BEE499B251D674A409CB71

Uniqueness

Uniqueness Score: -1.00%

Function 014AA46A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 014AA4AF

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 397629f9c0ff604d8f5cbdde41c76e8b01a709964194cc0a88b4dea520cfa5cb
Instruction ID: 7b70b486f8851431d657b46d10d101ba916870275eea0541b8905b6f58ea63f1
Opcode Fuzzy Hash: 397629f9c0ff604d8f5cbdde41c76e8b01a709964194cc0a88b4dea520cfa5cb
Instruction Fuzzy Hash: 70115E756006049FEB20CF29D889766FBD8EF55620F58C4BBED09CB752E674E404CB61

Uniqueness

Uniqueness Score: -1.00%

Function 014AA6EE, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,2D9C2B8D,00000000,00000000,00000000,00000000), ref: 014AA741

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 6f19747a0e2926cfdbbd9e38af4ba10f87f374d0bdbb77f3665d2c47bc76086d
Instruction ID: d37b839ab31264aed5312681843705340d5104047502a209f464c1bc1c6a6437
Opcode Fuzzy Hash: 6f19747a0e2926cfdbbd9e38af4ba10f87f374d0bdbb77f3665d2c47bc76086d
Instruction Fuzzy Hash: D6010475400204AEE7108B19CC84F67FFA8DF45720F648067EE059B251D274A405CA71

Uniqueness

Uniqueness Score: -1.00%

Function 014AADF7, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 014AAE50

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: ec558d2b4892b0fcbce07f35da8575250283a02a1c2c2c83460a0b8765752bde
Instruction ID: 9a0ca3757734ded0ebf18b8e0e1b0638713e09d6f6f70b172576b06f4ad0596d
Opcode Fuzzy Hash: ec558d2b4892b0fcbce07f35da8575250283a02a1c2c2c83460a0b8765752bde
Instruction Fuzzy Hash: CF1173755093849FD7128F29DC45A52FFF4EF46220F0984DBED858B263C275A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 014AB020, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 014AB074

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 9e2f52ba26f8686c1cffa5d66c17f288e39c397b9ceb7c926db73a84cc93938d
Instruction ID: bb32f7f41412a6c962bcb1de9debb25746ec105ce223419e03656e007e86e3fd
Opcode Fuzzy Hash: 9e2f52ba26f8686c1cffa5d66c17f288e39c397b9ceb7c926db73a84cc93938d
Instruction Fuzzy Hash: 0D117375409384AFD712CF25DC44B56FFA4DF46220F5884EBED849F253D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 014AA23C, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 014AA290

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 9fbce2203624af50dc1598620aee6c404e1328329d6ea3ddc76a76387a52c329
Instruction ID: 0d09bf2f17bfa528932b2166d6946e8885543fe588b5690aba9c46536ba8cc6c
Opcode Fuzzy Hash: 9fbce2203624af50dc1598620aee6c404e1328329d6ea3ddc76a76387a52c329
Instruction Fuzzy Hash: D611A171409384AFD7228F15DC84B62FFB4DF56620F0880DBED848B263D275A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 014AAA52, Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E2C,?,?), ref: 014AAAA2

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 090c7a0baeb2aabba848d26696330c404c5a0988648f4c826f3257e28e5fa081
Instruction ID: 562ead0decdf33629184c7c6b26a67bdb5a7473a3b16bd6871e2012c827e4361
Opcode Fuzzy Hash: 090c7a0baeb2aabba848d26696330c404c5a0988648f4c826f3257e28e5fa081
Instruction Fuzzy Hash: 9D015E76500601ABD610DF16DC85B26FBA8EB88B20F14856AED089B641E231B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 014AA172, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 014AA1C2

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: d49f414835b77edd383da8042555a66cd9b3893c8b808d3b02e44f898dcc8ac1
Instruction ID: b6eb34fd99b10bf370598b9a4f9747661ee257e2a3a8e5cc041354871ec35bba
Opcode Fuzzy Hash: d49f414835b77edd383da8042555a66cd9b3893c8b808d3b02e44f898dcc8ac1
Instruction Fuzzy Hash: 26017175500601ABD710DF16DC85B36FBA8EBC8B20F14856AED089B741E335B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 014AA642, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 014AA674

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 654aed304f742a56dd71866b93fab7dca23ca4ba3f0b3eb882daaa506ed6f335
Instruction ID: d1b07977246ffc60a1a314dd3662e3eedcb63cbea123030b7df3a3efdbda1ab6
Opcode Fuzzy Hash: 654aed304f742a56dd71866b93fab7dca23ca4ba3f0b3eb882daaa506ed6f335
Instruction Fuzzy Hash: 8B018F759002449FDB11CF29D884766FFA4EF94220F58C4ABDD498B366D6B5A808CF62

Uniqueness

Uniqueness Score: -1.00%

Function 014AAE1E, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 014AAE50

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 7375854b9536df2c5e5d873cb7a936e814b237752378362c1c4620dd6bd936fc
Instruction ID: 9acdfb281b442cd36051af4cc61752a4d9cb91131b7ec57421de54e8e6a0779b
Opcode Fuzzy Hash: 7375854b9536df2c5e5d873cb7a936e814b237752378362c1c4620dd6bd936fc
Instruction Fuzzy Hash: B501D1755006459FDB108F19D885767FF94DF08730F18C0ABDE098B362D2B5A448CB62

Uniqueness

Uniqueness Score: -1.00%

Function 014AA25E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 014AA290

Memory Dump Source

Source File: 00000007.00000002.330922034.00000000014AA000.00000040.00000001.sdmp, Offset: 014AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14aa000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 8b3a5b8450a14bb2f962cc66c8eafb0b7ac57ecd6d9be809cdeaaf96ebddb61a
Instruction ID: c5dd68420bcc640a88c4c9a563eb52bc2b34ede37222413a11f6740b7158efea
Opcode Fuzzy Hash: 8b3a5b8450a14bb2f962cc66c8eafb0b7ac57ecd6d9be809cdeaaf96ebddb61a
Instruction Fuzzy Hash: 3FF0C835804644DFD710CF19D884762FF90DF19720F58C09BDD494B326D2B6A418CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 02E20872, Relevance: 1.0, Instructions: 979COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.331173786.0000000002E20000.00000040.00000040.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e20000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 007c449f21ded8359d977b6cd4d20986960e8863d7fd57e84ccc75eea96c80c1
Instruction ID: 79930a02d09677247d62e4e78d5a5fa729ae390d656f4357ff51f1cacbac48ef
Opcode Fuzzy Hash: 007c449f21ded8359d977b6cd4d20986960e8863d7fd57e84ccc75eea96c80c1
Instruction Fuzzy Hash: 2E11A1E3C8A3804FD7464B2098990D57FB1DDA312431E45EBD486CF153E51E590FCBA6

Uniqueness

Uniqueness Score: -1.00%

Function 02E204AE, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.331173786.0000000002E20000.00000040.00000040.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e20000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4429b2b8f49ecc0be39faa35a1c1ebdff0db3c6d292aac256fca32156608d1
Instruction ID: 75b091212010e38e958bea3d180616a890e8a9db87800617c0cec61c713f2bfc
Opcode Fuzzy Hash: 9c4429b2b8f49ecc0be39faa35a1c1ebdff0db3c6d292aac256fca32156608d1
Instruction Fuzzy Hash: 7811496254E3C05FD3138B329C24851BFB49E8766071980DFE88ACF1A3D2296809CB63

Uniqueness

Uniqueness Score: -1.00%

Function 05360C30, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.332288736.0000000005360000.00000040.00000001.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5360000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c672c98caed7a0775f43934b63e315b4dbe3315b4120d665161c36ffc4c2c223
Instruction ID: a7b96a38476502a3035b32e1e93e8586e2117fd597792c040aace95bb68e2ff2
Opcode Fuzzy Hash: c672c98caed7a0775f43934b63e315b4dbe3315b4120d665161c36ffc4c2c223
Instruction Fuzzy Hash: 5A51E770E42218DFDB19DFB9D484AAEBBB2FF8A300F249469D405B7350DB399942CB54

Uniqueness

Uniqueness Score: -1.00%

Function 05360AD8, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.332288736.0000000005360000.00000040.00000001.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5360000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec039c84bad65d89ab15eb492d118fe3e2d6fea3388b158a198041af2e7c16cb
Instruction ID: 180f75fd3af4da97d2d2422b2e7e6adde16b6333b51deb45b93f69409ab71e9a
Opcode Fuzzy Hash: ec039c84bad65d89ab15eb492d118fe3e2d6fea3388b158a198041af2e7c16cb
Instruction Fuzzy Hash: 14211675D05208DFCB05DFA5D4446EEBBB6FB89304F10852AD905A3254DB746E46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E207F8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.331173786.0000000002E20000.00000040.00000040.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e20000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858de5175f9082a140e74163b756ce5f4e7a0bea3dfb4a8b11a4119a2a941eee
Instruction ID: 075c4da1b5d7b7c461bd6aa25acbce309b0c41643c8c7970f2aa4d5482ee3d34
Opcode Fuzzy Hash: 858de5175f9082a140e74163b756ce5f4e7a0bea3dfb4a8b11a4119a2a941eee
Instruction Fuzzy Hash: E801D2B24093546FD7018F14EC41C97BBBCDB86620B08C46FFD499B602D265AA08CBF2

Uniqueness

Uniqueness Score: -1.00%

Function 02E205AF, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.331173786.0000000002E20000.00000040.00000040.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e20000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326cec6a01307fe2fc0889941c6c2536982eea56d9080354517da68bce184ff4
Instruction ID: 15b3bc8093dba87688ed84249a5d2fe645201e2bdb1129f4d3997a89b6a12121
Opcode Fuzzy Hash: 326cec6a01307fe2fc0889941c6c2536982eea56d9080354517da68bce184ff4
Instruction Fuzzy Hash: 1401F5365083805FC7118F21EC41956BFA4EF46370F14C1EFE849CB252D225A409CB66

Uniqueness

Uniqueness Score: -1.00%

Function 02E205CF, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.331173786.0000000002E20000.00000040.00000040.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e20000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe26f1269afe7258f5c5f10c262819919e67a8c9a21a65e076b1f4aba9c7bd3c
Instruction ID: a688ce645dc2e1e840ccaa6633d842cf7c9efe8782bf07faa15fd3d96ce3ac5d
Opcode Fuzzy Hash: fe26f1269afe7258f5c5f10c262819919e67a8c9a21a65e076b1f4aba9c7bd3c
Instruction Fuzzy Hash: 6701D6B65083805FD7128F16EC40862FFA8DA8A630749C09FED898B612D625A904CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05360E38, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.332288736.0000000005360000.00000040.00000001.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5360000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd5a7761d38a96d7e406ed0824eea8fb7d550cf49ff52ddcf0bacdd7edffbe3
Instruction ID: b696b92eeb222c69990023b9aa48d23730843cea0ec8c589f150a7b7aaf818bb
Opcode Fuzzy Hash: 1cd5a7761d38a96d7e406ed0824eea8fb7d550cf49ff52ddcf0bacdd7edffbe3
Instruction Fuzzy Hash: 4E0113B0C062488FCB08DFB4D8597AEBBB1BF05305F1094AEC41167281C7788A84CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05360E48, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.332288736.0000000005360000.00000040.00000001.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5360000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6075042f9c3b7c75ba6c0b15b04d9db78928959769cc026d0bb0327a0f05134
Instruction ID: eac0cbf56a2de6e2b655758ffba4be18cdf691ad8b2bd0324854d4bece56e663
Opcode Fuzzy Hash: d6075042f9c3b7c75ba6c0b15b04d9db78928959769cc026d0bb0327a0f05134
Instruction Fuzzy Hash: AE010C74C022088FCB08EFA9C4497AEBBB1BB00301F2099AEC41163280C7789A84CF80

Uniqueness

Uniqueness Score: -1.00%

Function 05360BBF, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.332288736.0000000005360000.00000040.00000001.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5360000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e0390daa56ddfb8008aeab7ddff2b868286f2c61143f95ee83888250d4e11e
Instruction ID: 6fa47680e505ac8e2e0d4de3926cb25bbe612da8cf3a502943fe65a363aa5408
Opcode Fuzzy Hash: 59e0390daa56ddfb8008aeab7ddff2b868286f2c61143f95ee83888250d4e11e
Instruction Fuzzy Hash: 360119B4D09209DBCB04DFA9C9496AEFBF1EF44300F2095AAC405A3354DB745A00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E2081E, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.331173786.0000000002E20000.00000040.00000040.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e20000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5098aabdd1dc1e95d898857055399eb2f4199fa1cab8e4fc2848c2de8cc07258
Instruction ID: cf56fca6cd8b0bdd7c447f4cf49deecc9a89e82bee811a084d4a7ee27b5461a7
Opcode Fuzzy Hash: 5098aabdd1dc1e95d898857055399eb2f4199fa1cab8e4fc2848c2de8cc07258
Instruction Fuzzy Hash: E4F082B28052046FD240DF15EC41CA6F7ECDFC4921B14C52FFC088B301E276A9144AF2

Uniqueness

Uniqueness Score: -1.00%

Function 02E205BF, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.331173786.0000000002E20000.00000040.00000040.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e20000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a5f6cff14aa9bcb12d3c23dc9d8b00e63fceea11019aff6454b15385f9fcea
Instruction ID: 2da252d3bc6277356f83188f0afbfd56265a380dc756a0f0f67a72b45b6bd687
Opcode Fuzzy Hash: a5a5f6cff14aa9bcb12d3c23dc9d8b00e63fceea11019aff6454b15385f9fcea
Instruction Fuzzy Hash: BCF0E2716406409FC710CF1AE885555FFA0EB89770F18C0AFEC098B311D239A109CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 02E205F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.331173786.0000000002E20000.00000040.00000040.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e20000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 585b91541108d0ee158baa9af9e03d6f0881d3839d069e4d15c29879c91d715e
Instruction ID: a152e46f58cdd67a7aad5d99d8dac5feb88fe494fc1960bc21e48de0f0365441
Opcode Fuzzy Hash: 585b91541108d0ee158baa9af9e03d6f0881d3839d069e4d15c29879c91d715e
Instruction Fuzzy Hash: ABE092766006048BD650CF0BEC81862F7D8EB88630B18C07FDC0D8B711E135B504CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 014A23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.330912897.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14a2000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1331a61d7f08964582b287ff36f0b270a215d988ae42e4b8af3daa33dc6f674
Instruction ID: 2f14424419e70d519b09ee59c6076f40f474a5a33a69cd5c3aa551e59d25a1e5
Opcode Fuzzy Hash: a1331a61d7f08964582b287ff36f0b270a215d988ae42e4b8af3daa33dc6f674
Instruction Fuzzy Hash: AFD05B752156914FD3168A1CC164F553FA4AB51B04F4744FEE8008B773C364D581E100

Uniqueness

Uniqueness Score: -1.00%

Function 014A23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.330912897.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14a2000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141ad2d1bcac98dbed014390f0189a6e45a668e1cd09955941aba1dd86ed8052
Instruction ID: dff44694de2c03a3cc6ff52564664cc81cd7eee730fc4cf2d94eda0df7207521
Opcode Fuzzy Hash: 141ad2d1bcac98dbed014390f0189a6e45a668e1cd09955941aba1dd86ed8052
Instruction Fuzzy Hash: D4D05E342002818BDB15DB1DC594F5A3BD4AB52B00F0644E9AD00CB772C3B8D881D600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05360299, Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

u]-p^, xrefs: 05360345, 0536034A

Memory Dump Source

Source File: 00000007.00000002.332288736.0000000005360000.00000040.00000001.sdmp, Offset: 05360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5360000_unarchiver.jbxd

Similarity

API ID:
String ID: u]-p^
API String ID: 0-3566714672
Opcode ID: e2c094114150236a911ef54b5c01c3bafd7dd97042eabe4aa45f2fda8afff91c
Instruction ID: 657c9265c092ed6f3b38efff38652185feb52568e903ea9cb409248aebe29330
Opcode Fuzzy Hash: e2c094114150236a911ef54b5c01c3bafd7dd97042eabe4aa45f2fda8afff91c
Instruction Fuzzy Hash: 7191EC74E10244DFDB18CFA6E848A9DBBB3FB8D301F10C1A9D849A7254D7355996CF60

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: A.exe PID: 5804 Parent PID: 5504 A.exeCOMMON

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.2%
Total number of Nodes:	1372
Total number of Limit Nodes:	59

Executed Functions

Function 0040DD85, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 212
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040DDAD

Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4

Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8

Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7

NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
_wcsicmp.MSVCRT ref: 0040DEB2
_wcsicmp.MSVCRT ref: 0040DEC5
_wcsicmp.MSVCRT ref: 0040DED8
OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
memset.MSVCRT ref: 0040DF5F
CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
_wcsicmp.MSVCRT ref: 0040DFB2
CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2

Strings

taskhost.exe, xrefs: 0040DEBD
taskhostex.exe, xrefs: 0040DED0
dllhost.exe, xrefs: 0040DEA9

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
String ID: dllhost.exe$taskhost.exe$taskhostex.exe
API String ID: 594330280-3398334509
Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00413D4C, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 142
processlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
memset.MSVCRT ref: 00413D7F
Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
memset.MSVCRT ref: 00413E07
GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
??3@YAXPAX@Z.MSVCRT ref: 00413EC1
Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A

Strings

kernel32.dll, xrefs: 00413E37
QueryFullProcessImageNameW, xrefs: 00413E46

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: Handle$??3@CloseProcess32memset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
String ID: QueryFullProcessImageNameW$kernel32.dll
API String ID: 912665193-1740548384
Opcode ID: 05c61bdc91198e39abb6d6ee7ce09e8b8423f2cda011bdf5068888dae1005bc1
Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
Opcode Fuzzy Hash: 05c61bdc91198e39abb6d6ee7ce09e8b8423f2cda011bdf5068888dae1005bc1
Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040B58D, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
LockResource.KERNEL32(00000000), ref: 0040B5DD
memcpy.MSVCRT ref: 0040B60D

Strings

BIN, xrefs: 0040B5AB

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
String ID: BIN
API String ID: 1668488027-1015027815
Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED

Uniqueness

Uniqueness Score: -1.00%

Function 00418758, Relevance: 4.6, APIs: 3, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7

Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE

GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
??3@YAXPAX@Z.MSVCRT ref: 00418803

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
String ID:
API String ID: 2947809556-0
Opcode ID: e9fa8cdb0503d843af4e6d4979f9032e8967895c6ef67b6505ea85934ab3b907
Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
Opcode Fuzzy Hash: e9fa8cdb0503d843af4e6d4979f9032e8967895c6ef67b6505ea85934ab3b907
Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769

Uniqueness

Uniqueness Score: -1.00%

Function 00404423, Relevance: 4.6, APIs: 3, Instructions: 51libraryencryptionloaderCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498

Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

GetProcAddress.KERNEL32(?,00000000), ref: 00404453
FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
String ID:
API String ID: 767404330-0
Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
Opcode Fuzzy Hash: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE51, Relevance: 3.0, APIs: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755

Uniqueness

Uniqueness Score: -1.00%

Function 0044553B, Relevance: 44.5, APIs: 23, Strings: 2, Instructions: 758
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004455C2
wcsrchr.MSVCRT ref: 004455DA
memset.MSVCRT ref: 0044570D
memset.MSVCRT ref: 00445725

Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C

Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2

Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A

memset.MSVCRT ref: 0044573D
memset.MSVCRT ref: 00445755
memset.MSVCRT ref: 004458CB
memset.MSVCRT ref: 004458E3
memset.MSVCRT ref: 0044596E
memset.MSVCRT ref: 00445A10
memset.MSVCRT ref: 00445A28
memset.MSVCRT ref: 00445AC6

Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68

Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7

memset.MSVCRT ref: 00445B52
memset.MSVCRT ref: 00445B6A
memset.MSVCRT ref: 00445C9B
memset.MSVCRT ref: 00445CB3
_wcsicmp.MSVCRT ref: 00445D56
memset.MSVCRT ref: 00445B82

Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C

Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04

memset.MSVCRT ref: 00445986

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

Strings

Apple Computer\Preferences\keychain.plist, xrefs: 00445CD0
*.*, xrefs: 00445ED0

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
String ID: *.*$Apple Computer\Preferences\keychain.plist
API String ID: 2151808875-3798722523
Opcode ID: 8320a57399db62c9384808c231969f658b87241fbcb6c2f23815a8bc87aa57e2
Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
Opcode Fuzzy Hash: 8320a57399db62c9384808c231969f658b87241fbcb6c2f23815a8bc87aa57e2
Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041276D, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514

SetErrorMode.KERNELBASE(00008001), ref: 00412799
GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9

Strings

/deleteregkey, xrefs: 00412833
, xrefs: 004127CD
/savelangfile, xrefs: 00412805

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
String ID: $/deleteregkey$/savelangfile
API String ID: 2744995895-28296030
Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6EF, Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 388
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040B71C

Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D

wcsrchr.MSVCRT ref: 0040B738
memset.MSVCRT ref: 0040B756
memset.MSVCRT ref: 0040B7F5
CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
memset.MSVCRT ref: 0040B851
memset.MSVCRT ref: 0040B8CA
memcmp.MSVCRT ref: 0040B9BF

Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
memset.MSVCRT ref: 0040BB53
memcpy.MSVCRT ref: 0040BB66
LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D

Strings

v10, xrefs: 0040B9B7
chp, xrefs: 0040B817

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateCryptDataDeleteFindLibraryLocalNotificationProcUnprotectmemcmpmemcpywcscpy
String ID: chp$v10
API String ID: 580435826-2783969131
Opcode ID: b642f203d15064d315541d918ad2526bb414326ad23a5a830d1949435d8ad222
Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
Opcode Fuzzy Hash: b642f203d15064d315541d918ad2526bb414326ad23a5a830d1949435d8ad222
Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040E01E, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 120
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2

Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8

OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4

Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
Part of subcall function 00409A45: GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85

Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE

CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
CloseHandle.KERNEL32(?), ref: 0040E13E
CloseHandle.KERNEL32(00000000), ref: 0040E143
CloseHandle.KERNEL32(?), ref: 0040E148
CloseHandle.KERNEL32(?), ref: 0040E14D

Strings

bhv, xrefs: 0040E0DD

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateProcess$CurrentTempView$??2@ChangeDirectoryDuplicateFindInformationMappingNameNotificationOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
String ID: bhv
API String ID: 3399910952-2689659898
Opcode ID: 581cd955e5f2635261495d2059987c80485bc08b8db92cd2fad541764a57ada3
Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
Opcode Fuzzy Hash: 581cd955e5f2635261495d2059987c80485bc08b8db92cd2fad541764a57ada3
Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00413F4F, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F

Strings

psapi.dll, xrefs: 00413F55
GetModuleInformation, xrefs: 00413F95
GetModuleBaseNameW, xrefs: 00413F65
GetModuleFileNameExW, xrefs: 00413F7D
EnumProcesses, xrefs: 00413F89
EnumProcessModules, xrefs: 00413F71

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2941347001-70141382
Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

Uniqueness

Uniqueness Score: -1.00%

Function 004466F4, Relevance: 18.1, APIs: 12, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,0044E4C0,00000070), ref: 00446703
__set_app_type.MSVCRT ref: 00446762
__p__fmode.MSVCRT ref: 00446777
__p__commode.MSVCRT ref: 00446785
__setusermatherr.MSVCRT ref: 004467B1
_initterm.MSVCRT ref: 004467C7
__wgetmainargs.KERNELBASE ref: 004467EA
_initterm.MSVCRT ref: 004467FD
GetStartupInfoW.KERNEL32(?), ref: 0044685A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00446880
exit.KERNELBASE ref: 00446897
_cexit.MSVCRT ref: 0044689D

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
String ID:
API String ID: 2827331108-0
Opcode ID: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
Opcode Fuzzy Hash: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C274, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040C298

Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68

Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629

Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8

FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
wcschr.MSVCRT ref: 0040C324
wcschr.MSVCRT ref: 0040C344
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
GetLastError.KERNEL32 ref: 0040C373
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
FindCloseUrlCache.WININET(?), ref: 0040C3B0

Strings

visited:, xrefs: 0040C308

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
String ID: visited:
API String ID: 2470578098-1702587658
Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB98, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98

Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A

memset.MSVCRT ref: 0040BC75
memset.MSVCRT ref: 0040BC8C
WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
memcmp.MSVCRT ref: 0040BCD6
memcpy.MSVCRT ref: 0040BD2B
LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D

Strings

, xrefs: 0040BD19

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
String ID:
API String ID: 509814883-3916222277
Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

Uniqueness

Uniqueness Score: -1.00%

Function 0041837F, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
GetLastError.KERNEL32 ref: 0041847E
??3@YAXPAX@Z.MSVCRT ref: 0041848B

Strings

|A, xrefs: 00418462

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: CreateFile$??3@ErrorLast
String ID: |A
API String ID: 1407640353-1717621600
Opcode ID: 71e54c5a76e1aa47306962d20987635381793afdf9523ab11eb51246902c22e1
Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
Opcode Fuzzy Hash: 71e54c5a76e1aa47306962d20987635381793afdf9523ab11eb51246902c22e1
Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

Uniqueness

Uniqueness Score: -1.00%

Function 00412465, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0041249C
??2@YAPAXI@Z.MSVCRT ref: 004124D2
??2@YAPAXI@Z.MSVCRT ref: 00412510
GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
LoadIconW.USER32(00000000,00000065), ref: 0041258B
wcscpy.MSVCRT ref: 004125A0

Strings

r!A, xrefs: 00412477

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??2@$HandleIconLoadModulememsetwcscpy
String ID: r!A
API String ID: 2791114272-628097481
Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

Uniqueness

Uniqueness Score: -1.00%

Function 0040C768, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6

Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B

Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373

Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB

_wcslwr.MSVCRT ref: 0040C817

Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF

wcslen.MSVCRT ref: 0040C82C

Strings

/, xrefs: 0040C838
/, xrefs: 0040C843
https://www.google.com/accounts/servicelogin, xrefs: 0040C7AA
https://login.yahoo.com/config/login, xrefs: 0040C7C4
http://www.facebook.com/, xrefs: 0040C7B7

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
API String ID: 62308376-4196376884
Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A804, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040A824
GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
wcscpy.MSVCRT ref: 0040A854
wcscat.MSVCRT ref: 0040A86A
LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

Strings

C:\Windows\system32, xrefs: 0040A82C, 0040A834, 0040A840, 0040A852

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
String ID: C:\Windows\system32
API String ID: 669240632-2896066436
Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA

Uniqueness

Uniqueness Score: -1.00%

Function 0040BDB0, Relevance: 12.2, APIs: 8, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7

CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
wcslen.MSVCRT ref: 0040BE06
_wcsncoll.MSVCRT ref: 0040BE38
memset.MSVCRT ref: 0040BE91
memcpy.MSVCRT ref: 0040BEB2
_wcsnicmp.MSVCRT ref: 0040BEFC
wcschr.MSVCRT ref: 0040BF24
LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
String ID:
API String ID: 3191383707-0
Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69

Uniqueness

Uniqueness Score: -1.00%

Function 00403C9C, Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403CBF
memset.MSVCRT ref: 00403CD4
memset.MSVCRT ref: 00403CE9
memset.MSVCRT ref: 00403CFE
memset.MSVCRT ref: 00403D13

Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68

Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242

memset.MSVCRT ref: 00403DDA

Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3

Strings

Waterfox, xrefs: 00403D73
Waterfox\Profiles, xrefs: 00403D40, 00403D5B

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
String ID: Waterfox$Waterfox\Profiles
API String ID: 4039892925-11920434
Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA

Uniqueness

Uniqueness Score: -1.00%

Function 00403E2D, Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403E50
memset.MSVCRT ref: 00403E65
memset.MSVCRT ref: 00403E7A
memset.MSVCRT ref: 00403E8F
memset.MSVCRT ref: 00403EA4

Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68

Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242

memset.MSVCRT ref: 00403F6B

Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3

Strings

Mozilla\SeaMonkey, xrefs: 00403F04
Mozilla\SeaMonkey\Profiles, xrefs: 00403ED1, 00403EEC

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
API String ID: 4039892925-2068335096
Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A

Uniqueness

Uniqueness Score: -1.00%

Function 00403FBE, Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403FE1
memset.MSVCRT ref: 00403FF6
memset.MSVCRT ref: 0040400B
memset.MSVCRT ref: 00404020
memset.MSVCRT ref: 00404035

Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68

Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242

memset.MSVCRT ref: 004040FC

Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3

Strings

Mozilla\Firefox\Profiles, xrefs: 00404062, 0040407D
Mozilla\Firefox, xrefs: 00404095

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
API String ID: 4039892925-3369679110
Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A

Uniqueness

Uniqueness Score: -1.00%

Function 00444432, Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 217COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004444E3

Strings

NOCASE, xrefs: 004445A4
no such vfs: %s, xrefs: 0044452B
RTRIM, xrefs: 00444573
BINARY, xrefs: 0044454A, 0044454F, 0044455B, 00444567, 0044458C
main, xrefs: 00444613
temp, xrefs: 00444623

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
API String ID: 3510742995-2641926074
Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99

Uniqueness

Uniqueness Score: -1.00%

Function 004032B4, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A

Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA

memset.MSVCRT ref: 004033B7
memcpy.MSVCRT ref: 004033D0
wcscmp.MSVCRT ref: 004033FC
_wcsicmp.MSVCRT ref: 00403439

Strings

, xrefs: 004032DF
0.@, xrefs: 00403399

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
String ID: $0.@
API String ID: 3030842498-1896041820
Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B

Uniqueness

Uniqueness Score: -1.00%

Function 004449B9, Relevance: 10.6, APIs: 7, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
String ID:
API String ID: 2941347001-0
Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C

Uniqueness

Uniqueness Score: -1.00%

Function 00403BED, Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403C09
memset.MSVCRT ref: 00403C1E

Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68

Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732

wcscat.MSVCRT ref: 00403C47

Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC

wcscat.MSVCRT ref: 00403C70

Strings

Mozilla\Profiles, xrefs: 00403C41
Mozilla\Firefox\Profiles, xrefs: 00403C6A

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
API String ID: 1534475566-1174173950
Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00414C2E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4

SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
memset.MSVCRT ref: 00414C87
RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
wcscpy.MSVCRT ref: 00414CFC

Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 71295984-2036018995
Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE

Uniqueness

Uniqueness Score: -1.00%

Function 0041443E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00414458
_snwprintf.MSVCRT ref: 0041447D
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3

Strings

"%s", xrefs: 0041446C

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58

Uniqueness

Uniqueness Score: -1.00%

Function 00413CA4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloadertimeCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2

Strings

kernel32.dll, xrefs: 00413CB0
GetProcessTimes, xrefs: 00413CBF

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcProcessTimes
String ID: GetProcessTimes$kernel32.dll
API String ID: 1714573020-3385500049
Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99

Uniqueness

Uniqueness Score: -1.00%

Function 0041F1A5, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0041F202
memcmp.MSVCRT ref: 0041F22D
memcmp.MSVCRT ref: 0041F299

Strings

SQLite format 3, xrefs: 0041F220
@ , xrefs: 0041F293

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memcmp
String ID: @ $SQLite format 3
API String ID: 1475443563-3708268960
Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88

Uniqueness

Uniqueness Score: -1.00%

Function 004110DC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004110FD
qsort.MSVCRT ref: 004111A7

Strings

/nosort, xrefs: 0041115D
/sort, xrefs: 004110F8

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: _wcsicmpqsort
String ID: /nosort$/sort
API String ID: 1579243037-1578091866
Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5ED, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E60F
memset.MSVCRT ref: 0040E629

Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

Strings

Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
API String ID: 2887208581-2114579845
Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998

Uniqueness

Uniqueness Score: -1.00%

Function 004148B6, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
SizeofResource.KERNEL32(?,00000000), ref: 004148D4
LoadResource.KERNEL32(?,00000000), ref: 004148E4
LockResource.KERNEL32(00000000), ref: 004148EF

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688

Uniqueness

Uniqueness Score: -1.00%

Function 0044DEF7, Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0044DF01
??3@YAXPAX@Z.MSVCRT ref: 0044DF11
??3@YAXPAX@Z.MSVCRT ref: 0044DF21
??3@YAXPAX@Z.MSVCRT ref: 0044DF31

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D

Uniqueness

Uniqueness Score: -1.00%

Function 0043A9F6, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 979COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043AA3D
memset.MSVCRT ref: 0043AE4A

Strings

only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset
String ID: only a single result allowed for a SELECT that is part of an expression
API String ID: 2221118986-1725073988
Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004175B7, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 004175D0
FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,0045DBC0,00417C24,00000008,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9

Strings

}A, xrefs: 004175B9

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotificationSleep
String ID: }A
API String ID: 1821831730-2138825249
Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524

Uniqueness

Uniqueness Score: -1.00%

Function 0040D092, Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
??2@YAPAXI@Z.MSVCRT ref: 0040D108
??2@YAPAXI@Z.MSVCRT ref: 0040D126

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00444B06, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D

memcmp.MSVCRT ref: 00444BA5

Strings

$, xrefs: 00444B80
8, xrefs: 00444B72

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: AddressProc$memcmp
String ID: $$8
API String ID: 2808797137-435121686
Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69

Uniqueness

Uniqueness Score: -1.00%

Function 00430737, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 94COMMON

Download Yara Rule

Strings

duplicate column name: %s, xrefs: 004307FE
too many columns on %s, xrefs: 00430763

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID:
String ID: duplicate column name: %s$too many columns on %s
API String ID: 0-1445880494
Opcode ID: 2926fa06368f5232b18cfbe9a067055150ad8579ce0375914d7c8593e780dd9c
Instruction ID: 332525b9e829d337f3b342900587a6bcab00951879d739311f42b30c77ca79e1
Opcode Fuzzy Hash: 2926fa06368f5232b18cfbe9a067055150ad8579ce0375914d7c8593e780dd9c
Instruction Fuzzy Hash: 5E314735500705AFCB109F55C891ABEB7B5EF88318F24815BE8969B342C738F841CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040E4B2, Relevance: 4.6, APIs: 3, Instructions: 87fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
Part of subcall function 0040E01E: DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
Part of subcall function 0040E01E: CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
Part of subcall function 0040E01E: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
Part of subcall function 0040E01E: WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
Part of subcall function 0040E01E: CloseHandle.KERNEL32(?), ref: 0040E13E

CloseHandle.KERNEL32(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582

Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC

DeleteFileW.KERNEL32(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA

Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: File$Handle$Close$ProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
String ID:
API String ID: 2722907921-0
Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403A16, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70

memset.MSVCRT ref: 00403A55

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F

Strings

places.sqlite, xrefs: 00403A9E
history.dat, xrefs: 00403A5E

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
String ID: history.dat$places.sqlite
API String ID: 3093078384-467022611
Opcode ID: 7e5fa77ffbd80df454c8f06c208cb8abd3a99e536342b00205f9bee392087e79
Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
Opcode Fuzzy Hash: 7e5fa77ffbd80df454c8f06c208cb8abd3a99e536342b00205f9bee392087e79
Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69

Uniqueness

Uniqueness Score: -1.00%

Function 0040B2F5, Relevance: 4.6, APIs: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 0040B1D1: wcslen.MSVCRT ref: 0040B1DE
Part of subcall function 0040B1D1: ??3@YAXPAX@Z.MSVCRT ref: 0040B201
Part of subcall function 0040B1D1: ??3@YAXPAX@Z.MSVCRT ref: 0040B224
Part of subcall function 0040B1D1: memcpy.MSVCRT ref: 0040B248

memset.MSVCRT ref: 0040B32F
WideCharToMultiByte.KERNEL32(00000000,00000000,0040B432,000000FF,?,00000FFF,00000000,00000000,0040B432,00000000,-00000002,0040B626,00000000), ref: 0040B348

Part of subcall function 0040B0D1: strlen.MSVCRT ref: 0040B0D8
Part of subcall function 0040B0D1: ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
Part of subcall function 0040B0D1: ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
Part of subcall function 0040B0D1: memcpy.MSVCRT ref: 0040B159

??3@YAXPAX@Z.MSVCRT ref: 0040B36F

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??3@$memcpy$ByteCharMultiWidememsetstrlenwcslen
String ID:
API String ID: 1562205978-0
Opcode ID: 134a2a20f227110521b821ab2c1100a9462315ed21c6d5f86104d5526ebf48b7
Instruction ID: b857a4007f161fa5246434627f102fbdc01d58e76d807d6b79cc7eff8a49146b
Opcode Fuzzy Hash: 134a2a20f227110521b821ab2c1100a9462315ed21c6d5f86104d5526ebf48b7
Instruction Fuzzy Hash: 18212771900218BFDB009B98EC44C9A37ACEB46329F10823BFC45A7292D7B8DD549B5D

Uniqueness

Uniqueness Score: -1.00%

Function 004175ED, Relevance: 4.5, APIs: 3, Instructions: 49fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
GetLastError.KERNEL32 ref: 00417627

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ErrorLast$File$PointerRead
String ID:
API String ID: 839530781-0
Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3C1, Relevance: 4.5, APIs: 3, Instructions: 47COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040B3E7

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: aa4d0402c51c5d0a187992cb920f5d60b2687b534395d06311f142e6e57fc3d2
Instruction ID: ab827e58211017b50a374ecff23b92c7d33c5c2594aefa3e9ea54b4f7b6580b8
Opcode Fuzzy Hash: aa4d0402c51c5d0a187992cb920f5d60b2687b534395d06311f142e6e57fc3d2
Instruction Fuzzy Hash: 6A0167B3904308AAFB24D791DD8AB9A73ACDB14714F5100BBA704E21C3EBBC9B45865D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C1D3, Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

Strings

*.*, xrefs: 0040C1FE
index.dat, xrefs: 0040C237

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: *.*$index.dat
API String ID: 1974802433-2863569691
Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A

Uniqueness

Uniqueness Score: -1.00%

Function 004099F4, Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00409A10
memcpy.MSVCRT ref: 00409A28
??3@YAXPAX@Z.MSVCRT ref: 00409A31

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??3@mallocmemcpy
String ID:
API String ID: 3831604043-0
Opcode ID: a85243c3274abcf257bc8a1d0c36c9fb31ec9b9764bc30e3ac6d524e65cdc455
Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
Opcode Fuzzy Hash: a85243c3274abcf257bc8a1d0c36c9fb31ec9b9764bc30e3ac6d524e65cdc455
Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00417570, Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
GetLastError.KERNEL32 ref: 004175A2
GetLastError.KERNEL32 ref: 004175A8

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8

Uniqueness

Uniqueness Score: -1.00%

Function 00437371, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

d, xrefs: 0043752F

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 8b82e4f5ef2bc7d58288eb7d352e73fde76eaac7bad66d9443978647085fe40b
Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
Opcode Fuzzy Hash: 8b82e4f5ef2bc7d58288eb7d352e73fde76eaac7bad66d9443978647085fe40b
Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041EED2, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041EF80

Strings

BINARY, xrefs: 0041EEDE

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset
String ID: BINARY
API String ID: 2221118986-907554435
Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004104FB, Relevance: 3.1, APIs: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0

GetStdHandle.KERNEL32(000000F5), ref: 00410530
FindCloseChangeNotification.KERNELBASE(?), ref: 00410654

Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE

Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
String ID:
API String ID: 1161345128-0
Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59

Uniqueness

Uniqueness Score: -1.00%

Function 0041268E, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004126DB

Strings

/stext, xrefs: 004126D6

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: _wcsicmp
String ID: /stext
API String ID: 2081463915-3817206916
Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC26, Relevance: 3.1, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44

Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8

Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306

Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88

FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98

Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
String ID:
API String ID: 159017214-0
Opcode ID: 0747cffe0d4318b549639fe65d261b33fbf2e1cc55d84b58f56d9b154b80ed33
Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
Opcode Fuzzy Hash: 0747cffe0d4318b549639fe65d261b33fbf2e1cc55d84b58f56d9b154b80ed33
Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00418981, Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041898C
GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: InfoSystemmemset
String ID:
API String ID: 3558857096-0
Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

Uniqueness

Uniqueness Score: -1.00%

Function 004152C7, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 004152D6

Strings

failed to allocate %u bytes of memory, xrefs: 004152F0

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: malloc
String ID: failed to allocate %u bytes of memory
API String ID: 2803490479-1168259600
Opcode ID: 331d9f3b8e40439b36498a1be208f9c7b855b07c1663acfa81ecf9407a5950a4
Instruction ID: 0aa28a7b77b2060330bf56ee6aba3953d7f003d38adef6953018dc3bb0cf108c
Opcode Fuzzy Hash: 331d9f3b8e40439b36498a1be208f9c7b855b07c1663acfa81ecf9407a5950a4
Instruction Fuzzy Hash: 0FE026B7F01A12A3C200561AFD01AC677919FC132572B013BF92CD36C1E638D896C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1AB, Relevance: 3.0, APIs: 2, Instructions: 14COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
??3@YAXPAX@Z.MSVCRT ref: 0040B1B6

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 4a6bf56a3c8e18f25b9487746213253c86c510b1b99403974ad2cc9a69351a87
Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
Opcode Fuzzy Hash: 4a6bf56a3c8e18f25b9487746213253c86c510b1b99403974ad2cc9a69351a87
Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08

Uniqueness

Uniqueness Score: -1.00%

Function 0040B0B5, Relevance: 3.0, APIs: 2, Instructions: 7COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040B0BA
??3@YAXPAX@Z.MSVCRT ref: 0040B0C5

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 536c2047bffc8dd9b34700d623eb618271f55ea3451f57cc7c37cab4f8277461
Instruction ID: 93a37c1a4f050773dc1a5674df64ec50811fc8a39a1cc3e4a9db11821b00e242
Opcode Fuzzy Hash: 536c2047bffc8dd9b34700d623eb618271f55ea3451f57cc7c37cab4f8277461
Instruction Fuzzy Hash: A0B012310281004DEB057BA1B8061142302C64332E3B3413FE000500A3DE5D6034140F

Uniqueness

Uniqueness Score: -1.00%

Function 0041BC3B, Relevance: 2.7, APIs: 2, Instructions: 195COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041BDDF
memcmp.MSVCRT ref: 0041BDF1

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memcmpmemset
String ID:
API String ID: 1065087418-0
Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00418C63, Relevance: 2.6, APIs: 2, Instructions: 132COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00418D55
memset.MSVCRT ref: 00418D6C

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
Opcode Fuzzy Hash: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98

Uniqueness

Uniqueness Score: -1.00%

Function 00403988, Relevance: 1.6, APIs: 1, Instructions: 56timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55

Part of subcall function 0040A02C: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
Part of subcall function 0040A02C: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061

CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: File$Time$CloseCompareCreateHandlememset
String ID:
API String ID: 2154303073-0
Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004135F7, Relevance: 1.5, APIs: 1, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC

Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

GetProcAddress.KERNEL32(?,00000000), ref: 0041362A

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
String ID:
API String ID: 3150196962-0
Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC

Uniqueness

Uniqueness Score: -1.00%

Function 00414561, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588

Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: PrivateProfile$StringWrite_itowmemset
String ID:
API String ID: 4232544981-0
Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59

Uniqueness

Uniqueness Score: -1.00%

Function 00444A54, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54

Uniqueness

Uniqueness Score: -1.00%

Function 00413F27, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F

K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: AddressProc$FileModuleName
String ID:
API String ID: 3859505661-0
Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305

Uniqueness

Uniqueness Score: -1.00%

Function 00413D29, Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2EF, Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040A30E, Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA04, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040AA0B

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 0d059ad067989d1f17bbe0e8521da585270b5c486309d81f35087ee814750848
Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
Opcode Fuzzy Hash: 0d059ad067989d1f17bbe0e8521da585270b5c486309d81f35087ee814750848
Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18

Uniqueness

Uniqueness Score: -1.00%

Function 0040B633, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040B63A

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 708d35572adfbd8c0afef1fefac48864b5998db401338d2add0cc9d49b5fd8aa
Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
Opcode Fuzzy Hash: 708d35572adfbd8c0afef1fefac48864b5998db401338d2add0cc9d49b5fd8aa
Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D

Uniqueness

Uniqueness Score: -1.00%

Function 004096C3, Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524

Uniqueness

Uniqueness Score: -1.00%

Function 004096DC, Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524

Uniqueness

Uniqueness Score: -1.00%

Function 0040B04B, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040B052

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518

Uniqueness

Uniqueness Score: -1.00%

Function 0041493C, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A

Uniqueness

Uniqueness Score: -1.00%

Function 004135E0, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28

Uniqueness

Uniqueness Score: -1.00%

Function 0044DEA5, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00000000), ref: 0044DEB6

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040AEBE, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04

Uniqueness

Uniqueness Score: -1.00%

Function 00414592, Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17

Uniqueness

Uniqueness Score: -1.00%

Function 00409B98, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00

Uniqueness

Uniqueness Score: -1.00%

Function 00415308, Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0041530C

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: f87c29ce762407ddd0adaed4fac3176b7b3a7b6aeb3172bf8294812ce0be7fe2
Instruction ID: 5e082493cfe38c59748d9de5a46a99a47989c0e105afa31b953e1adb18ef7a34
Opcode Fuzzy Hash: f87c29ce762407ddd0adaed4fac3176b7b3a7b6aeb3172bf8294812ce0be7fe2
Instruction Fuzzy Hash: 17900282455501105C0425755C06505110808A313A376074A7032955D1CE188060601D

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE52, Relevance: 1.3, APIs: 1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
Opcode Fuzzy Hash: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA

Uniqueness

Uniqueness Score: -1.00%

Function 00445403, Relevance: 1.3, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00445426

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
String ID:
API String ID: 1828521557-0
Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFCF, Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052

??2@YAPAXI@Z.MSVCRT ref: 0040AFD8

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004044A4, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52libraryloaderwindowCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
FreeLibrary.KERNEL32(00000000), ref: 004044E9
7078DB20.COMCTL32 ref: 004044F7
MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514

Strings

Error, xrefs: 00404509
Error: Cannot load the common control classes., xrefs: 0040450E
comctl32.dll, xrefs: 004044AC
InitCommonControlsEx, xrefs: 004044CF

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: Library$7078AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2661263322-317687271
Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D

Uniqueness

Uniqueness Score: -1.00%

Function 004182CE, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 004182D7

Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE

FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
LocalFree.KERNEL32(?), ref: 00418342
??3@YAXPAX@Z.MSVCRT ref: 00418370

Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74B05970,?,0041755F,?), ref: 00417452
Part of subcall function 00417434: malloc.MSVCRT ref: 00417459

Strings

OsError 0x%x (%u), xrefs: 00418354

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
String ID: OsError 0x%x (%u)
API String ID: 403622227-2664311388
Opcode ID: d5c6fe0526594b2b514a1ddbfaf48a72c8b645ad5f50ee8d851b871b7e219225
Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
Opcode Fuzzy Hash: d5c6fe0526594b2b514a1ddbfaf48a72c8b645ad5f50ee8d851b871b7e219225
Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0041739B, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 004173BE

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A

Uniqueness

Uniqueness Score: -1.00%

Function 00402279, Relevance: 110.5, APIs: 9, Strings: 54, Instructions: 285COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004022A6
_wcsicmp.MSVCRT ref: 004022D7
_wcsicmp.MSVCRT ref: 00402305
_wcsicmp.MSVCRT ref: 00402333

Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B

memset.MSVCRT ref: 0040265F
memcpy.MSVCRT ref: 0040269B

Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498

memcpy.MSVCRT ref: 004026FF
LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775

Strings

=, xrefs: 00402527
y, xrefs: 00402492
com.apple.Safari, xrefs: 00402664
Path, xrefs: 004022CC
b, xrefs: 0040238A
>, xrefs: 00402380
&, xrefs: 004025E7
t, xrefs: 00402647
u, xrefs: 0040242F
~, xrefs: 0040258F
w, xrefs: 004024E6
#, xrefs: 004025EF
z, xrefs: 0040256F
server, xrefs: 00402290
X, xrefs: 0040262F
>, xrefs: 00402371
S, xrefs: 004024E1
a, xrefs: 004024F5
Data, xrefs: 00402328
$, xrefs: 004025B7
0, xrefs: 00402451
}, xrefs: 0040237B
), xrefs: 004025C7
u, xrefs: 0040247E
\, xrefs: 00402517
y, xrefs: 004023CB
^, xrefs: 00402627
@, xrefs: 0040253F
n, xrefs: 004025A7
K, xrefs: 00402402
q, xrefs: 004024C4
t, xrefs: 0040261F
H, xrefs: 0040236C
{, xrefs: 004023EE
t, xrefs: 00402537
A, xrefs: 004023DF
L, xrefs: 0040260F
K, xrefs: 00402547
', xrefs: 0040242A
I, xrefs: 0040243E
Account, xrefs: 004022FA
!, xrefs: 0040252F
F, xrefs: 00402407
n, xrefs: 0040255F
O, xrefs: 004023D5
h, xrefs: 004024CE
`, xrefs: 004024BA
H, xrefs: 00402376
/, xrefs: 004024EB
com.apple.WebKit2WebProcess, xrefs: 0040268C
2, xrefs: 00402597
8, xrefs: 004024B5
&, xrefs: 00402399
g, xrefs: 004023A3

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
API String ID: 2929817778-1134094380
Opcode ID: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
Opcode Fuzzy Hash: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767

Uniqueness

Uniqueness Score: -1.00%

Function 00414002, Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 265COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0041402F
GetDlgItem.USER32(?,000003E8), ref: 0041403B
GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
GetWindowLongW.USER32(?,000000F0), ref: 00414056
GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
GetWindowLongW.USER32(?,000000EC), ref: 0041406B
GetWindowRect.USER32(00000000,?), ref: 0041407D
GetWindowRect.USER32(?,?), ref: 00414088
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
GetDC.USER32 ref: 004140E3
wcslen.MSVCRT ref: 00414123
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
ReleaseDC.USER32(?,?), ref: 00414181
_snwprintf.MSVCRT ref: 00414244
SetWindowTextW.USER32(?,?), ref: 00414258
SetWindowTextW.USER32(?,00000000), ref: 00414276
GetDlgItem.USER32(?,00000001), ref: 004142AC
GetWindowRect.USER32(00000000,?), ref: 004142BC
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
GetClientRect.USER32(?,?), ref: 004142E1
GetWindowRect.USER32(?,?), ref: 004142EB
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
GetClientRect.USER32(?,?), ref: 0041433B
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373

Strings

%s:, xrefs: 00414239
STATIC, xrefs: 004141E3
EDIT, xrefs: 00414219

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
String ID: %s:$EDIT$STATIC
API String ID: 2080319088-3046471546
Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16

Uniqueness

Uniqueness Score: -1.00%

Function 004131DC, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 214windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 00413221
GetDlgItem.USER32(?,000003EA), ref: 00413239
SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
memset.MSVCRT ref: 00413292
memset.MSVCRT ref: 004132B4
memset.MSVCRT ref: 004132CD
memset.MSVCRT ref: 004132E1
memset.MSVCRT ref: 004132FB
memset.MSVCRT ref: 00413310
GetCurrentProcess.KERNEL32 ref: 00413318
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
memset.MSVCRT ref: 004133C0
GetCurrentProcessId.KERNEL32 ref: 004133CE
memcpy.MSVCRT ref: 004133FC
wcscpy.MSVCRT ref: 0041341F
_snwprintf.MSVCRT ref: 0041348E
SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
GetDlgItem.USER32(?,000003EA), ref: 004134B0
SetFocus.USER32(00000000), ref: 004134B7

Strings

Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
{Unknown}, xrefs: 004132A6

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
API String ID: 4111938811-1819279800
Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69

Uniqueness

Uniqueness Score: -1.00%

Function 00401198, Relevance: 39.2, APIs: 26, Instructions: 185COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EC), ref: 004011F0
ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
GetDlgItem.USER32(?,000003EE), ref: 00401238
ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
GetDlgItem.USER32(?,000003EC), ref: 00401273
ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
LoadCursorW.USER32(00000000,00000067), ref: 00401297
SetCursor.USER32(00000000,?,?), ref: 0040129E
GetDlgItem.USER32(?,000003EE), ref: 004012BF
ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
GetDlgItem.USER32(?,000003EC), ref: 004012E6
SetBkMode.GDI32(?,00000001), ref: 004012F2
SetTextColor.GDI32(?,00C00000), ref: 00401300
GetSysColorBrush.USER32(0000000F), ref: 00401308
GetDlgItem.USER32(?,000003EE), ref: 00401329
EndDialog.USER32(?,?), ref: 0040135E
DeleteObject.GDI32(?), ref: 0040136A
GetDlgItem.USER32(?,000003ED), ref: 0040138F
ShowWindow.USER32(00000000), ref: 00401398
GetDlgItem.USER32(?,000003EE), ref: 004013A4
ShowWindow.USER32(00000000), ref: 004013A7
SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
SetWindowTextW.USER32(?,00000000), ref: 004013CA
SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
String ID:
API String ID: 829165378-0
Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19

Uniqueness

Uniqueness Score: -1.00%

Function 0040414F, Relevance: 35.1, APIs: 13, Strings: 7, Instructions: 145COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00404172

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

wcscpy.MSVCRT ref: 004041D6
wcscpy.MSVCRT ref: 004041E7
memset.MSVCRT ref: 00404200
memset.MSVCRT ref: 00404215
_snwprintf.MSVCRT ref: 0040422F
wcscpy.MSVCRT ref: 00404242
memset.MSVCRT ref: 0040426E
memset.MSVCRT ref: 004042CD
memset.MSVCRT ref: 004042E2
_snwprintf.MSVCRT ref: 004042FE
wcscpy.MSVCRT ref: 00404311

Strings

Path, xrefs: 00404326
profiles.ini, xrefs: 0040417D
General, xrefs: 004041E1
IsRelative, xrefs: 00404341
EA, xrefs: 004041B8
Profile%d, xrefs: 0040421B, 004042F0
AE, xrefs: 0040432B, 0040433B, 00404346

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
API String ID: 2454223109-1580313836
Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00411346, Relevance: 31.8, APIs: 13, Strings: 5, Instructions: 263windowregistryclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F

SetMenu.USER32(?,00000000), ref: 00411453
SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
GetModuleHandleW.KERNEL32(00000000), ref: 00411495
LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
memcpy.MSVCRT ref: 004115C8
ShowWindow.USER32(?,?), ref: 004115FE
GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7

Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3

Strings

xE, xrefs: 00411622
/nosaveload, xrefs: 00411585
commdlg_FindReplace, xrefs: 00411675
report.html, xrefs: 0041164A
SysListView32, xrefs: 004114FA

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
API String ID: 4054529287-3175352466
Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0041352F, Relevance: 31.5, APIs: 9, Strings: 9, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7

Strings

NtResumeProcess, xrefs: 004135C7
NtLoadDriver, xrefs: 0041355B
NtUnloadDriver, xrefs: 0041356D
ntdll.dll, xrefs: 0041353D
NtQueryObject, xrefs: 004135A3
NtQuerySystemInformation, xrefs: 0041354E
NtSuspendProcess, xrefs: 004135B5
NtOpenSymbolicLinkObject, xrefs: 0041357F
NtQuerySymbolicLinkObject, xrefs: 00413591

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
API String ID: 667068680-2887671607
Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C

Uniqueness

Uniqueness Score: -1.00%

Function 0041019A, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004101C0
memset.MSVCRT ref: 004101D5
memset.MSVCRT ref: 004101EA
_snwprintf.MSVCRT ref: 00410219
_snwprintf.MSVCRT ref: 00410248
wcscpy.MSVCRT ref: 00410259
_snwprintf.MSVCRT ref: 00410279
memset.MSVCRT ref: 004102B8
_snwprintf.MSVCRT ref: 004102D9
_snwprintf.MSVCRT ref: 00410313

Part of subcall function 00414E4E: _snwprintf.MSVCRT ref: 00414E72

Strings

</font>, xrefs: 00410253
width="%s", xrefs: 004102C8
<th%s>%s%s%s, xrefs: 00410302
<table border="1" cellpadding="5"><tr%s>, xrefs: 00410268
<font color="%s">, xrefs: 00410237
bgcolor="%s", xrefs: 00410208

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66

Uniqueness

Uniqueness Score: -1.00%

Function 0040E2AB, Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1

Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B

??3@YAXPAX@Z.MSVCRT ref: 0040E49A

Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69

memset.MSVCRT ref: 0040E380

Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B

wcschr.MSVCRT ref: 0040E3B8
memcpy.MSVCRT ref: 0040E3EC
memcpy.MSVCRT ref: 0040E407
memcpy.MSVCRT ref: 0040E422
memcpy.MSVCRT ref: 0040E43D

Strings

AccessedTime, xrefs: 0040E343
EntryID, xrefs: 0040E36A
AccessCount, xrefs: 0040E31C
CreationTime, xrefs: 0040E329
, xrefs: 0040E2DD
ExpiryTime, xrefs: 0040E336
Url, xrefs: 0040E35D
ModifiedTime, xrefs: 0040E350

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
API String ID: 3073804840-2252543386
Opcode ID: 096520a674a6bab575df5dbc744d04c4fa5616f7e231fb41ab5d790b95b66fc2
Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
Opcode Fuzzy Hash: 096520a674a6bab575df5dbc744d04c4fa5616f7e231fb41ab5d790b95b66fc2
Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004091B8, Relevance: 25.8, APIs: 16, Strings: 1, Instructions: 272COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004091E2

Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF

memcpy.MSVCRT ref: 004092C9
memcmp.MSVCRT ref: 004092D9
memcpy.MSVCRT ref: 0040930C
memcpy.MSVCRT ref: 00409325
memcmp.MSVCRT ref: 0040933B
memcpy.MSVCRT ref: 00409357
memcpy.MSVCRT ref: 00409370
memcmp.MSVCRT ref: 00409411
memcmp.MSVCRT ref: 00409429
memcpy.MSVCRT ref: 00409462
memcpy.MSVCRT ref: 0040947E
memcpy.MSVCRT ref: 0040949A
memcmp.MSVCRT ref: 004094AC
memcpy.MSVCRT ref: 004094D0
memcpy.MSVCRT ref: 004094E8

Strings

, xrefs: 0040929F

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memcpy$memcmp$ByteCharMultiWidememset
String ID:
API String ID: 3715365532-3916222277
Opcode ID: a80c2ed2cd7725c5ba05b8bc3cd527f2b50e73a4ba521d2eda8c640b4e065994
Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
Opcode Fuzzy Hash: a80c2ed2cd7725c5ba05b8bc3cd527f2b50e73a4ba521d2eda8c640b4e065994
Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

Uniqueness

Uniqueness Score: -1.00%

Function 00408560, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 182stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
??2@YAPAXI@Z.MSVCRT ref: 0040859D

Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306

memset.MSVCRT ref: 004085CF
memset.MSVCRT ref: 004085F1
memset.MSVCRT ref: 00408606
strcmp.MSVCRT ref: 00408645
_mbscpy.MSVCRT ref: 004086DB
_mbscpy.MSVCRT ref: 004086FA
memset.MSVCRT ref: 0040870E
strcmp.MSVCRT ref: 0040876B
??3@YAXPAX@Z.MSVCRT ref: 0040879D
CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6

Strings

---, xrefs: 00408765

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
String ID: ---
API String ID: 3437578500-2854292027
Opcode ID: d919f4b4b9c80681d9d452a18daf2ce47f670527832d52779cca48c80910e95f
Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
Opcode Fuzzy Hash: d919f4b4b9c80681d9d452a18daf2ce47f670527832d52779cca48c80910e95f
Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004125F8, Relevance: 21.1, APIs: 7, Strings: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004125FE
_wcsicmp.MSVCRT ref: 00412613

Strings

/stab, xrefs: 00412638
/sverhtml, xrefs: 0041260E
/skeepass, xrefs: 00412677
/scomma, xrefs: 00412662
/shtml, xrefs: 004125F9
/stabular, xrefs: 0041264D
/sxml, xrefs: 00412623

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: _wcsicmp
String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
API String ID: 2081463915-1959339147
Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E

Uniqueness

Uniqueness Score: -1.00%

Function 00412172, Relevance: 19.7, APIs: 13, Instructions: 189windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004121FF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
ReleaseDC.USER32(00000000,00000000), ref: 0041221F
SetBkMode.GDI32(?,00000001), ref: 00412232
SetTextColor.GDI32(?,00FF0000), ref: 00412240
SelectObject.GDI32(?,?), ref: 00412251
DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
SelectObject.GDI32(00000014,00000005), ref: 00412291

Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F

GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
LoadCursorW.USER32(00000000,00000067), ref: 004122B5
SetCursor.USER32(00000000), ref: 004122BC
PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
memcpy.MSVCRT ref: 0041234D

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
String ID:
API String ID: 1700100422-0
Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004111C1, Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004111E0
GetWindowRect.USER32(?,?), ref: 004111F6
GetWindowRect.USER32(?,?), ref: 0041120C
GetDlgItem.USER32(00000000,0000040D), ref: 00411246
GetWindowRect.USER32(00000000), ref: 0041124D
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
BeginDeferWindowPos.USER32(00000004), ref: 00411281
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
EndDeferWindowPos.USER32(?), ref: 0041130B

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: Window$Defer$Rect$BeginClientItemPoints
String ID:
API String ID: 552707033-0
Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14

Uniqueness

Uniqueness Score: -1.00%

Function 0040C084, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110stringfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4

Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A

GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4

Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024

memcpy.MSVCRT ref: 0040C11B
strchr.MSVCRT ref: 0040C140
strchr.MSVCRT ref: 0040C151
_strlwr.MSVCRT ref: 0040C15F
memset.MSVCRT ref: 0040C17A
CloseHandle.KERNEL32(00000000), ref: 0040C1C7

Strings

h, xrefs: 0040C12C
4, xrefs: 0040C0C8

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
String ID: 4$h
API String ID: 4066021378-1856150674
Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004060A4, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97timewindowCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
KillTimer.USER32(?,00000041), ref: 004060D7
KillTimer.USER32(?,00000041), ref: 004060E8
GetTickCount.KERNEL32 ref: 0040610B
GetParent.USER32(?), ref: 00406136
SendMessageW.USER32(00000000), ref: 0040613D
BeginDeferWindowPos.USER32(00000004), ref: 0040614B
EndDeferWindowPos.USER32(00000000), ref: 0040619B
InvalidateRect.USER32(?,?,00000001), ref: 004061A7

Strings

A, xrefs: 004060F3

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
String ID: A
API String ID: 2892645895-3554254475
Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040D2AB, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 0040D2C1
memset.MSVCRT ref: 0040D2E5
GetMenuItemInfoW.USER32 ref: 0040D320
memset.MSVCRT ref: 0040D34F
wcschr.MSVCRT ref: 0040D35B
wcscat.MSVCRT ref: 0040D3B6
ModifyMenuW.USER32(?,?,00000400,?,?), ref: 0040D3D2

Strings

0, xrefs: 0040D300
6, xrefs: 0040D30B

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
String ID: 0$6
API String ID: 4066108131-3849865405
Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 004082C7, Relevance: 15.2, APIs: 10, Instructions: 229COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004082EF

Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF

memset.MSVCRT ref: 00408362
memset.MSVCRT ref: 00408377

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset$ByteCharMultiWide
String ID:
API String ID: 290601579-0
Opcode ID: c60d666c950e1de6cba0954a24524a9e41ca0abebb320c38a87f7a6f74f5840a
Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
Opcode Fuzzy Hash: c60d666c950e1de6cba0954a24524a9e41ca0abebb320c38a87f7a6f74f5840a
Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E175, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1

memset.MSVCRT ref: 0040E1BD

Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B

??3@YAXPAX@Z.MSVCRT ref: 0040E28B

Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69

Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20

_snwprintf.MSVCRT ref: 0040E257

Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F

Strings

ContainerId, xrefs: 0040E1FC
Name, xrefs: 0040E209
, xrefs: 0040E1D8
Containers, xrefs: 0040E195
Container_%I64d, xrefs: 0040E246

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
String ID: $ContainerId$Container_%I64d$Containers$Name
API String ID: 3883404497-2982631422
Opcode ID: b6600637a152ed979c2f4ee96e02f38a490db88e96d2a506738c93b3ed228158
Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
Opcode Fuzzy Hash: b6600637a152ed979c2f4ee96e02f38a490db88e96d2a506738c93b3ed228158
Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

Uniqueness

Uniqueness Score: -1.00%

Function 0040A45A, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A47B
_snwprintf.MSVCRT ref: 0040A4AE
wcslen.MSVCRT ref: 0040A4BA
memcpy.MSVCRT ref: 0040A4D2
wcslen.MSVCRT ref: 0040A4E0
memcpy.MSVCRT ref: 0040A4F3

Strings

YV@, xrefs: 0040A480, 0040A4D7, 0040A4F8
%s (%s), xrefs: 0040A4A3

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memcpywcslen$_snwprintfmemset
String ID: %s (%s)$YV@
API String ID: 3979103747-598926743
Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9

Uniqueness

Uniqueness Score: -1.00%

Function 0042F5F4, Relevance: 13.8, APIs: 2, Strings: 7, Instructions: 250COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042F6B8
memset.MSVCRT ref: 0042F6F3

Strings

too many attached databases - max %d, xrefs: 0042F64D
attached databases must use the same text encoding as main database, xrefs: 0042F76F
database %s is already in use, xrefs: 0042F6C5
out of memory, xrefs: 0042F865
unable to open database: %s, xrefs: 0042F84E
database is already attached, xrefs: 0042F721
cannot ATTACH database within transaction, xrefs: 0042F663

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memcpymemset
String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
API String ID: 1297977491-2001300268
Opcode ID: 7e4b554c6cf2a7725b65294c40743cfb8927ad1f348c936232134d76ba50cb5c
Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
Opcode Fuzzy Hash: 7e4b554c6cf2a7725b65294c40743cfb8927ad1f348c936232134d76ba50cb5c
Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041851E, Relevance: 13.6, APIs: 9, Instructions: 67sleepfileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
GetLastError.KERNEL32 ref: 0041855C
Sleep.KERNEL32(00000064), ref: 00418571
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
GetFileAttributesA.KERNEL32(00000000), ref: 00418581
GetLastError.KERNEL32 ref: 0041858E
Sleep.KERNEL32(00000064), ref: 004185A3
??3@YAXPAX@Z.MSVCRT ref: 004185AC

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: File$AttributesDeleteErrorLastSleep$??3@
String ID:
API String ID: 3467550082-0
Opcode ID: 56e4a7d77988e94444627618330347d92b7c0f18510b370ca22fa361cd1098af
Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
Opcode Fuzzy Hash: 56e4a7d77988e94444627618330347d92b7c0f18510b370ca22fa361cd1098af
Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E

Uniqueness

Uniqueness Score: -1.00%

Function 0040D134, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
wcscpy.MSVCRT ref: 0040D1B5

Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647

wcslen.MSVCRT ref: 0040D1D3
GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
LoadStringW.USER32(00000000,?,00000FFF), ref: 0040D20C
memcpy.MSVCRT ref: 0040D24C

Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126

Strings

strings, xrefs: 0040D1AB

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
String ID: strings
API String ID: 3166385802-3030018805
Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040541F, Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9

memset.MSVCRT ref: 00405455
memset.MSVCRT ref: 0040546C
memset.MSVCRT ref: 00405483
memcpy.MSVCRT ref: 00405498
memcpy.MSVCRT ref: 004054AD

Strings

6, xrefs: 004054C3
\, xrefs: 004054BB

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset$memcpy$ErrorLast
String ID: 6$\
API String ID: 404372293-1284684873
Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65

Uniqueness

Uniqueness Score: -1.00%

Function 0040A06C, Relevance: 10.6, APIs: 7, Instructions: 63timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
wcscpy.MSVCRT ref: 0040A0D9
wcscat.MSVCRT ref: 0040A0E6
wcscat.MSVCRT ref: 0040A0F5
wcscpy.MSVCRT ref: 0040A107

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: Time$Formatwcscatwcscpy$DateFileSystem
String ID:
API String ID: 1331804452-0
Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A

Uniqueness

Uniqueness Score: -1.00%

Function 00404363, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414

Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

GetProcAddress.KERNEL32(?,00000000), ref: 00404398
GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
GetProcAddress.KERNEL32(?,00000000), ref: 004043E7

Strings

advapi32.dll, xrefs: 0040436D

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
String ID: advapi32.dll
API String ID: 2012295524-4050573280
Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00410030, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410055
memset.MSVCRT ref: 0041006A
_snwprintf.MSVCRT ref: 004100B7

Strings

<%s>, xrefs: 004100A6
<?xml version="1.0" ?>, xrefs: 0041007C
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset$_snwprintf
String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3473751417-2880344631
Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040A178, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A198
_snwprintf.MSVCRT ref: 0040A1BF
wcscat.MSVCRT ref: 0040A1D1
wcscat.MSVCRT ref: 0040A1EE
wcscat.MSVCRT ref: 0040A1FD

Strings

%2.2X, xrefs: 0040A1AE

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: wcscat$_snwprintfmemset
String ID: %2.2X
API String ID: 2521778956-791839006
Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5D6, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040D5FB
wcscpy.MSVCRT ref: 0040D61E

Strings

strings, xrefs: 0040D609
dialog_%d, xrefs: 0040D5EF
general, xrefs: 0040D614
menu_%d, xrefs: 0040D5DF

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: _snwprintfwcscpy
String ID: dialog_%d$general$menu_%d$strings
API String ID: 999028693-502967061
Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3C3, Relevance: 9.1, APIs: 6, Instructions: 109registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6

Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5

Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD

memset.MSVCRT ref: 0040C439
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
_wcsupr.MSVCRT ref: 0040C481

Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F

memset.MSVCRT ref: 0040C4D0
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
String ID:
API String ID: 1973883786-0
Opcode ID: 43de9e52db830488c7ebdb2928a6c49d702693ce72869a855233a6d80c0cc9be
Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
Opcode Fuzzy Hash: 43de9e52db830488c7ebdb2928a6c49d702693ce72869a855233a6d80c0cc9be
Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004185CA, Relevance: 9.1, APIs: 6, Instructions: 78COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004185FC
GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
??3@YAXPAX@Z.MSVCRT ref: 00418650

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??3@AttributesFilememset
String ID:
API String ID: 776155459-0
Opcode ID: 7a9323aad94e24d1be4080513bc7e6f3ed6a266ca59275ba5ce2a6d3a44692dd
Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
Opcode Fuzzy Hash: 7a9323aad94e24d1be4080513bc7e6f3ed6a266ca59275ba5ce2a6d3a44692dd
Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE

Uniqueness

Uniqueness Score: -1.00%

Function 004174F5, Relevance: 9.1, APIs: 6, Instructions: 61COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 004174FC
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
malloc.MSVCRT ref: 00417524
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
??3@YAXPAX@Z.MSVCRT ref: 00417544
??3@YAXPAX@Z.MSVCRT ref: 00417562

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??3@ByteCharMultiWide$ApisFilemalloc
String ID:
API String ID: 2308052813-0
Opcode ID: 726b282c5ce891bd13be6d49280dde48b664c9abca31c80fca4e8053420f6cc1
Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
Opcode Fuzzy Hash: 726b282c5ce891bd13be6d49280dde48b664c9abca31c80fca4e8053420f6cc1
Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD

Uniqueness

Uniqueness Score: -1.00%

Function 00418197, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
??3@YAXPAX@Z.MSVCRT ref: 0041822B

Strings

etilqs_, xrefs: 00418233
%s\etilqs_, xrefs: 00418282

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: PathTemp$??3@
String ID: %s\etilqs_$etilqs_
API String ID: 1589464350-1420421710
Opcode ID: e349944c00f8d49a0493748d5881d0d50fc5388be029f354eaf4c315693a2c66
Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
Opcode Fuzzy Hash: e349944c00f8d49a0493748d5881d0d50fc5388be029f354eaf4c315693a2c66
Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041748F, Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 00417497
WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
malloc.MSVCRT ref: 004174BD
WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
??3@YAXPAX@Z.MSVCRT ref: 004174E4

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$??3@ApisFilemalloc
String ID:
API String ID: 2903831945-0
Opcode ID: 57d3071dd2de7bbc8e1c08973dbf7d9290014f20ee3246d914a41c796bcca670
Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
Opcode Fuzzy Hash: 57d3071dd2de7bbc8e1c08973dbf7d9290014f20ee3246d914a41c796bcca670
Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9

Uniqueness

Uniqueness Score: -1.00%

Function 0040D441, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0040D453
GetWindowRect.USER32(?,?), ref: 0040D460
GetClientRect.USER32(00000000,?), ref: 0040D46B
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00445093, Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
??2@YAPAXI@Z.MSVCRT ref: 004450BE
memset.MSVCRT ref: 004450CD

Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306

??3@YAXPAX@Z.MSVCRT ref: 004450F0

Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D

CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
String ID:
API String ID: 1471605966-0
Opcode ID: fe89481ff80bd84e13eeeeff2698d9b4f5521197f7f9bdc644b3131c241efa7c
Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
Opcode Fuzzy Hash: fe89481ff80bd84e13eeeeff2698d9b4f5521197f7f9bdc644b3131c241efa7c
Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040F508, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040F561
memcpy.MSVCRT ref: 0040F573
memcpy.MSVCRT ref: 0040F5A6

Strings

g4@, xrefs: 0040F583, 0040F520

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memcpy$??3@
String ID: g4@
API String ID: 3314356048-2133833424
Opcode ID: 5ca90841aa7ac27d251937f4286d5c28b71121c56bc89bd43d9446bd4e5208fe
Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
Opcode Fuzzy Hash: 5ca90841aa7ac27d251937f4286d5c28b71121c56bc89bd43d9446bd4e5208fe
Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04

Uniqueness

Uniqueness Score: -1.00%

Function 004100D7, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004100FB
memset.MSVCRT ref: 00410112

Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE

_snwprintf.MSVCRT ref: 00410141

Strings

</%s>, xrefs: 00410130

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memset$_snwprintf_wcslwrwcscpy
String ID: </%s>
API String ID: 3400436232-259020660
Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99

Uniqueness

Uniqueness Score: -1.00%

Function 0040D553, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D58D
SetWindowTextW.USER32(?,?), ref: 0040D5BD
EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD

Strings

caption, xrefs: 0040D5A2

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ChildEnumTextWindowWindowsmemset
String ID: caption
API String ID: 1523050162-4135340389
Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D

Uniqueness

Uniqueness Score: -1.00%

Function 00401137, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47

CreateFontIndirectW.GDI32(?), ref: 00401156
SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193

Strings

MS Sans Serif, xrefs: 00401142

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
String ID: MS Sans Serif
API String ID: 210187428-168460110
Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658

Uniqueness

Uniqueness Score: -1.00%

Function 004055C5, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040560C

Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,00000FFF), ref: 0040D20C
Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C

Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1

Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3

Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269

Strings

*.*, xrefs: 0040564D
wand.dat, xrefs: 00405632
dat, xrefs: 00405611

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
String ID: *.*$dat$wand.dat
API String ID: 2618321458-1828844352
Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89

Uniqueness

Uniqueness Score: -1.00%

Function 00412018, Relevance: 6.1, APIs: 4, Instructions: 99windowkeyboardCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00412057

Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C

SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
GetKeyState.USER32(00000010), ref: 0041210D

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ExecuteMenuMessageSendShellStateStringmemset
String ID:
API String ID: 3550944819-0
Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1D1, Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040B1DE
??3@YAXPAX@Z.MSVCRT ref: 0040B201

Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31

??3@YAXPAX@Z.MSVCRT ref: 0040B224
memcpy.MSVCRT ref: 0040B248

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??3@$memcpy$mallocwcslen
String ID:
API String ID: 3023356884-0
Opcode ID: 265e11fb3b93f6842ac601c308daddd794573f9d2d057257d07b24b118d7ea2e
Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
Opcode Fuzzy Hash: 265e11fb3b93f6842ac601c308daddd794573f9d2d057257d07b24b118d7ea2e
Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040B0D1, Relevance: 6.1, APIs: 4, Instructions: 55stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040B0D8
??3@YAXPAX@Z.MSVCRT ref: 0040B0FB

Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31

??3@YAXPAX@Z.MSVCRT ref: 0040B12C
memcpy.MSVCRT ref: 0040B159

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ??3@$memcpy$mallocstrlen
String ID:
API String ID: 1171893557-0
Opcode ID: d8b96de248f7d7037f9e30158b7ab90977b72bd63dac2b37973b5005ce90d3f5
Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
Opcode Fuzzy Hash: d8b96de248f7d7037f9e30158b7ab90977b72bd63dac2b37973b5005ce90d3f5
Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F

Uniqueness

Uniqueness Score: -1.00%

Function 004144BB, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004144E7

Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
memset.MSVCRT ref: 0041451A
GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
String ID:
API String ID: 1127616056-0
Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00417434, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74B05970,?,0041755F,?), ref: 00417452
malloc.MSVCRT ref: 00417459
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74B05970,?,0041755F,?), ref: 00417478
??3@YAXPAX@Z.MSVCRT ref: 0041747F

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$??3@malloc
String ID:
API String ID: 4284152360-0
Opcode ID: 35e3d96e4e8f16596d993fb63affbe7c511ca80ecd689a4fb8a2c9eba3d4a450
Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
Opcode Fuzzy Hash: 35e3d96e4e8f16596d993fb63affbe7c511ca80ecd689a4fb8a2c9eba3d4a450
Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6

Uniqueness

Uniqueness Score: -1.00%

Function 004123E2, Relevance: 6.0, APIs: 4, Instructions: 47registryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00412403
RegisterClassW.USER32(?), ref: 00412428
GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: HandleModule$ClassCreateRegisterWindow
String ID:
API String ID: 2678498856-0
Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9

Uniqueness

Uniqueness Score: -1.00%

Function 004173E4, Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
malloc.MSVCRT ref: 00417407
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
??3@YAXPAX@Z.MSVCRT ref: 00417425

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$??3@malloc
String ID:
API String ID: 4284152360-0
Opcode ID: a2ae8ec016122b8f6e3efdb0c2476e7f426d1c5b61e32c0c73e3f87cc7c6b3a1
Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
Opcode Fuzzy Hash: a2ae8ec016122b8f6e3efdb0c2476e7f426d1c5b61e32c0c73e3f87cc7c6b3a1
Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5

Uniqueness

Uniqueness Score: -1.00%

Function 0041437B, Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7

SetBkMode.GDI32(?,00000001), ref: 004143A2
SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
SetTextColor.GDI32(?,00C00000), ref: 004143BE
GetStockObject.GDI32(00000000), ref: 004143C6

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
String ID:
API String ID: 764393265-0
Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759

Uniqueness

Uniqueness Score: -1.00%

Function 004134C6, Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004134E0
memcpy.MSVCRT ref: 004134F2
GetModuleHandleW.KERNEL32(00000000), ref: 00413505
DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: memcpy$DialogHandleModuleParam
String ID:
API String ID: 1386444988-0
Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A353, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040A398
memcpy.MSVCRT ref: 0040A3A8

Strings

%2.2X , xrefs: 0040A38D

Memory Dump Source

Source File: 0000000F.00000002.288437970.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.288432662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.288486030.0000000000459000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288492117.000000000045D000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288497713.0000000000473000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288508614.000000000047C000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.288514715.000000000047E000.00000080.00020000.sdmp Download File
Associated: 0000000F.00000002.288519687.000000000047F000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_A.jbxd

Yara matches

Similarity

API ID: _snwprintfmemcpy
String ID: %2.2X
API String ID: 2789212964-323797159
Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: B.exe PID: 2396 Parent PID: 4560 B.exeCOMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.5%
Total number of Nodes:	834
Total number of Limit Nodes:	18

Executed Functions

Function 00408043, Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 143
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004080A5
memset.MSVCRT ref: 004080B9
memset.MSVCRT ref: 004080D3
memset.MSVCRT ref: 004080E8
GetComputerNameA.KERNEL32(?,?), ref: 0040810A
GetUserNameA.ADVAPI32(?,?), ref: 0040811E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040813D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00408152
strlen.MSVCRT ref: 0040815B
strlen.MSVCRT ref: 0040816A
memcpy.MSVCRT ref: 0040817C

Strings

H, xrefs: 0040809B
5, xrefs: 00408087
}, xrefs: 00408097
O, xrefs: 0040808F
b, xrefs: 00408073
}, xrefs: 0040808B
i, xrefs: 0040806B

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
String ID: 5$H$O$b$i$}$}
API String ID: 1832431107-3760989150
Opcode ID: 79ae67408c577b497298e938f7cc844113f9d56d662cffe44a33c18994f8cf05
Instruction ID: 839b780f30062d9b3c48c7c4bb1edbc251b0819f5d773de0f2740150403ea89f
Opcode Fuzzy Hash: 79ae67408c577b497298e938f7cc844113f9d56d662cffe44a33c18994f8cf05
Instruction Fuzzy Hash: D151D771C0025DAEDB11CBA8CC41BEEBBBCEF49314F0441EAE555AA182D3389B45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00407C87, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE(?,?,?,?,0044375D,*.oeaccount,.8D,?,00000104), ref: 00407C9D
FindNextFileA.KERNELBASE(?,?,?,?,0044375D,*.oeaccount,.8D,?,00000104), ref: 00407CBB
strlen.MSVCRT ref: 00407CEB
strlen.MSVCRT ref: 00407CF3

Strings

.8D, xrefs: 00407CD6

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: FileFindstrlen$FirstNext
String ID: .8D
API String ID: 379999529-2881260426
Opcode ID: 154419784104938abdfe7f8196f43bddff311a2641cbca57966d1cc2155f4921
Instruction ID: eb3e2fb57be8f0c3c515892a2c877e6408fe4d7e79a86a2feb9bdace6263c32c
Opcode Fuzzy Hash: 154419784104938abdfe7f8196f43bddff311a2641cbca57966d1cc2155f4921
Instruction Fuzzy Hash: 2F11A072909201AFE3109B38D844AEB73DCEF45325F600A2FF05AE31C1EB38A9409729

Uniqueness

Uniqueness Score: -1.00%

Function 00401E60, Relevance: 52.8, APIs: 19, Strings: 11, Instructions: 261
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00401E82
strlen.MSVCRT ref: 00401E9B
strlen.MSVCRT ref: 00401EA9
strlen.MSVCRT ref: 00401EEF
strlen.MSVCRT ref: 00401EFD
memset.MSVCRT ref: 00401FA8
atoi.MSVCRT ref: 00401FD7
memset.MSVCRT ref: 00401FFA
sprintf.MSVCRT ref: 00402027

Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC

memset.MSVCRT ref: 0040207D
memset.MSVCRT ref: 00402092
strlen.MSVCRT ref: 00402098
strlen.MSVCRT ref: 004020A6
strlen.MSVCRT ref: 004020D9
strlen.MSVCRT ref: 004020E7
memset.MSVCRT ref: 0040200F

Part of subcall function 00406E81: _mbscpy.MSVCRT ref: 00406E89
Part of subcall function 00406E81: _mbscat.MSVCRT ref: 00406E98

_mbscpy.MSVCRT ref: 0040216E
RegCloseKey.ADVAPI32(00000000), ref: 00402178
ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 00402193

Part of subcall function 00406D1F: GetFileAttributesA.KERNELBASE(?,00401EDD,?), ref: 00406D23

Strings

Install Directory, xrefs: 00402034
Thunderbird\Profiles, xrefs: 00401EE4, 00401F12
%programfiles%\Mozilla Thunderbird, xrefs: 0040218E
nss3.dll, xrefs: 004020D4, 004020FC
Software\Qualcomm\Eudora\CommandLine, xrefs: 00401F3B
current, xrefs: 00401F36
Mozilla\Profiles, xrefs: 00401E95, 00401E9A, 00401EC2
sqlite3.dll, xrefs: 00401FCB, 00402097, 004020BC
%s\Main, xrefs: 00402021
Software\Mozilla\Mozilla Thunderbird, xrefs: 00401F7D
Software\Classes\Software\Qualcomm\Eudora\CommandLine\current, xrefs: 00401F61

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
API String ID: 1846531875-4223776976
Opcode ID: 6aa4cd9d89fa12e6f5449d6eef6c1575bbd370b4a07fc5a8c776129ac04f2371
Instruction ID: f32954dd371ee46ce489a3e15048bba03ea5248cf67d2e34683548b394895fb7
Opcode Fuzzy Hash: 6aa4cd9d89fa12e6f5449d6eef6c1575bbd370b4a07fc5a8c776129ac04f2371
Instruction Fuzzy Hash: CA91D772804118AAEB21E7A1CC46FDF77BC9F54315F1400BBF608F2182EB789B858B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC66, Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404A94: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB3
Part of subcall function 00404A94: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404AC5
Part of subcall function 00404A94: FreeLibrary.KERNEL32(00000000), ref: 00404AD9
Part of subcall function 00404A94: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B04

??3@YAXPAX@Z.MSVCRT ref: 0040CEB2
DeleteObject.GDI32(?), ref: 0040CEC8

Strings

Error, xrefs: 0040CD53
/savelangfile, xrefs: 0040CCD8
/deleteregkey, xrefs: 0040CD06
Failed to load the executable file !, xrefs: 0040CD58
, xrefs: 0040CCA0

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
API String ID: 745651260-375988210
Opcode ID: 3ead8dc900f3123aa2ba669505af08cf64fa6c44fe5d0b8ef6125ed5f56e8d9c
Instruction ID: 177dcc30e6d6fe1e6f6b961e060c6fa8e32a60297cdf5fc43279ddd28c1616a1
Opcode Fuzzy Hash: 3ead8dc900f3123aa2ba669505af08cf64fa6c44fe5d0b8ef6125ed5f56e8d9c
Instruction Fuzzy Hash: 3661A075408341DBDB20AFA1DC88A9FB7F8BF85305F00093FF545A21A2DB789904CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00403C03, Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 184
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410166: FreeLibrary.KERNELBASE(?,00403C1D), ref: 00410172

LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C22
GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C37
_mbscpy.MSVCRT ref: 00403E41

Strings

pstorec.dll, xrefs: 00403C1D
www.google.com:443/Please log in to your Google Account, xrefs: 00403C91
Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D5B
Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D28
PStoreCreateInstance, xrefs: 00403C31
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D2F
www.google.com/Please log in to your Google Account, xrefs: 00403C87
Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CC3
www.google.com:443/Please log in to your Gmail account, xrefs: 00403C7D
Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403D91
www.google.com/Please log in to your Gmail account, xrefs: 00403C73
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CE8

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc_mbscpy
String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
API String ID: 1197458902-317895162
Opcode ID: f6bc8121a93fa9ff4bc87b9f29a8f644e5a8c2d28e7501eaeea369390cda5a4c
Instruction ID: 8c3092e028ed30b7bcb0bf0438431f6e947b4810b401e401bf51def59c6c6aaf
Opcode Fuzzy Hash: f6bc8121a93fa9ff4bc87b9f29a8f644e5a8c2d28e7501eaeea369390cda5a4c
Instruction Fuzzy Hash: 5C51A571600615B6E714AF71CD86FEAB76CAF00709F20053FF904B61C2DBBDBA5486A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F478, Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 101
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E6C,?), ref: 0040F4A9
RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E6C,?), ref: 0040F4C3
RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E6C,?), ref: 0040F4EE
RegCloseKey.ADVAPI32(?,?,?,?,?,00403E6C,?), ref: 0040F59F

Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F

memcpy.MSVCRT ref: 0040F55C
memcpy.MSVCRT ref: 0040F571

Part of subcall function 0040F177: RegOpenKeyExA.ADVAPI32(0040F591,Creds,00000000,00020019,0040F591,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040F591,?,?,?,?), ref: 0040F1A1
Part of subcall function 0040F177: memset.MSVCRT ref: 0040F1BF
Part of subcall function 0040F177: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F2C3
Part of subcall function 0040F177: RegCloseKey.ADVAPI32(?), ref: 0040F2D4

LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E6C,?), ref: 0040F595
RegCloseKey.KERNELBASE(?,?,?,?,?,00403E6C,?), ref: 0040F5A9

Strings

Software\Microsoft\IdentityCRL, xrefs: 0040F49F
Value, xrefs: 0040F4DD
%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd, xrefs: 0040F533, 0040F55A
Dynamic Salt, xrefs: 0040F4BA

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
API String ID: 2768085393-1693574875
Opcode ID: 1864ca7fcc736b3b4d801ba3f1c1f05252c21c348af15f97a92f57202a3284fd
Instruction ID: 1e95abdde633212bff99c09de4f86b0a88236e9255236bdff490daf84838ddbe
Opcode Fuzzy Hash: 1864ca7fcc736b3b4d801ba3f1c1f05252c21c348af15f97a92f57202a3284fd
Instruction Fuzzy Hash: 3F316FB2108305BFD710DF51DC80D9BB7ECEB89758F00093AFA84E2151D734D9198BAA

Uniqueness

Uniqueness Score: -1.00%

Function 0044412E, Relevance: 18.1, APIs: 12, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,004454B0,00000070), ref: 00444143
__set_app_type.MSVCRT ref: 0044419C
__p__fmode.MSVCRT ref: 004441B1
__p__commode.MSVCRT ref: 004441BF
__setusermatherr.MSVCRT ref: 004441EB
_initterm.MSVCRT ref: 00444201
__getmainargs.MSVCRT ref: 00444224
_initterm.MSVCRT ref: 00444237
GetStartupInfoA.KERNEL32(?), ref: 00444276
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0044429A
exit.KERNELBASE ref: 004442AD
_cexit.MSVCRT ref: 004442B3

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
String ID:
API String ID: 3662548030-0
Opcode ID: 4b9c7533954e26831581d23f4790c468d578c52e19518a271cf5a88ab33fa073
Instruction ID: fc298a0057bb7b157c7d5bb9a283569fada43ed9a32b195ba4478b44b5386df1
Opcode Fuzzy Hash: 4b9c7533954e26831581d23f4790c468d578c52e19518a271cf5a88ab33fa073
Instruction Fuzzy Hash: 9E419F74D00714DFEB209FA4D8897AE7BB4BB85715F20016BF4519B2A2D7B88C82CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004437D7, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 97
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004437F8

Part of subcall function 0040732D: strlen.MSVCRT ref: 0040732F
Part of subcall function 0040732D: strlen.MSVCRT ref: 0040733A
Part of subcall function 0040732D: _mbscat.MSVCRT ref: 00407351

Part of subcall function 0041072B: memset.MSVCRT ref: 00410780
Part of subcall function 0041072B: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 004107E9
Part of subcall function 0041072B: _mbscpy.MSVCRT ref: 004107F7

memset.MSVCRT ref: 00443866
memset.MSVCRT ref: 00443881

Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC

ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004438BA
strlen.MSVCRT ref: 004438C8
_strcmpi.MSVCRT ref: 004438EE

Strings

\Microsoft\Windows Mail, xrefs: 00443816
Software\Microsoft\Windows Live Mail, xrefs: 00443897
Store Root, xrefs: 00443892
\Microsoft\Windows Live Mail, xrefs: 0044383D

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
API String ID: 832325562-2578778931
Opcode ID: 911bb342f14f3170cb2ff673aa6b7b07c4e29c197a8c78c2517f4db812832f04
Instruction ID: 024f477f45f6e85a7703d2448ebd5bdc30730893e4efb81a5a52e1788c76f972
Opcode Fuzzy Hash: 911bb342f14f3170cb2ff673aa6b7b07c4e29c197a8c78c2517f4db812832f04
Instruction Fuzzy Hash: 723166B2508344AAF320FB99DC47FCB77DC9B88715F14441FF648D7182EA78964487AA

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDD5, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 180
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040EEDC
memset.MSVCRT ref: 0040EEF4

Part of subcall function 00407649: _mbsnbcat.MSVCRT ref: 00407669

RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040EF2A
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040EF57
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F02C

Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5

Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F

memcpy.MSVCRT ref: 0040EFC7
LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040EFD9
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F048

Strings

, xrefs: 0040EF6F

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
String ID:
API String ID: 2012582556-3916222277
Opcode ID: 1aaa39dbd8fb085207e3379016ade5c185f92c0e596cea5d3bc0b7e8a3d19efa
Instruction ID: 747b8e804c7bbb21ad1dd8da88f93546a58f2d2a8080c646c51fe7008e5948b4
Opcode Fuzzy Hash: 1aaa39dbd8fb085207e3379016ade5c185f92c0e596cea5d3bc0b7e8a3d19efa
Instruction Fuzzy Hash: 83811E618087CB9ECB21DBBC8C445DDBF745F17234F0843A9E5B47A2E2D3245A46C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 004037BC, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004037DD
memset.MSVCRT ref: 004037F1

Part of subcall function 00443A35: memset.MSVCRT ref: 00443A57
Part of subcall function 00443A35: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00443AC3

Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE

strchr.MSVCRT ref: 00403860
_mbscpy.MSVCRT ref: 0040387D
strlen.MSVCRT ref: 00403889
sprintf.MSVCRT ref: 004038A9
_mbscpy.MSVCRT ref: 004038BF

Strings

%s@yahoo.com, xrefs: 004038A3

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
String ID: %s@yahoo.com
API String ID: 317221925-3288273942
Opcode ID: c01e396ce511f8afc2eb7639449ba7f1f99c67e08b3586f0ab7a0846487aca4e
Instruction ID: 0355cd0d48ae578dfdfe4a6cbfa0b9af13deca75d91fcedaec1ea3361aee035e
Opcode Fuzzy Hash: c01e396ce511f8afc2eb7639449ba7f1f99c67e08b3586f0ab7a0846487aca4e
Instruction Fuzzy Hash: D0215773D0412C5EEB21EA55DD41BDA77ACDF45308F0000EBB648F6081E6789F588F55

Uniqueness

Uniqueness Score: -1.00%

Function 004034D6, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004034F6
memset.MSVCRT ref: 0040350C

Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC

_mbscpy.MSVCRT ref: 00403547

Part of subcall function 00406AF3: strlen.MSVCRT ref: 00406AF4
Part of subcall function 00406AF3: _mbscat.MSVCRT ref: 00406B0B

_mbscat.MSVCRT ref: 0040355F

Strings

Software\Group Mail, xrefs: 00403522
fb.dat, xrefs: 00403559
InstallPath, xrefs: 0040351D

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _mbscatmemset$Close_mbscpystrlen
String ID: InstallPath$Software\Group Mail$fb.dat
API String ID: 3071782539-966475738
Opcode ID: e35c848a323c92a1d31842152f609aeddade97801a3e26e866ac83a52e1d0630
Instruction ID: 06cca456285af6d778403e239192c4ceeddf5a100a2cf1fec545289e95a886a3
Opcode Fuzzy Hash: e35c848a323c92a1d31842152f609aeddade97801a3e26e866ac83a52e1d0630
Instruction Fuzzy Hash: 6901F07294412866EB20F2658C46FCB7A5C9B65705F0000B7BA49F20C3D9F86BD486A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9F7, Relevance: 9.1, APIs: 6, Instructions: 71
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040CA1E
??2@YAPAXI@Z.MSVCRT ref: 0040CA3C
DeleteObject.GDI32(?), ref: 0040CA7A
memset.MSVCRT ref: 0040CAB6
LoadIconA.USER32(00000065), ref: 0040CAC6
_mbscpy.MSVCRT ref: 0040CAE4

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ??2@$DeleteIconLoadObject_mbscpymemset
String ID:
API String ID: 2054149589-0
Opcode ID: d475ca6c561f5eaf4fc753d3c68d3f995f62fff83656612615d29b2a36e03343
Instruction ID: 30546b7ffc0c4dd123ee27c8339ba671db17b069e44cca125f5e111fbf26b461
Opcode Fuzzy Hash: d475ca6c561f5eaf4fc753d3c68d3f995f62fff83656612615d29b2a36e03343
Instruction Fuzzy Hash: D22190B5900324DBDB10EF648CC97D97BA8AB44705F1445BBEE08EF296D7B849408BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408344, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00408043: memset.MSVCRT ref: 004080A5
Part of subcall function 00408043: memset.MSVCRT ref: 004080B9
Part of subcall function 00408043: memset.MSVCRT ref: 004080D3
Part of subcall function 00408043: memset.MSVCRT ref: 004080E8
Part of subcall function 00408043: GetComputerNameA.KERNEL32(?,?), ref: 0040810A
Part of subcall function 00408043: GetUserNameA.ADVAPI32(?,?), ref: 0040811E
Part of subcall function 00408043: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040813D
Part of subcall function 00408043: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00408152
Part of subcall function 00408043: strlen.MSVCRT ref: 0040815B
Part of subcall function 00408043: strlen.MSVCRT ref: 0040816A
Part of subcall function 00408043: memcpy.MSVCRT ref: 0040817C

Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424

memset.MSVCRT ref: 00408392

Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA

memset.MSVCRT ref: 004083E3
RegCloseKey.ADVAPI32(?,?,?), ref: 00408421
RegCloseKey.ADVAPI32(?), ref: 00408448

Strings

Software\Google\Google Talk\Accounts, xrefs: 00408363

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
String ID: Software\Google\Google Talk\Accounts
API String ID: 2959138223-1079885057
Opcode ID: de50773ad60ad315725188ace9b51b45ce00f3af3b72c9474aab8c158646e734
Instruction ID: c6fde65740424625f6a31d6a262b66ef11e3a8462d59295f471bfbb40e3c967b
Opcode Fuzzy Hash: de50773ad60ad315725188ace9b51b45ce00f3af3b72c9474aab8c158646e734
Instruction Fuzzy Hash: 5E2183B100824AAED610DF51DD42EABB7DCEF94344F00043EFA84911A2F675DD5D9BAB

Uniqueness

Uniqueness Score: -1.00%

Function 0040B783, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_mbsicmp.MSVCRT ref: 0040B7A4
qsort.MSVCRT ref: 0040B84D
SetCursor.USER32(/nosort,?,0040CD7F), ref: 0040B85B

Strings

/sort, xrefs: 0040B79F
/nosort, xrefs: 0040B801

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Cursor_mbsicmpqsort
String ID: /nosort$/sort
API String ID: 882979914-1578091866
Opcode ID: 3fd05ea3d2e473999241c6e710ee6662cc18b56f225bb7025ede358bdfc82e44
Instruction ID: 59731eef90b6f0024c6c95bb6f71fb6a55e53d5caa10bc7ba91746e522f0a21b
Opcode Fuzzy Hash: 3fd05ea3d2e473999241c6e710ee6662cc18b56f225bb7025ede358bdfc82e44
Instruction Fuzzy Hash: AF21C4B1704501EFD719AB75C880AA9F3A8FF88314F21013EF419A7292C738B8118B99

Uniqueness

Uniqueness Score: -1.00%

Function 0041072B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041067E: LoadLibraryA.KERNEL32(shell32.dll,0041073A,00000104), ref: 0041068C
Part of subcall function 0041067E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004106A1

memset.MSVCRT ref: 00410780
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 004107E9
_mbscpy.MSVCRT ref: 004107F7

Part of subcall function 00406E4C: GetVersionExA.KERNEL32(00451168,0000001A,00410749,00000104), ref: 00406E66

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0041079B, 004107AB

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 889583718-2036018995
Opcode ID: 24424f8fb7c37ab6dcf975350972c994308c6069d3110df9dc8122139225ba6f
Instruction ID: 55274f9b0d4144c5a5f6b064647028c43f69cf0431b3c32ec78c32e38a1c383e
Opcode Fuzzy Hash: 24424f8fb7c37ab6dcf975350972c994308c6069d3110df9dc8122139225ba6f
Instruction Fuzzy Hash: 2811D071C00218FBEB24F6948C85EEF77AC9B15304F1400B7F95161192E6B99ED4CA99

Uniqueness

Uniqueness Score: -1.00%

Function 004105DD, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 004105EA
SizeofResource.KERNEL32(?,00000000), ref: 004105FB
LoadResource.KERNEL32(?,00000000), ref: 0041060B
LockResource.KERNEL32(00000000), ref: 00410616

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: aa79f82f4ecfd8f7b628c1d7de4cc48f572b3be46360eaed4676304fbba1ef3c
Instruction ID: 4a68303d5b5253afd20c9a06ef53f1b3f3171458fb19c91adc6236e38678b247
Opcode Fuzzy Hash: aa79f82f4ecfd8f7b628c1d7de4cc48f572b3be46360eaed4676304fbba1ef3c
Instruction Fuzzy Hash: 88019636600315AB8F155F65DC4599F7FAAFFD63917088036F909CA361D7B1C891C68C

Uniqueness

Uniqueness Score: -1.00%

Function 00410344, Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041036C

Part of subcall function 0040735C: sprintf.MSVCRT ref: 00407394
Part of subcall function 0040735C: memcpy.MSVCRT ref: 004073A7

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410390
memset.MSVCRT ref: 004103A7
GetPrivateProfileStringA.KERNEL32(?,?,0044551F,?,00002000,?), ref: 004103C5

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: PrivateProfileStringmemset$Writememcpysprintf
String ID:
API String ID: 3143880245-0
Opcode ID: 300669213aa10e30692949e2fcfbaed099003638c554249b47492bf17e1db58e
Instruction ID: 9d0f41c8c3888dc292d70de46467aaf9ffb36b28435196f73ffda5293cd27e0f
Opcode Fuzzy Hash: 300669213aa10e30692949e2fcfbaed099003638c554249b47492bf17e1db58e
Instruction Fuzzy Hash: B501847280431DBFEF116F60EC89EDB7B79EF04314F1000A6FA08A2052D6759D64DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00408AA5, Relevance: 5.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00408ACD
??2@YAPAXI@Z.MSVCRT ref: 00408AEB
??2@YAPAXI@Z.MSVCRT ref: 00408B09
??2@YAPAXI@Z.MSVCRT ref: 00408B19

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: c9d9b14cbc3cffdefcd651bca10b6be545bbad424ff6817e9a729584ede19952
Instruction ID: 91b6e48186620c166d1d4af44a265f78501a0d7a4e3c1a8b362a1fb29a74aa2a
Opcode Fuzzy Hash: c9d9b14cbc3cffdefcd651bca10b6be545bbad424ff6817e9a729584ede19952
Instruction Fuzzy Hash: 17F0F9B5901300AFE7549B3CED0672676E4E75C356F04983FA30A8A2F2EB79C8448B08

Uniqueness

Uniqueness Score: -1.00%

Function 00406CCE, Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00406CEA
memcpy.MSVCRT ref: 00406D02
??3@YAXPAX@Z.MSVCRT ref: 00406D0B

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ??3@mallocmemcpy
String ID:
API String ID: 3831604043-0
Opcode ID: 6dc2a86f1fe2ee347426ab0121a461cac49b5a84b0ae56981e7af52698dffbe8
Instruction ID: 120c5a36fa875b11696935209168df4f9df621bec9a22d80de65970bbd8b26ad
Opcode Fuzzy Hash: 6dc2a86f1fe2ee347426ab0121a461cac49b5a84b0ae56981e7af52698dffbe8
Instruction Fuzzy Hash: 13F0E9727053225FD708EB75B94184B73DDAF84324712482FF505E7282D7389C60CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00406E26, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 00406D65: memset.MSVCRT ref: 00406D6F
Part of subcall function 00406D65: _mbscpy.MSVCRT ref: 00406DAF

CreateFontIndirectA.GDI32(?), ref: 00406E44

Strings

Arial, xrefs: 00406E30

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: CreateFontIndirect_mbscpymemset
String ID: Arial
API String ID: 3853255127-493054409
Opcode ID: af81b5a79715ac1c537919aec0876ca352f4b846121989fe158db9d7d4b71e29
Instruction ID: b68263c9f29210b4531b01fb65f498acbd183b68a5d206dac463ad1e531dcf8e
Opcode Fuzzy Hash: af81b5a79715ac1c537919aec0876ca352f4b846121989fe158db9d7d4b71e29
Instruction Fuzzy Hash: FFD0C974E4020C67DA10B7A0FC07F49776C5B01705F510421B901B10E2EAA4A15886D9

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB90, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00401E60: memset.MSVCRT ref: 00401E82
Part of subcall function 00401E60: strlen.MSVCRT ref: 00401E9B
Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EA9
Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EEF
Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EFD

_strcmpi.MSVCRT ref: 0040CBE4

Strings

/stext, xrefs: 0040CBDF

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: strlen$_strcmpimemset
String ID: /stext
API String ID: 520177685-3817206916
Opcode ID: 1152ae9ba3ffa0329dd0f68586efa17a4cc19575da3326fd738d138d66e7bba5
Instruction ID: cdbc65eb55c3596dd52c6b91df7f07afa5e13005eab10b9a6f004d04cd94ae5a
Opcode Fuzzy Hash: 1152ae9ba3ffa0329dd0f68586efa17a4cc19575da3326fd738d138d66e7bba5
Instruction Fuzzy Hash: CE216271618111DFD35CEB39D8C1A66B3A9FF04314B15427FF41AA7282C738EC118B89

Uniqueness

Uniqueness Score: -1.00%

Function 0040472F, Relevance: 3.0, APIs: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00404780: FreeLibrary.KERNELBASE(?,?,0040F171,?,00000000), ref: 00404795

LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
GetProcAddress.KERNEL32(00000000,?), ref: 0040474F

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID:
API String ID: 145871493-0
Opcode ID: 19cbb58c83f46949a6f81fbd15abd7b556fa9c3d80d4a4eb7eee3cb29104cd1a
Instruction ID: 2550b76864eeaa7c500838184e9c491a546ed4ce74a868b02878dd57666eb7ef
Opcode Fuzzy Hash: 19cbb58c83f46949a6f81fbd15abd7b556fa9c3d80d4a4eb7eee3cb29104cd1a
Instruction Fuzzy Hash: A5F01BF4600B029FD760AF35E848B9B77E5AF86710F00453EF665E3182D778A545CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004103E0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410407

Part of subcall function 004102F8: memset.MSVCRT ref: 00410316
Part of subcall function 004102F8: _itoa.MSVCRT ref: 0041032D
Part of subcall function 004102F8: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0041033C

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: PrivateProfile$StringWrite_itoamemset
String ID:
API String ID: 4165544737-0
Opcode ID: 0dc81d5659c27ec3f684feb4a7343de4234ed54be118f3a80d7180ba5ee1fafc
Instruction ID: a6fec7de448531cc7e5bdd8bb9ba05dfe42c6da5839e04c605b7484fd2ec2d67
Opcode Fuzzy Hash: 0dc81d5659c27ec3f684feb4a7343de4234ed54be118f3a80d7180ba5ee1fafc
Instruction Fuzzy Hash: 23E0BD3204060EBFCF125F80EC05AAA7BA6FF04354F24886AFD6804121D77299F0AB99

Uniqueness

Uniqueness Score: -1.00%

Function 00404780, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?,0040F171,?,00000000), ref: 00404795

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 0080a8822f3c614f9ebefc2abddcc045fe481ba4110b5f37c1852287057a9d03
Instruction ID: 32a23a6afe1256adb8d295dcdce629e4b632fcbc5e0d618fa027d99050396328
Opcode Fuzzy Hash: 0080a8822f3c614f9ebefc2abddcc045fe481ba4110b5f37c1852287057a9d03
Instruction Fuzzy Hash: D7D012714003118FDB609F14FD4CBA173E8AF41312F1504B8E994AB192C3749840CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00406AB8, Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040ABFF,00000000), ref: 00406ACA

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1ce9c131fa00a6cba9e51da9fc4262f8f7b5bc2fb1b2ae73e770c5136e6a3475
Instruction ID: 174152b0962da7481451d0c07619c80c3ba7c59bd8607505f6d9dddbb6799519
Opcode Fuzzy Hash: 1ce9c131fa00a6cba9e51da9fc4262f8f7b5bc2fb1b2ae73e770c5136e6a3475
Instruction Fuzzy Hash: 08C012F06503007FFF204B10AC0AF37369DD780700F1044207E00E40E1C2A14C40C524

Uniqueness

Uniqueness Score: -1.00%

Function 00410166, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,00403C1D), ref: 00410172

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 2bb0b70da7ab9a9f1d06c574187436387b11b6424b20dab8934fc130d0c11713
Instruction ID: 507e23945262d0460dd2b0da46a8ed0ea94319227dbecdfb5597338915b85de2
Opcode Fuzzy Hash: 2bb0b70da7ab9a9f1d06c574187436387b11b6424b20dab8934fc130d0c11713
Instruction Fuzzy Hash: 6EC04C35510B019BEB219B22D949753B7E4AB05316F40C81CA59695451D7BCE494CE18

Uniqueness

Uniqueness Score: -1.00%

Function 00410663, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

EnumResourceNamesA.KERNEL32(?,?,Function_000105DD,00000000), ref: 00410672

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 11eb8b3ad73b6762afc3db70ccaf6c8089b2cfe60785521265f3d13c2ac885fb
Instruction ID: e40f58546d13f5b106010a29914381b046978f91ca1901c00a2019c551bf0e65
Opcode Fuzzy Hash: 11eb8b3ad73b6762afc3db70ccaf6c8089b2cfe60785521265f3d13c2ac885fb
Instruction Fuzzy Hash: A0C09B31554341A7C701DF108C09F1A7695BB55705F504C297151940A4C7514054DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00407D1F, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,00407C39,?,?,00000000,.8D,0044373A,*.oeaccount,.8D,?,00000104), ref: 00407D29

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: fadcbaaacaeb9138fef9dc8452ad8ac79757f966f14a2d9034369e41b7735666
Instruction ID: e21386352e8edd65572014a1fcaa83e24a75218a268847cd9e3b74dd15e40f0a
Opcode Fuzzy Hash: fadcbaaacaeb9138fef9dc8452ad8ac79757f966f14a2d9034369e41b7735666
Instruction Fuzzy Hash: 50C092349109018FD62C9F38DC5A52A77A0BF5A3343B40F6CA0F3D20F0E778A842CA08

Uniqueness

Uniqueness Score: -1.00%

Function 00410411, Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 21d2125e3753e601ca1b20deba59a5865270c48a78257e55b283f3ccc3de6cc0
Instruction ID: 9e85f5290c785a84adc9a585aa79e4266a03e2402c05001ad2ac5d5d83fda341
Opcode Fuzzy Hash: 21d2125e3753e601ca1b20deba59a5865270c48a78257e55b283f3ccc3de6cc0
Instruction Fuzzy Hash: 40C09B39544301BFDE114F40FD05F09BB61BB84F05F504414B244240B182714414EB57

Uniqueness

Uniqueness Score: -1.00%

Function 00406D1F, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,00401EDD,?), ref: 00406D23

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2ea5a109eb267fb6083926362ae3c8176b926bbef034cd1da8757df3be379db2
Instruction ID: 1a596b20ff26773e60743876e99a20c5f0c5c53ebb8dbfb842e64d2fd6ed3a7e
Opcode Fuzzy Hash: 2ea5a109eb267fb6083926362ae3c8176b926bbef034cd1da8757df3be379db2
Instruction Fuzzy Hash: 76B012792108005FCF1807349C4904D35506F45631760073CF033C00F0D720CC60BA00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004047C6, Relevance: 38.5, APIs: 11, Strings: 11, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00404A6B,?,00404981,?,?,00000000,?,00000000,?), ref: 004047D5
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047E9
GetProcAddress.KERNEL32(0045175C,CryptReleaseContext), ref: 004047F5
GetProcAddress.KERNEL32(0045175C,CryptCreateHash), ref: 00404801
GetProcAddress.KERNEL32(0045175C,CryptGetHashParam), ref: 0040480D
GetProcAddress.KERNEL32(0045175C,CryptHashData), ref: 00404819
GetProcAddress.KERNEL32(0045175C,CryptDestroyHash), ref: 00404825
GetProcAddress.KERNEL32(0045175C,CryptDecrypt), ref: 00404831
GetProcAddress.KERNEL32(0045175C,CryptDeriveKey), ref: 0040483D
GetProcAddress.KERNEL32(0045175C,CryptImportKey), ref: 00404849
GetProcAddress.KERNEL32(0045175C,CryptDestroyKey), ref: 00404855

Strings

CryptReleaseContext, xrefs: 004047EB
CryptDecrypt, xrefs: 00404827
CryptGetHashParam, xrefs: 00404803
CryptAcquireContextA, xrefs: 004047E1
CryptImportKey, xrefs: 0040483F
CryptHashData, xrefs: 0040480F
CryptDestroyKey, xrefs: 0040484B
CryptDeriveKey, xrefs: 00404833
CryptCreateHash, xrefs: 004047F7
CryptDestroyHash, xrefs: 0040481B
advapi32.dll, xrefs: 004047D0

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
API String ID: 2238633743-192783356
Opcode ID: cdc1f63c0c232f946f357b8b2aefe836e2e50651c8dba3e6496bd37ee8642a43
Instruction ID: 96d911507a8a1b00aef88e3b883ab5eac538cf63a3166b36270edd586bbeed94
Opcode Fuzzy Hash: cdc1f63c0c232f946f357b8b2aefe836e2e50651c8dba3e6496bd37ee8642a43
Instruction Fuzzy Hash: A501C974940744AFDB31AF769C09E06BEF1EFA97003224D2EE2C553650D77AA010DE49

Uniqueness

Uniqueness Score: -1.00%

Function 00402DA5, Relevance: 29.9, APIs: 5, Strings: 12, Instructions: 153registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424

Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D

Part of subcall function 0041042B: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402928,?,?,?,?,00402928,?,?), ref: 0041044A

Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B

_mbscpy.MSVCRT ref: 00402EBC
_mbscpy.MSVCRT ref: 00402ECF
_mbscpy.MSVCRT ref: 00402F5C
_mbscpy.MSVCRT ref: 00402F69
RegCloseKey.ADVAPI32(?), ref: 00402FC3

Strings

PopPassword, xrefs: 00402E96
PopLogSecure, xrefs: 00402E7B
SMTPPort, xrefs: 00402F07
PopServer, xrefs: 00402E57
SMTPPassword, xrefs: 00402F36
PopAccount, xrefs: 00402E41
SMTPLogSecure, xrefs: 00402F1B
SMTPAccount, xrefs: 00402EDB
SMTPServer, xrefs: 00402EF1
DisplayName, xrefs: 00402DFE
EmailAddress, xrefs: 00402E2B
PopPort, xrefs: 00402E6A

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _mbscpy$QueryValue$CloseOpen
String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
API String ID: 52435246-1534328989
Opcode ID: 8606da5831358c67b4a99ee8b6ad117f72868ee6eb846870c269daa592ef00d8
Instruction ID: 400a04a5c8efacb9c4641a70875855bf6b7e4888715d32951425251a7c23a99d
Opcode Fuzzy Hash: 8606da5831358c67b4a99ee8b6ad117f72868ee6eb846870c269daa592ef00d8
Instruction Fuzzy Hash: 575130B1900118BBEF11EB51DD41FEE777CAF04754F5080A7BA0CA6192DBB89B858F98

Uniqueness

Uniqueness Score: -1.00%

Function 004033E2, Relevance: 7.6, Strings: 6, Instructions: 61COMMON

Download Yara Rule

Strings

POP3Username, xrefs: 00403470
ESMTPUsername, xrefs: 0040343A
SMTPServer, xrefs: 0040341E
ESMTPPassword, xrefs: 0040344C
POP3Server, xrefs: 0040345E
POP3Password, xrefs: 00403482

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: PrivateProfileString_mbscmpstrlen
String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
API String ID: 3963849919-1658304561
Opcode ID: 2d5d1f6d072cf84e5318d5093311add326f10471678b07e4c74f475588d4acf4
Instruction ID: 1b90a5eb0bf433dfd26fdc49de6d86aad9c02d214cf5b02dd481862667588e5e
Opcode Fuzzy Hash: 2d5d1f6d072cf84e5318d5093311add326f10471678b07e4c74f475588d4acf4
Instruction Fuzzy Hash: EF21F47180151C6EDB51EB11DD82FEE777C9B44705F4004ABBA09B1092DBBC6BC68E59

Uniqueness

Uniqueness Score: -1.00%

Function 004016FC, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

Strings

E, xrefs: 0040171E
E, xrefs: 0040172B
E, xrefs: 0040178D

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ??2@??3@memcpymemset
String ID: E$ E$ E
API String ID: 1865533344-1090515111
Opcode ID: 9da058ee93427dafffafa38840fabb32167184d36f2f077627326be0874b02b0
Instruction ID: 87a0be596659d04b7e64c8373dbe8b7d58709088cb568d7826d55e868489c559
Opcode Fuzzy Hash: 9da058ee93427dafffafa38840fabb32167184d36f2f077627326be0874b02b0
Instruction Fuzzy Hash: 0E115A74900209EFCF119F90C905AAE3BB1AF08312F00806AFC156B2A2C7799911DFAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040C084, Relevance: 1.5, APIs: 1, Instructions: 22clipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00409EE6: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00409EFC

OpenClipboard.USER32(?), ref: 0040C0A3

Part of subcall function 00406C3D: EmptyClipboard.USER32 ref: 00406C45
Part of subcall function 00406C3D: strlen.MSVCRT ref: 00406C52
Part of subcall function 00406C3D: GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040C0BB,?), ref: 00406C61
Part of subcall function 00406C3D: GlobalFix.KERNEL32(00000000), ref: 00406C6E
Part of subcall function 00406C3D: memcpy.MSVCRT ref: 00406C77
Part of subcall function 00406C3D: GlobalUnWire.KERNEL32(00000000), ref: 00406C80
Part of subcall function 00406C3D: SetClipboardData.USER32(00000001,00000000), ref: 00406C89
Part of subcall function 00406C3D: CloseClipboard.USER32 ref: 00406C99

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyMessageOpenSendWirememcpystrlen
String ID:
API String ID: 1720093512-0
Opcode ID: d73fd5444aac2666192e8592cc429c06ee92b9a079e5d162064339f146911550
Instruction ID: a897b5ee525c71a1d49f68bee22fe3fd46fa08075f7fd3a8f51c145daf979587
Opcode Fuzzy Hash: d73fd5444aac2666192e8592cc429c06ee92b9a079e5d162064339f146911550
Instruction Fuzzy Hash: 6FE08631104204E7EB10EBA6CD05A4BB3ACDF00704F10003AB451E3181DA78ED018658

Uniqueness

Uniqueness Score: -1.00%

Function 0044227B, Relevance: 191.1, APIs: 8, Strings: 101, Instructions: 307stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0044269A
_strncoll.MSVCRT ref: 004426AA
memcpy.MSVCRT ref: 00442726
atoi.MSVCRT ref: 00442737
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00442763

Strings

times;, xrefs: 004424E4
Aring;, xrefs: 00442430
Ccedil;, xrefs: 00442444
pound;, xrefs: 004422DC
Eacute;, xrefs: 00442458
sup1;, xrefs: 004423B8
deg;, xrefs: 0044235E
Oacute;, xrefs: 004424BC
divide;, xrefs: 0044262B
ocirc;, xrefs: 00442613
sup2;, xrefs: 00442372
Ograve;, xrefs: 004424B2
brvbar;, xrefs: 004422FA
ordf;, xrefs: 00442322
uml;, xrefs: 0044230E
atilde;, xrefs: 0044255C
uuml;, xrefs: 0044264E
macr;, xrefs: 00442354
ouml;, xrefs: 00442624
ecirc;, xrefs: 004425AF
Igrave;, xrefs: 00442476
Ouml;, xrefs: 004424DA
ordm;, xrefs: 004423C2
Ugrave;, xrefs: 004424F8
iexcl;, xrefs: 004422C8
euml;, xrefs: 004425B9
Egrave;, xrefs: 0044244E
agrave;, xrefs: 0044253E
reg;, xrefs: 0044234A
copy;, xrefs: 00442318
ugrave;, xrefs: 00442639
ETH;, xrefs: 0044249E
Atilde;, xrefs: 0044241C
THORN;, xrefs: 0044252A
laquo;, xrefs: 0044232C
middot;, xrefs: 004423A4
iquest;, xrefs: 004423F4
micro;, xrefs: 00442390
iuml;, xrefs: 004425E1
nbsp;, xrefs: 004422A2
egrave;, xrefs: 0044259B
Oslash;, xrefs: 004424EE
yen;, xrefs: 004422F0
gt;, xrefs: 00442294
Icirc;, xrefs: 0044248A
Ocirc;, xrefs: 004424C6
acute;, xrefs: 00442386
para;, xrefs: 0044239A
quot;, xrefs: 0044229B
apos;, xrefs: 004422A9
Acirc;, xrefs: 00442412
ccedil;, xrefs: 00442591
icirc;, xrefs: 004425D7
aring;, xrefs: 0044257D
thorn;, xrefs: 0044265C
shy;, xrefs: 00442340
Uuml;, xrefs: 00442516
ucirc;, xrefs: 00442647
acirc;, xrefs: 00442552
plusmn;, xrefs: 00442368
curren;, xrefs: 004422E6
ograve;, xrefs: 004425FF
uacute;, xrefs: 00442640
oacute;, xrefs: 00442609
yuml;, xrefs: 00442663
Yacute;, xrefs: 00442520
sup3;, xrefs: 0044237C
AElig;, xrefs: 0044243A
igrave;, xrefs: 004425C3
not;, xrefs: 00442336
oslash;, xrefs: 00442632
Euml;, xrefs: 0044246C
eacute;, xrefs: 004425A5
ntilde;, xrefs: 004425F5
iacute;, xrefs: 004425CD
frac12;, xrefs: 004423E0
eth;, xrefs: 004425EB
Iacute;, xrefs: 00442480
Agrave;, xrefs: 004423FE
cent;, xrefs: 004422D2
Ucirc;, xrefs: 0044250C
frac34;, xrefs: 004423EA
aacute;, xrefs: 00442548
auml;, xrefs: 00442573
cedil;, xrefs: 004423AE
aelig;, xrefs: 00442587
amp;, xrefs: 00442286
Ntilde;, xrefs: 004424A8
szlig;, xrefs: 00442534
otilde;, xrefs: 0044261D
raquo;, xrefs: 004423CC
Auml;, xrefs: 00442426
frac14;, xrefs: 004423D6
Ecirc;, xrefs: 00442462
sect;, xrefs: 00442304
lt;, xrefs: 0044228D
Uacute;, xrefs: 00442502
Otilde;, xrefs: 004424D0
yacute;, xrefs: 00442655
Aacute;, xrefs: 00442408
Iuml;, xrefs: 00442494

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_strncollatoimemcpystrlen
String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
API String ID: 1864335961-3210201812
Opcode ID: 80ec9a29ea78ec2cbe9852ea9064bf10950e9091ede64f5a1b804a11a303e8fe
Instruction ID: 53082eb74af2b51306e1b07bdc149dea26fd0daa9c3b29582cc647e8b6ddbc01
Opcode Fuzzy Hash: 80ec9a29ea78ec2cbe9852ea9064bf10950e9091ede64f5a1b804a11a303e8fe
Instruction Fuzzy Hash: 90F112B080625CDBFB61CF54D9897DEBBB0EB01308F5881CAD4597B251C7B81A89CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0044315E, Relevance: 69.3, APIs: 23, Strings: 23, Instructions: 313stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00443170
strcmp.MSVCRT ref: 004431BC
strcmp.MSVCRT ref: 004431E5
strcmp.MSVCRT ref: 0044320E
strcmp.MSVCRT ref: 00443237
strcmp.MSVCRT ref: 00443260
strcmp.MSVCRT ref: 00443293
strcmp.MSVCRT ref: 004432C6
strcmp.MSVCRT ref: 00443332
strcmp.MSVCRT ref: 00443362
strcmp.MSVCRT ref: 00443392
strcmp.MSVCRT ref: 004433C2
strcmp.MSVCRT ref: 004433EC
strcmp.MSVCRT ref: 00443415
strcmp.MSVCRT ref: 004432F9

Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE

_strcmpi.MSVCRT ref: 00443485
_strcmpi.MSVCRT ref: 00443496
_strcmpi.MSVCRT ref: 004434A7
_strcmpi.MSVCRT ref: 0044345C

Part of subcall function 0040710B: strtoul.MSVCRT ref: 00407113

_strcmpi.MSVCRT ref: 004434D0
_strcmpi.MSVCRT ref: 004434F9
_strcmpi.MSVCRT ref: 0044350A
_strcmpi.MSVCRT ref: 0044351B

Strings

IMAP_Port, xrefs: 00443490
IMAP, xrefs: 00443356
SMTP_Email_Address, xrefs: 0044340F
SMTP_Server, xrefs: 00443231
NNTP, xrefs: 00443386
POP3_Port, xrefs: 004434A1
POP3_Secure_Connection, xrefs: 00443515
IMAP_Server, xrefs: 004431DF
IMAP_User_Name, xrefs: 0044328D
NNTP_Email_Address, xrefs: 004433E6
IMAP_Secure_Connection, xrefs: 00443504
NNTP_Secure_Connection, xrefs: 004434F3
SMTP_User_Name, xrefs: 004432F3
SMTP_Secure_Connection, xrefs: 004434CA
SMTP_Port, xrefs: 00443450
NNTP_Port, xrefs: 0044347F
POP3, xrefs: 00443326
SMTP, xrefs: 004433B6
Account_Name, xrefs: 0044316A
NNTP_Server, xrefs: 00443208
NNTP_User_Name, xrefs: 004432C0
POP3_User_Name, xrefs: 0044325A
POP3_Server, xrefs: 004431B0

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: strcmp$_strcmpi$memcpystrlenstrtoul
String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
API String ID: 1714764973-479759155
Opcode ID: a22eaacac348120a4584acb678e178257747be7cf0bf62b2cbe4dd5676c6cf3b
Instruction ID: 5e0940cb4a553810ccd5eed58eee7b2aa7af7a3cc246567a3fd24b3687d2e464
Opcode Fuzzy Hash: a22eaacac348120a4584acb678e178257747be7cf0bf62b2cbe4dd5676c6cf3b
Instruction Fuzzy Hash: AD9191B260C7049AF628BB329D43B9B33D8AF50719F10043FF95AB61C2EE6DB905465D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E417, Relevance: 68.7, APIs: 25, Strings: 14, Instructions: 449COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E6BB

Part of subcall function 0040690E: memset.MSVCRT ref: 00406930
Part of subcall function 0040690E: strlen.MSVCRT ref: 0040693B
Part of subcall function 0040690E: strlen.MSVCRT ref: 00406949

memset.MSVCRT ref: 0040E70C
memset.MSVCRT ref: 0040E728
MultiByteToWideChar.KERNEL32(00000000,00000000,%@,000000FF,?,00000104,?,?,?,?,?,?,0040EC25,?,00000000), ref: 0040E73F
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040EC25,?), ref: 0040E75E
memset.MSVCRT ref: 0040E7C0
memset.MSVCRT ref: 0040E7D5
_mbscpy.MSVCRT ref: 0040E83A
_mbscpy.MSVCRT ref: 0040E850
_mbscpy.MSVCRT ref: 0040E866
_mbscpy.MSVCRT ref: 0040E87C
_mbscpy.MSVCRT ref: 0040E892
_mbscpy.MSVCRT ref: 0040E8A8
memset.MSVCRT ref: 0040E8C2

Strings

/, xrefs: 0040E68A
imap://%s, xrefs: 0040E9A0
mailbox://%s, xrefs: 0040E98B
$, xrefs: 0040E6A6
,, xrefs: 0040E68E
+, xrefs: 0040E6A2
8, xrefs: 0040E6AE
", xrefs: 0040E69A
:, xrefs: 0040E692
smtp://%s, xrefs: 0040E9B5
, xrefs: 0040E69E
%@, xrefs: 0040E73A
$, xrefs: 0040E6AA
e, xrefs: 0040E686

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset$_mbscpy$ByteCharMultiWidestrlen
String ID: $"$$$$$%@$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
API String ID: 3137614212-1813914204
Opcode ID: 69a064d0c74a5f80a32c9514a74247ccae5cfcd5772a3df6081ef2e910daae95
Instruction ID: 60cbd65c12865ccb94f157c96bc1922d811664869268201cbad442dfa9876f55
Opcode Fuzzy Hash: 69a064d0c74a5f80a32c9514a74247ccae5cfcd5772a3df6081ef2e910daae95
Instruction Fuzzy Hash: A9228E218087DA9DDB31D6BC9C456CDBF646B16234F0803DAF1E8BB2D2D7344A46CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA89, Relevance: 61.5, APIs: 21, Strings: 14, Instructions: 232stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040DAAE
strlen.MSVCRT ref: 0040DAB9
_strncoll.MSVCRT ref: 0040DAC6
_strcmpi.MSVCRT ref: 0040DB03
_strcmpi.MSVCRT ref: 0040DB25
strlen.MSVCRT ref: 0040DB45
_strncoll.MSVCRT ref: 0040DB52
_strcmpi.MSVCRT ref: 0040DB9B
_strcmpi.MSVCRT ref: 0040DBBD
_strcmpi.MSVCRT ref: 0040DBDF
_strcmpi.MSVCRT ref: 0040DC01
atoi.MSVCRT ref: 0040DC0F

Part of subcall function 0040DA02: memset.MSVCRT ref: 0040DA38
Part of subcall function 0040DA02: memcpy.MSVCRT ref: 0040DA5A
Part of subcall function 0040DA02: atoi.MSVCRT ref: 0040DA6E

_strcmpi.MSVCRT ref: 0040DC23
_strcmpi.MSVCRT ref: 0040DC36
strlen.MSVCRT ref: 0040DC51
_strncoll.MSVCRT ref: 0040DC5E
_strcmpi.MSVCRT ref: 0040DCA3
_strcmpi.MSVCRT ref: 0040DCC5
_strcmpi.MSVCRT ref: 0040DCE4
strlen.MSVCRT ref: 0040DCFF
strlen.MSVCRT ref: 0040DD09

Strings

signon.signonfilename, xrefs: 0040DCDC
true, xrefs: 0040DC2E
mail.account.account, xrefs: 0040DAB3, 0040DAB8, 0040DAC1
port, xrefs: 0040DBF9
username, xrefs: 0040DB91
fullname, xrefs: 0040DCBD
type, xrefs: 0040DBB5
mail.server, xrefs: 0040DB3F, 0040DB44, 0040DB4D
identities, xrefs: 0040DB1D
hostname, xrefs: 0040DBD7
mail.identity, xrefs: 0040DC4B, 0040DC50, 0040DC59
useremail, xrefs: 0040DC99
useSecAuth, xrefs: 0040DC1B
server, xrefs: 0040DAF9

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _strcmpi$strlen$_strncoll$atoimemset$memcpy
String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$port$server$signon.signonfilename$true$type$useSecAuth$useremail$username
API String ID: 594115653-593045482
Opcode ID: 02ac693aacd5f103a4b76259fedb339b3b15ca4c55630f2bd5c8a753d7842cac
Instruction ID: 1e907043fac54bf2e371806c1eb24ba38ca233ac5dd260cadef0f6990961d541
Opcode Fuzzy Hash: 02ac693aacd5f103a4b76259fedb339b3b15ca4c55630f2bd5c8a753d7842cac
Instruction Fuzzy Hash: 3C71D832804204AEFF14ABA1DD02B9E77B5DF91329F21406FF545B21C1EB7D9A18D64C

Uniqueness

Uniqueness Score: -1.00%

Function 0040E070, Relevance: 54.5, APIs: 20, Strings: 11, Instructions: 279COMMON

Download Yara Rule

APIs

Part of subcall function 0040690E: memset.MSVCRT ref: 00406930
Part of subcall function 0040690E: strlen.MSVCRT ref: 0040693B
Part of subcall function 0040690E: strlen.MSVCRT ref: 00406949

Part of subcall function 004086A5: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,0040EC43,?,00000000,?,?,?,?,?,?), ref: 004086C3
Part of subcall function 004086A5: CloseHandle.KERNEL32(?,?), ref: 0040870D

Part of subcall function 00408763: _mbsicmp.MSVCRT ref: 0040879D

memset.MSVCRT ref: 0040E123
memset.MSVCRT ref: 0040E138
_mbscpy.MSVCRT ref: 0040E19F
_mbscpy.MSVCRT ref: 0040E1B5
_mbscpy.MSVCRT ref: 0040E1CB
_mbscpy.MSVCRT ref: 0040E1E1
_mbscpy.MSVCRT ref: 0040E1F7
_mbscpy.MSVCRT ref: 0040E20A
memset.MSVCRT ref: 0040E225
memset.MSVCRT ref: 0040E23C

Part of subcall function 00406582: memset.MSVCRT ref: 004065A3
Part of subcall function 00406582: memcmp.MSVCRT ref: 004065CD

memset.MSVCRT ref: 0040E29D
memset.MSVCRT ref: 0040E2B4
memset.MSVCRT ref: 0040E2CB
sprintf.MSVCRT ref: 0040E2E6
sprintf.MSVCRT ref: 0040E2FB
sprintf.MSVCRT ref: 0040E310
_strcmpi.MSVCRT ref: 0040E326
_strcmpi.MSVCRT ref: 0040E33F
_strcmpi.MSVCRT ref: 0040E358
_strcmpi.MSVCRT ref: 0040E374

Strings

C@, xrefs: 0040E0A9
httpRealm, xrefs: 0040E181
passwordField, xrefs: 0040E174
smtp://%s, xrefs: 0040E30A
hostname, xrefs: 0040E140
usernameField, xrefs: 0040E167
encryptedUsername, xrefs: 0040E14D
imap://%s, xrefs: 0040E2F5
mailbox://%s, xrefs: 0040E2E0
logins, xrefs: 0040E0BD
encryptedPassword, xrefs: 0040E15A

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
String ID: C@$encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
API String ID: 4171719235-3249434271
Opcode ID: b0d5c0670ed8c74d0c8e3b60901706fc2ec35adaa3e3620046f1bbd10783a5e2
Instruction ID: 4eb083177fa9c3dcba641838e0e399a852ec85db15ddf69852980c8670b79128
Opcode Fuzzy Hash: b0d5c0670ed8c74d0c8e3b60901706fc2ec35adaa3e3620046f1bbd10783a5e2
Instruction Fuzzy Hash: EFA16672D04219AEDF10EBA1DC41ADE77BCAF44304F1044BFF645B7181DA38AA988F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD76, Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 264stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0040FDA3
GetDlgItem.USER32(?,000003E8), ref: 0040FDAF
GetWindowLongA.USER32(00000000,000000F0), ref: 0040FDBE
GetWindowLongA.USER32(?,000000F0), ref: 0040FDCA
GetWindowLongA.USER32(00000000,000000EC), ref: 0040FDD3
GetWindowLongA.USER32(?,000000EC), ref: 0040FDDF
GetWindowRect.USER32(00000000,?), ref: 0040FDF1
GetWindowRect.USER32(?,?), ref: 0040FDFC
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040FE10
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040FE1E
73BBAC50.USER32(?,?,?), ref: 0040FE57
strlen.MSVCRT ref: 0040FE97
GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 0040FEA8
sprintf.MSVCRT ref: 0040FFB5
SetWindowTextA.USER32(?,?), ref: 0040FFC9
SetWindowTextA.USER32(?,00000000), ref: 0040FFE7
GetDlgItem.USER32(?,00000001), ref: 0041001D
GetWindowRect.USER32(00000000,?), ref: 0041002D
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041003B
GetClientRect.USER32(?,?), ref: 00410052
GetWindowRect.USER32(?,?), ref: 0041005C
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 004100A2
GetClientRect.USER32(?,?), ref: 004100AC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 004100E4

Strings

EDIT, xrefs: 0040FF90
%s:, xrefs: 0040FFAF
STATIC, xrefs: 0040FF59

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32sprintfstrlen
String ID: %s:$EDIT$STATIC
API String ID: 2594924168-3046471546
Opcode ID: 8a60e0ba97f171743a829e93ce0ff1a0e7cc565a63bc43af7584db32dade8b22
Instruction ID: 60093129ffb9b10d71bc98ba01756b195f92c815bd96d79b3314cc8c80e42073
Opcode Fuzzy Hash: 8a60e0ba97f171743a829e93ce0ff1a0e7cc565a63bc43af7584db32dade8b22
Instruction Fuzzy Hash: 62B1DE71108741AFDB20DF68C985E6BBBE9FF88704F00492EF69992261DB75E804CF56

Uniqueness

Uniqueness Score: -1.00%

Function 0040243C, Relevance: 45.6, APIs: 3, Strings: 23, Instructions: 132COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004024E7

Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D

_mbscpy.MSVCRT ref: 00402525
_mbscpy.MSVCRT ref: 004025EF

Strings

SMTP USer Name, xrefs: 0040245F
SMTP Email Address, xrefs: 0040256F
SMTP Port, xrefs: 004024B3
IMAP, xrefs: 00402489
IMAP Server, xrefs: 0040246D
IMAP Port, xrefs: 004024A5
HTTPMail Secure Connection, xrefs: 004024C8
HTTPMail Server, xrefs: 00402474
IMAP Secure Connection, xrefs: 004024C1
SMTP Display Name, xrefs: 0040255A
POP3 Secure Connection, xrefs: 004024BA
POP3 Server, xrefs: 00402466
HTTPMail, xrefs: 00402490
SMTP Server, xrefs: 0040247B, 0040258C
IMAP User Name, xrefs: 00402451
POP3 Port, xrefs: 0040249E
SMTP Secure Connection, xrefs: 004024CF
HTTPMail User Name, xrefs: 00402458
POP3, xrefs: 00402482
Password2, xrefs: 004025C5
POP3 User Name, xrefs: 0040244A
SMTP, xrefs: 00402497
HTTPMail Port, xrefs: 004024AC

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _mbscpy$QueryValuememset
String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
API String ID: 168965057-606283353
Opcode ID: d04dcaea7970b63fee6828c7dcfe30098fc49b177350675b76886810d8c329c2
Instruction ID: 01ace8319ffdb9fe87aab8cc910760b0be55d28e69d7af66dfccc1b3ad16f9ad
Opcode Fuzzy Hash: d04dcaea7970b63fee6828c7dcfe30098fc49b177350675b76886810d8c329c2
Instruction Fuzzy Hash: 815163B540161CEBEF20DF91DC85ADD7BACAF04318F50846BFA08A6142D7BD9584CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004027B0, Relevance: 45.6, APIs: 3, Strings: 23, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040285B

Part of subcall function 00402994: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029C5

_mbscpy.MSVCRT ref: 00402895

Part of subcall function 00402994: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004029F3

_mbscpy.MSVCRT ref: 0040296D

Part of subcall function 0041042B: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402928,?,?,?,?,00402928,?,?), ref: 0041044A

Strings

Display Name, xrefs: 004028C6
Password, xrefs: 00402944
SMTP Port, xrefs: 00402827, 00402908
HTTP Port, xrefs: 00402820
IMAP, xrefs: 004027C5
IMAP Server, xrefs: 004027E1
POP3 User, xrefs: 004027F6
IMAP Port, xrefs: 00402819
HTTPMail Use SSL, xrefs: 0040283C
SMTP Use SSL, xrefs: 00402843
Email, xrefs: 004028D9
POP3 Server, xrefs: 004027DA
IMAP User, xrefs: 004027FD
SMTP Server, xrefs: 004027EF, 004028F1
SMTP User, xrefs: 0040280B
POP3 Port, xrefs: 00402812
HTTP User, xrefs: 00402804
POP3, xrefs: 004027BE
HTTP, xrefs: 004027CC
HTTP Server URL, xrefs: 004027E8
POP3 Use SPA, xrefs: 0040282E
SMTP, xrefs: 004027D3
IMAP Use SPA, xrefs: 00402835

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: QueryValue_mbscpy$ByteCharMultiWidememset
String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
API String ID: 1497257669-167382505
Opcode ID: fb3ed3ae92ef97c750fd38775156bd4655232a824b152189a5320ea8a9642570
Instruction ID: 24fe9e335227be75b4da69fc4be99485a809f42695e36ab36f90f83f1315ab2f
Opcode Fuzzy Hash: fb3ed3ae92ef97c750fd38775156bd4655232a824b152189a5320ea8a9642570
Instruction Fuzzy Hash: 22514DB150060C9BEF25EF61DC85ADD7BA8FF04308F50802BF924661A2DBB99958CF48

Uniqueness

Uniqueness Score: -1.00%

Function 0040F5B8, Relevance: 44.0, APIs: 22, Strings: 3, Instructions: 220windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 0040F600
GetDlgItem.USER32(?,000003EA), ref: 0040F618
SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040F637
SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040F644
SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040F64D
memset.MSVCRT ref: 0040F675
memset.MSVCRT ref: 0040F695
memset.MSVCRT ref: 0040F6B3
memset.MSVCRT ref: 0040F6CC
memset.MSVCRT ref: 0040F6EA
memset.MSVCRT ref: 0040F703
GetCurrentProcess.KERNEL32 ref: 0040F70B
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040F730
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040F766
memset.MSVCRT ref: 0040F7BD
GetCurrentProcessId.KERNEL32 ref: 0040F7CB
memcpy.MSVCRT ref: 0040F7FA
_mbscpy.MSVCRT ref: 0040F81C
sprintf.MSVCRT ref: 0040F887
SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040F8A0
GetDlgItem.USER32(?,000003EA), ref: 0040F8AA
SetFocus.USER32(00000000), ref: 0040F8B1

Strings

Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040F881
{Unknown}, xrefs: 0040F67A
u, xrefs: 0040F8B1

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s$u${Unknown}
API String ID: 1428123949-2294669797
Opcode ID: b9341adbc2cd016ad37feae7563ea95aa4c33f034ac246c3141dbd5b744c5ef9
Instruction ID: eaf6f4841f79e9ca67ab0c8a61f7093b44a411cbafad24e33deb6097971d8b5c
Opcode Fuzzy Hash: b9341adbc2cd016ad37feae7563ea95aa4c33f034ac246c3141dbd5b744c5ef9
Instruction Fuzzy Hash: 4271B576404344BFEB31ABA0DC41EDB7B9CFB94345F00443AF644A25A1DB399D18CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00401060, Relevance: 39.2, APIs: 26, Instructions: 186COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EC), ref: 004010BC
ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
GetDlgItem.USER32(?,000003EE), ref: 00401103
ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
GetDlgItem.USER32(?,000003EC), ref: 0040113E
ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
LoadCursorA.USER32(00000067), ref: 0040115F
SetCursor.USER32(00000000,?,?), ref: 00401166
GetDlgItem.USER32(?,000003EE), ref: 00401186
ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
GetDlgItem.USER32(?,000003EC), ref: 004011AD
SetBkMode.GDI32(?,00000001), ref: 004011B9
SetTextColor.GDI32(?,00C00000), ref: 004011C7
GetSysColorBrush.USER32(0000000F), ref: 004011CF
GetDlgItem.USER32(?,000003EE), ref: 004011EF
EndDialog.USER32(?,00000001), ref: 0040121A
DeleteObject.GDI32(?), ref: 00401226
GetDlgItem.USER32(?,000003ED), ref: 0040124A
ShowWindow.USER32(00000000), ref: 00401253
GetDlgItem.USER32(?,000003EE), ref: 0040125F
ShowWindow.USER32(00000000), ref: 00401262
SetDlgItemTextA.USER32(?,000003EE,00451398), ref: 00401273
memset.MSVCRT ref: 0040128E
SetWindowTextA.USER32(?,00000000), ref: 004012AA
SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
String ID:
API String ID: 2998058495-0
Opcode ID: 0f9c4242ba45eb06dd3dfa1dd6db45fade88f32ef90b46f4d12f3d9a9e08a6d1
Instruction ID: cf74e5707885198988a29297af0a26d915b41f86d4ff93bb74c60bb1bb3fb963
Opcode Fuzzy Hash: 0f9c4242ba45eb06dd3dfa1dd6db45fade88f32ef90b46f4d12f3d9a9e08a6d1
Instruction Fuzzy Hash: 04618B35800208EBDF12AFA0DD85BAE7FA5BB04305F1481B6F904BA2F2C7B59950DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B94B, Relevance: 38.8, APIs: 17, Strings: 5, Instructions: 300windowregistrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00408DE1: LoadMenuA.USER32(00000000), ref: 00408DE9
Part of subcall function 00408DE1: sprintf.MSVCRT ref: 00408E0C

SetMenu.USER32(?,00000000), ref: 0040BA7E
SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BAB1
LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BAC7
CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BB27
LoadIconA.USER32(00000066,00000000), ref: 0040BB96
_strcmpi.MSVCRT ref: 0040BBEE
RegDeleteKeyA.ADVAPI32(80000001,0044551F), ref: 0040BC03
SetFocus.USER32(?), ref: 0040BC29
GetFileAttributesA.KERNEL32(004518C0), ref: 0040BC42
GetTempPathA.KERNEL32(00000104,004518C0), ref: 0040BC52
strlen.MSVCRT ref: 0040BC59
strlen.MSVCRT ref: 0040BC67
RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BCC3

Part of subcall function 00404B82: strlen.MSVCRT ref: 00404B9F
Part of subcall function 00404B82: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404BC3

SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BD0E
SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BD21
memset.MSVCRT ref: 0040BD36
SetWindowTextA.USER32(?,?), ref: 0040BD5A

Strings

SysListView32, xrefs: 0040BB21
report.html, xrefs: 0040BC60, 0040BC78
commdlg_FindReplace, xrefs: 0040BCBE
/noloadsettings, xrefs: 0040BBE8
u, xrefs: 0040BC29

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html$u
API String ID: 2303586283-3958168634
Opcode ID: bc2ea265da4b9d7fbf42eb82516b20c9e5d99f5c25abf20ff2f7a7fba55c6b61
Instruction ID: a3034197930a53117d85b49231bdaaa03d04473d70278c5121b5a691f959c143
Opcode Fuzzy Hash: bc2ea265da4b9d7fbf42eb82516b20c9e5d99f5c25abf20ff2f7a7fba55c6b61
Instruction Fuzzy Hash: 13C1E0B1644788FFEB16DF64CC45BDABBA5FF14304F00016AFA44AB292C7B59904CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004109F8, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 101COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410A19
memset.MSVCRT ref: 00410A2D
_mbscpy.MSVCRT ref: 00410A5A
sprintf.MSVCRT ref: 00410A75
_mbscat.MSVCRT ref: 00410A82
sprintf.MSVCRT ref: 00410AAC
_mbscat.MSVCRT ref: 00410AB9
_mbscat.MSVCRT ref: 00410AC7
_mbscat.MSVCRT ref: 00410AD9
_mbscat.MSVCRT ref: 00410AE4
_mbscat.MSVCRT ref: 00410AF6
_mbscat.MSVCRT ref: 00410B08

Strings

<b>, xrefs: 00410AD3
<font, xrefs: 00410A54
color="#%s", xrefs: 00410AA6
size="%d", xrefs: 00410A6F
</b>, xrefs: 00410AF0
</font>, xrefs: 00410B02

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _mbscat$memsetsprintf$_mbscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 633282248-1996832678
Opcode ID: d48ae4295fbb277336b7674ab4026529653ef1736987acc8de4e4bffa9c8da66
Instruction ID: 7c6bf41bc1280a1bc88d4c6d4cc59bc6a86d5934fc3475aca932ea250c86fdc0
Opcode Fuzzy Hash: d48ae4295fbb277336b7674ab4026529653ef1736987acc8de4e4bffa9c8da66
Instruction Fuzzy Hash: 5E31E7B2805324BEFB14EA54DD42EDEB76CAF11354F20415FF214A2182DBBC9ED48A9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6AF, Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 182COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A6CF
memset.MSVCRT ref: 0040A6F2
memset.MSVCRT ref: 0040A708
memset.MSVCRT ref: 0040A718
sprintf.MSVCRT ref: 0040A74C
_mbscpy.MSVCRT ref: 0040A793
sprintf.MSVCRT ref: 0040A81A
_mbscat.MSVCRT ref: 0040A849

Part of subcall function 00410943: sprintf.MSVCRT ref: 00410962

_mbscpy.MSVCRT ref: 0040A82E
sprintf.MSVCRT ref: 0040A87D

Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB

Strings

</table><p>, xrefs: 0040A89F
nowrap, xrefs: 0040A78D
<table border="1" cellpadding="5">, xrefs: 0040A754
bgcolor="%s", xrefs: 0040A746
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 0040A6D7
 , xrefs: 0040A843
<font color="%s">%s</font>, xrefs: 0040A812

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 710961058-601624466
Opcode ID: 6b5a2a585f50ca3eac413cecb2812d02d42192bb924b4e36303969acff340374
Instruction ID: 74eb9a4e80b6148bc8e6745fd37c56fddd23ac0c0a2d0b32ddfd32f18a43723b
Opcode Fuzzy Hash: 6b5a2a585f50ca3eac413cecb2812d02d42192bb924b4e36303969acff340374
Instruction Fuzzy Hash: BC61B232900214AFEF14EF64CC81EDE7B79EF05314F10419AF905AB1D2DB749A55CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00410B15, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 114COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410B36
memset.MSVCRT ref: 00410B4A
memset.MSVCRT ref: 00410B5E
sprintf.MSVCRT ref: 00410B88
sprintf.MSVCRT ref: 00410BB2
_mbscpy.MSVCRT ref: 00410BC3
sprintf.MSVCRT ref: 00410BDE
memset.MSVCRT ref: 00410C19
sprintf.MSVCRT ref: 00410C34
sprintf.MSVCRT ref: 00410C68

Part of subcall function 00410943: sprintf.MSVCRT ref: 00410962

Strings

<font color="%s">, xrefs: 00410BAC
bgcolor="%s", xrefs: 00410B82
<table border="1" cellpadding="5"><tr%s>, xrefs: 00410BD8
width="%s", xrefs: 00410C2E
<th%s>%s%s%s, xrefs: 00410C62
</font>, xrefs: 00410BBD

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: sprintf$memset$_mbscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 3402215030-3842416460
Opcode ID: 17ed6d14846e4c5c10a4de3d65ab3a3dc687bb0adce687871bc2f7fa502a4f2e
Instruction ID: 369df5ceca9bdb9f61db2c44a96b4e719fee50907ea6fa1c749cf0cc9e3d70a7
Opcode Fuzzy Hash: 17ed6d14846e4c5c10a4de3d65ab3a3dc687bb0adce687871bc2f7fa502a4f2e
Instruction Fuzzy Hash: CC4176B684011DAEEB11EE54DC41FEB776CAF55305F0401EBB608E2142E7789F988FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00441A6C, Relevance: 27.4, APIs: 7, Strings: 11, Instructions: 375COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00441AB5
memcmp.MSVCRT ref: 00441B43
memcmp.MSVCRT ref: 00441CED
memcmp.MSVCRT ref: 00441D19
memcmp.MSVCRT ref: 00441D4B
memcmp.MSVCRT ref: 00441D96
memcpy.MSVCRT ref: 00441E29

Strings

%s mode not allowed: %s, xrefs: 00441DF6
mode, xrefs: 00441D46
vfs, xrefs: 00441CE8
access, xrefs: 00441D69
cache, xrefs: 00441D14, 00441D36
file:, xrefs: 00441AAF
localhost, xrefs: 00441B3E
invalid uri authority: %.*s, xrefs: 00441B54
no such vfs: %s, xrefs: 00441E54
BINARY, xrefs: 00441A76
no such %s mode: %s, xrefs: 00441DB1

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcmp$memcpy
String ID: %s mode not allowed: %s$BINARY$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
API String ID: 231171946-1411472696
Opcode ID: ee0957bba9a21b500f81e6c25a2f981e0bf1c959c719be955f11db3b2c6e13f4
Instruction ID: 52e3131474fa5b42b7a716d11f9a5693575ad96a685679239bae0d8a086cc604
Opcode Fuzzy Hash: ee0957bba9a21b500f81e6c25a2f981e0bf1c959c719be955f11db3b2c6e13f4
Instruction Fuzzy Hash: 6ED13571D40209AAFF24CF99C8807EFBBB1AF15349F24405FE84197361E3789AC68B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040C12B, Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 110stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C150
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 0040C161
strrchr.MSVCRT ref: 0040C170
_mbscat.MSVCRT ref: 0040C18A
_mbscpy.MSVCRT ref: 0040C1BE
_mbscpy.MSVCRT ref: 0040C1CF
GetWindowPlacement.USER32(?,?), ref: 0040C265

Strings

.cfg, xrefs: 0040C184
General, xrefs: 0040C1C9
AddExportHeaderLine, xrefs: 0040C21A
ShowGridLines, xrefs: 0040C1E8
MarkOddEvenRows, xrefs: 0040C233
lD, xrefs: 0040C1E2, 0040C1ED, 0040C1FB, 0040C206, 0040C214, 0040C21F, 0040C228, 0040C238, 0040C273, 0040C27E, 0040C297
WinPos, xrefs: 0040C279
SaveFilterIndex, xrefs: 0040C201

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos$lD
API String ID: 1012775001-1916105108
Opcode ID: 122b63003726a974bfadc130288c83bc1cbd12b8fd6105304b92718d22d06189
Instruction ID: 0f0ca2c9629047d536013ad0a00a476c63862c7e4230734d296e8a5f64e20069
Opcode Fuzzy Hash: 122b63003726a974bfadc130288c83bc1cbd12b8fd6105304b92718d22d06189
Instruction Fuzzy Hash: 41415A72940118ABDB20DB54CC88FDAB7BCAB59300F4541EAF50DE7192DA74AA858FA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA92, Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 166stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004078B8: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040EAAB,?,?,?,?), ref: 004078D1
Part of subcall function 004078B8: CloseHandle.KERNEL32(00000000,?,?,?), ref: 004078FD

Part of subcall function 004045BD: ??3@YAXPAX@Z.MSVCRT ref: 004045C4

Part of subcall function 00406DD3: _mbscpy.MSVCRT ref: 00406DD8
Part of subcall function 00406DD3: strrchr.MSVCRT ref: 00406DE0

Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D80B
Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D81F
Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D833
Part of subcall function 0040D7EA: memcpy.MSVCRT ref: 0040D900
Part of subcall function 0040D7EA: memcpy.MSVCRT ref: 0040D960

strlen.MSVCRT ref: 0040EAF0
strlen.MSVCRT ref: 0040EAFE
memset.MSVCRT ref: 0040EB3F
strlen.MSVCRT ref: 0040EB4E
strlen.MSVCRT ref: 0040EB5C
memset.MSVCRT ref: 0040EB9D
strlen.MSVCRT ref: 0040EBAC
strlen.MSVCRT ref: 0040EBBA
_strcmpi.MSVCRT ref: 0040EC68
_mbscpy.MSVCRT ref: 0040EC83

Part of subcall function 00406E81: _mbscpy.MSVCRT ref: 00406E89
Part of subcall function 00406E81: _mbscat.MSVCRT ref: 00406E98

Strings

none, xrefs: 0040EC62
logins.json, xrefs: 0040EBB3, 0040EBCE
signons.txt, xrefs: 0040EAF7, 0040EB12
signons.sqlite, xrefs: 0040EB55, 0040EB70

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: strlen$memset$_mbscpy$memcpy$??3@CloseFileHandleSize_mbscat_strcmpistrrchr
String ID: logins.json$none$signons.sqlite$signons.txt
API String ID: 3884059725-3138536805
Opcode ID: c5b9952702cbd755305f6f4c2c58a42ef73f51976a5d7d3736a15114e020422c
Instruction ID: df88ffc6541641ac30fc10f5b0fca58fec5c07c4b1c9a15943a758993f488c50
Opcode Fuzzy Hash: c5b9952702cbd755305f6f4c2c58a42ef73f51976a5d7d3736a15114e020422c
Instruction Fuzzy Hash: 2D512971508209AEE714EB62DC85BDAB7ECAF11305F10057BE145E20C2EF79B6648B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040CAFA, Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_strcmpi.MSVCRT ref: 0040CB00
_strcmpi.MSVCRT ref: 0040CB15

Strings

/scomma, xrefs: 0040CB4F
/stab, xrefs: 0040CB3A
/skeepass, xrefs: 0040CB79
/sverhtml, xrefs: 0040CB10
/stabular, xrefs: 0040CB64
/shtml, xrefs: 0040CAFB
/sxml, xrefs: 0040CB25

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _strcmpi
String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
API String ID: 1439213657-1959339147
Opcode ID: 77925ccb47b99d7184ab421125f296c84d7d33a23461460fa00f3fd3e52541e8
Instruction ID: 4795e8c1a20e30d0c9bbc9b6431cc8fe1bf434ed6b151c21ba544f3180274443
Opcode Fuzzy Hash: 77925ccb47b99d7184ab421125f296c84d7d33a23461460fa00f3fd3e52541e8
Instruction Fuzzy Hash: 89012C6328A71168F93822A63C07F931A88CBD2B3BF32021FFA04E40C4EE5D9014946E

Uniqueness

Uniqueness Score: -1.00%

Function 00443AD1, Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 202stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00443AF6

Part of subcall function 00443946: strlen.MSVCRT ref: 00443953

strlen.MSVCRT ref: 00443B12
memset.MSVCRT ref: 00443B4C
memset.MSVCRT ref: 00443B60
memset.MSVCRT ref: 00443B74
memset.MSVCRT ref: 00443B9A

Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CFB8

Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFE4
Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFFA
Part of subcall function 0040CFC5: memcpy.MSVCRT ref: 0040D031
Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D03B

memcpy.MSVCRT ref: 00443BD1

Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF6A
Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF94

Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D00C

memcpy.MSVCRT ref: 00443C0D
memcpy.MSVCRT ref: 00443C1F
_mbscpy.MSVCRT ref: 00443CF6
memcpy.MSVCRT ref: 00443D27
memcpy.MSVCRT ref: 00443D39

Strings

salu, xrefs: 00443B2D

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpymemset$strlen$_mbscpy
String ID: salu
API String ID: 3691931180-4177317985
Opcode ID: cfd6af14ea326c76b81993dcf2b8da589751f80de7e5c424798678831997877e
Instruction ID: ac1bd25895dca9443f5d295c1451dfd6054ecd25aeec11951aea85171a240119
Opcode Fuzzy Hash: cfd6af14ea326c76b81993dcf2b8da589751f80de7e5c424798678831997877e
Instruction Fuzzy Hash: E1715F7290011DAADB10EFA5CC81ADEB7BDBF08348F1405BAF648E7191DB749B488F95

Uniqueness

Uniqueness Score: -1.00%

Function 0040C750, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SetBkMode.GDI32(?,00000001), ref: 0040C7C9
SetTextColor.GDI32(?,00FF0000), ref: 0040C7D7
SelectObject.GDI32(?,?), ref: 0040C7EC
DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040C821
SelectObject.GDI32(00000014,?), ref: 0040C82D

Part of subcall function 0040C586: GetCursorPos.USER32(?), ref: 0040C593
Part of subcall function 0040C586: GetSubMenu.USER32(?,00000000), ref: 0040C5A1
Part of subcall function 0040C586: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C5CE

LoadCursorA.USER32(00000067), ref: 0040C84E
SetCursor.USER32(00000000), ref: 0040C855
PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040C877
SetFocus.USER32(?), ref: 0040C8B2
SetFocus.USER32(?), ref: 0040C92B

Strings

u, xrefs: 0040C8B2, 0040C8E3, 0040C92B

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
String ID: u
API String ID: 1416211542-4067256894
Opcode ID: 72d4e56ce9792ca9f6f5468ccb6de1f9c3d453dee6bcce5964bd40597cc99410
Instruction ID: 09ccc7060a79f4adaf8e2edad657e89b5ff3622033c15eab8e38028839dfd0e9
Opcode Fuzzy Hash: 72d4e56ce9792ca9f6f5468ccb6de1f9c3d453dee6bcce5964bd40597cc99410
Instruction Fuzzy Hash: 4E518276200605EFCB15AF64CCC5AAA77A5FB08302F004636F616B72A1CB39A951DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040F9AC, Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,0040F791), ref: 0040F9BF
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040F9D8
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040F9E9
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040F9FA
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040FA0B
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040FA1C
FreeLibrary.KERNEL32(00000000), ref: 0040FA3C

Strings

EnumProcesses, xrefs: 0040FA05
EnumProcessModules, xrefs: 0040F9E3
GetModuleInformation, xrefs: 0040FA16
GetModuleBaseNameA, xrefs: 0040F9D2
psapi.dll, xrefs: 0040F9BA
GetModuleFileNameExA, xrefs: 0040F9F4

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
API String ID: 2449869053-232097475
Opcode ID: 41a7431a570a879339345957c21e7bbc60c6881d878c9e33f6f290671b5569e0
Instruction ID: b0622ab91b6b15bab8cd8e6e0f6310f6235a52dd738245c008a901a401bb443a
Opcode Fuzzy Hash: 41a7431a570a879339345957c21e7bbc60c6881d878c9e33f6f290671b5569e0
Instruction Fuzzy Hash: C6017574A41315ABDB31DB256D41F6B2DE49786B41B100037F808F16A5E7B8D806CF6D

Uniqueness

Uniqueness Score: -1.00%

Function 00442F98, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 136registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5

Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F

strlen.MSVCRT ref: 00442FBF
??2@YAPAXI@Z.MSVCRT ref: 00442FCF
memset.MSVCRT ref: 0044301B
memset.MSVCRT ref: 00443038
_mbscpy.MSVCRT ref: 00443066
RegCloseKey.ADVAPI32(?), ref: 004430AA
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 004430FB
LocalFree.KERNEL32(?), ref: 00443110
??3@YAXPAX@Z.MSVCRT ref: 00443119

Part of subcall function 0040710B: strtoul.MSVCRT ref: 00407113

Strings

Software\Microsoft\Windows Live Mail, xrefs: 0044305A
Salt, xrefs: 00443094
Software\Microsoft\Windows Mail, xrefs: 0044304E

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _mbscpymemset$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
API String ID: 665470638-2687544566
Opcode ID: c7be1d339a6f71acec12681967ad21d50f91be88715435c981d713b1c9f5c6b3
Instruction ID: f7bf93f0836b67bba3c835e38737b5ae5122e901c23063e01546d75898481f5a
Opcode Fuzzy Hash: c7be1d339a6f71acec12681967ad21d50f91be88715435c981d713b1c9f5c6b3
Instruction Fuzzy Hash: F7417676C0411CAEDB11DFE4DC81EDEBBBCAF49314F1441ABE644E3242DA349A44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040F177, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 118registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(0040F591,Creds,00000000,00020019,0040F591,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040F591,?,?,?,?), ref: 0040F1A1
memset.MSVCRT ref: 0040F1BF
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F1EC
RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F215
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F28E
LocalFree.KERNEL32(?), ref: 0040F2A1
RegCloseKey.ADVAPI32(?), ref: 0040F2AC
RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F2C3
RegCloseKey.ADVAPI32(?), ref: 0040F2D4

Strings

Creds, xrefs: 0040F199
ps:password, xrefs: 0040F206
%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd, xrefs: 0040F18C

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
API String ID: 551151806-1288872324
Opcode ID: 99828ca7f35a41181d9bb96a9a02e43887c925b3765608a693f25377290640c0
Instruction ID: 6090246ec9a09cf2b7bf1ee2c59d5b558b26d9adbf6fbfd3eb8a6f02fd62f1f0
Opcode Fuzzy Hash: 99828ca7f35a41181d9bb96a9a02e43887c925b3765608a693f25377290640c0
Instruction Fuzzy Hash: D7413ABA900209AFDF21DF95DC44EEFBBBCEF49704F0000B6F905E2151DA349A548B64

Uniqueness

Uniqueness Score: -1.00%

Function 00403E83, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB

memset.MSVCRT ref: 00403EBB
memset.MSVCRT ref: 00403ECF
memset.MSVCRT ref: 00403EE3
sprintf.MSVCRT ref: 00403F04
_mbscpy.MSVCRT ref: 00403F20
sprintf.MSVCRT ref: 00403F57
sprintf.MSVCRT ref: 00403F88

Strings

<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F82
<table dir="rtl"><tr><td>, xrefs: 00403F1A
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403E93
<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F32
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403EFE

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memsetsprintf$FileWrite_mbscpystrlen
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
API String ID: 113626815-1670831295
Opcode ID: e988a86f96cb0b35651706e8a54da2f8db7d6407d8c8c481c34fbc63b9ba1f92
Instruction ID: 806bb3af6c01162091129d7dbd14bcfdd9389eda619bfd821539a1a2e53cd61a
Opcode Fuzzy Hash: e988a86f96cb0b35651706e8a54da2f8db7d6407d8c8c481c34fbc63b9ba1f92
Instruction Fuzzy Hash: 553187B2944218BAEB10EB95CC41FDF77ACEB44305F1040ABF609A3141DE789F988B69

Uniqueness

Uniqueness Score: -1.00%

Function 00406B9A, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 58clipboardmemoryfileCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00406BA4

Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1

GetFileSize.KERNEL32(00000000,00000000), ref: 00406BC1
GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406BD2
GlobalFix.KERNEL32(00000000), ref: 00406BDF
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BF2
GlobalUnWire.KERNEL32(00000000), ref: 00406C01
SetClipboardData.USER32(00000001,00000000), ref: 00406C0A
GetLastError.KERNEL32 ref: 00406C12
CloseHandle.KERNEL32(?), ref: 00406C1E
GetLastError.KERNEL32 ref: 00406C29
CloseClipboard.USER32 ref: 00406C32

Strings

t, xrefs: 00406C12, 00406C29

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
String ID: t
API String ID: 2565263379-2238339752
Opcode ID: 1b6e565173029c6444be00b6b2d36f782b825a097f2130a1a97e673a6d3a71af
Instruction ID: 428d7c431cb1422a1915013c6704b220f4cf118cce9454ff27e0024ace88079b
Opcode Fuzzy Hash: 1b6e565173029c6444be00b6b2d36f782b825a097f2130a1a97e673a6d3a71af
Instruction Fuzzy Hash: E2114239904605FFEF105FA4DC4CB9E7FB8EB46755F104035F542E1192DB7489508A69

Uniqueness

Uniqueness Score: -1.00%

Function 0040F928, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040F798), ref: 0040F937
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040F950
GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040F961
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040F972
GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040F983
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040F994

Strings

CreateToolhelp32Snapshot, xrefs: 0040F94A
Module32First, xrefs: 0040F95B
Process32Next, xrefs: 0040F98E
Process32First, xrefs: 0040F97D
kernel32.dll, xrefs: 0040F932
Module32Next, xrefs: 0040F96C

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: f969084aaa60d6fc347aca6cd4b103efb280d70b1424ed757b2f63fa67c010da
Instruction ID: d70ca51da7794723d6fdd3b52e2ca510f6325bc6d96353a7ae51ff6a4d6706bc
Opcode Fuzzy Hash: f969084aaa60d6fc347aca6cd4b103efb280d70b1424ed757b2f63fa67c010da
Instruction Fuzzy Hash: E5F03674641716BEE7219B35EC41F6B2DA8B786B817150037E404F1295EBBCD406CBEE

Uniqueness

Uniqueness Score: -1.00%

Function 004045D6, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00404651: FreeLibrary.KERNEL32(?,004045DE,?,0040F07D,?,00000000), ref: 00404658

LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C

Strings

CredEnumerateA, xrefs: 00404616
CredReadA, xrefs: 004045F6
CredFree, xrefs: 004045FE
CredDeleteA, xrefs: 0040460A
CredEnumerateW, xrefs: 00404622
advapi32.dll, xrefs: 004045DE

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
API String ID: 2449869053-4258758744
Opcode ID: cdcbb80234758e29e10a2fa45a01471a6c512abbbeef489e8d79757fa0f5749b
Instruction ID: e667573ab02a3a36113e5811d7d9d25958220871e4fc9ad39742c7b975dc30ca
Opcode Fuzzy Hash: cdcbb80234758e29e10a2fa45a01471a6c512abbbeef489e8d79757fa0f5749b
Instruction Fuzzy Hash: 32012CB49007009ADB30AF759809B46BAE0EF9A705B224C2FE295A3691E77ED440CF49

Uniqueness

Uniqueness Score: -1.00%

Function 00404217, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 100stringCOMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 0040424C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404293
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042A7
_mbscpy.MSVCRT ref: 004042B7
_mbscpy.MSVCRT ref: 004042CA
strchr.MSVCRT ref: 004042D8
strlen.MSVCRT ref: 004042EC
sprintf.MSVCRT ref: 0040430D
strchr.MSVCRT ref: 0040431E

Strings

%s@gmail.com, xrefs: 00404307
www.google.com, xrefs: 00404246

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
String ID: %s@gmail.com$www.google.com
API String ID: 3866421160-4070641962
Opcode ID: 1db7f9bf2b70e86dd11ed3dbd874db975a9752dd457c4b53029e5acecafbc8af
Instruction ID: 638e790b5603b8fd8804fb5d4b15941c8435a10b684d18614d662d2844f21a3d
Opcode Fuzzy Hash: 1db7f9bf2b70e86dd11ed3dbd874db975a9752dd457c4b53029e5acecafbc8af
Instruction Fuzzy Hash: A53195B290421CBFEB11DB91DC81FDAB36CEB44314F1005A7F708F2181DA78AF558A59

Uniqueness

Uniqueness Score: -1.00%

Function 004094A2, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT ref: 004094BA
_mbscpy.MSVCRT ref: 004094CA

Part of subcall function 0040907D: memset.MSVCRT ref: 004090A2
Part of subcall function 0040907D: GetPrivateProfileStringA.KERNEL32(00451308,?,0044551F,?,00001000,00451200), ref: 004090C6
Part of subcall function 0040907D: WritePrivateProfileStringA.KERNEL32(00451308,?,?,00451200), ref: 004090DD

EnumResourceNamesA.KERNEL32(?,00000004,Function_000092CB,00000000), ref: 00409500
EnumResourceNamesA.KERNEL32(?,00000005,Function_000092CB,00000000), ref: 0040950A
_mbscpy.MSVCRT ref: 00409512
memset.MSVCRT ref: 0040952E
LoadStringA.USER32(?,00000000,?,00001000), ref: 00409542

Part of subcall function 004090EB: _itoa.MSVCRT ref: 0040910C

Strings

strings, xrefs: 0040950C
general, xrefs: 004094BF
TranslatorURL, xrefs: 004094E0
TranslatorName, xrefs: 004094D5

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
String ID: TranslatorName$TranslatorURL$general$strings
API String ID: 1035899707-3647959541
Opcode ID: 97e9d8764d44d496b522761866ccd9ae9dc7e38aa88f3c298a62bf6b22ba0dc4
Instruction ID: 9dc8dfcbefe26b31ead3ecdd6c1d49ac828ce4ba7b4c08f8d1d1c72bb5e2ee9a
Opcode Fuzzy Hash: 97e9d8764d44d496b522761866ccd9ae9dc7e38aa88f3c298a62bf6b22ba0dc4
Instruction Fuzzy Hash: A6112B7190025476F73127169C06FDB3E5CDF86B96F00407BBB08B61D3C6B94D40866D

Uniqueness

Uniqueness Score: -1.00%

Function 004106AD, Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 50COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT ref: 00410720

Strings

Favorites, xrefs: 004106DF
Programs, xrefs: 004106E6
AppData, xrefs: 00410705
Desktop, xrefs: 004106CA
Common Programs, xrefs: 0041071A
Startup, xrefs: 004106D8
Start Menu, xrefs: 004106D1
Common Start Menu, xrefs: 004106ED
Common Desktop, xrefs: 0041070C
Common Startup, xrefs: 00410713

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _mbscpy
String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
API String ID: 714388716-318151290
Opcode ID: 0a525b84c5f9161c47f62fe334daf8b9de5718508579850184da69b323b5bb64
Instruction ID: 9896847eb90bf5c4294a3c9dccddd80cbc36a64f1d49de08ffe9e6d9729d10b2
Opcode Fuzzy Hash: 0a525b84c5f9161c47f62fe334daf8b9de5718508579850184da69b323b5bb64
Instruction Fuzzy Hash: 5CF054B1BA870D60343C0528088EAF715009463B453764627F222E05DECEEDBCD26C0F

Uniqueness

Uniqueness Score: -1.00%

Function 0040DEF0, Relevance: 18.1, APIs: 8, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

_strnicmp.MSVCRT ref: 0040DF1F
_strnicmp.MSVCRT ref: 0040DF44
memset.MSVCRT ref: 0040DF8D
memset.MSVCRT ref: 0040DFA3
sprintf.MSVCRT ref: 0040DFC2
sprintf.MSVCRT ref: 0040DFE1
_strcmpi.MSVCRT ref: 0040E000
_strcmpi.MSVCRT ref: 0040E022

Part of subcall function 004012EE: strlen.MSVCRT ref: 004012FB

Strings

imap://%s@%s, xrefs: 0040DFDB
mailbox://, xrefs: 0040DF19
mailbox://%s@%s, xrefs: 0040DFBC
imap://, xrefs: 0040DF3E

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _strcmpi_strnicmpmemsetsprintf$strlen
String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
API String ID: 2360744853-2229823034
Opcode ID: 6cd9f616e22569c22ee97f1c282593b0608afcf1e5c6b77fef8cec6df374adea
Instruction ID: 5d143ff0da15214bab7bb06cf5d8f907292877c2fd7590e182fa264530f008e8
Opcode Fuzzy Hash: 6cd9f616e22569c22ee97f1c282593b0608afcf1e5c6b77fef8cec6df374adea
Instruction Fuzzy Hash: 934185726053059FE724DEA5C881F9673E8EF04304F10497BF64AE3281DB78F9588B59

Uniqueness

Uniqueness Score: -1.00%

Function 00402C4F, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 104registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424

memset.MSVCRT ref: 00402C8F

Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA

RegCloseKey.ADVAPI32(?), ref: 00402D91

Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC

memset.MSVCRT ref: 00402CE9
sprintf.MSVCRT ref: 00402D02
sprintf.MSVCRT ref: 00402D40

Part of subcall function 00402BC3: memset.MSVCRT ref: 00402BE3
Part of subcall function 00402BC3: RegCloseKey.ADVAPI32 ref: 00402C47

Strings

%s\%s, xrefs: 00402CB1, 00402D00, 00402D3E
Username, xrefs: 00402CC2
Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00402CEE
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00402D2C
Identities, xrefs: 00402C5D

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Closememset$sprintf$EnumOpen
String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
API String ID: 1831126014-3814494228
Opcode ID: 68836d752764ed395c939e698c27d7ced96b5c8b84be7de8b5e82d7aea7963ed
Instruction ID: 1b5601e0499ef747dd56af052f35eddfd4da5329eef37c5f4f36e35d9cf9c12c
Opcode Fuzzy Hash: 68836d752764ed395c939e698c27d7ced96b5c8b84be7de8b5e82d7aea7963ed
Instruction Fuzzy Hash: 0831507290011CBAEF11EA91CC46FEF777CAF04305F0404BABA04B2192E7B59F948B64

Uniqueness

Uniqueness Score: -1.00%

Function 004092CB, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 86windowCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 004092EC
LoadMenuA.USER32(?,?), ref: 004092FA

Part of subcall function 00409123: GetMenuItemCount.USER32(?), ref: 00409138
Part of subcall function 00409123: memset.MSVCRT ref: 00409159
Part of subcall function 00409123: GetMenuItemInfoA.USER32 ref: 00409194
Part of subcall function 00409123: strchr.MSVCRT ref: 004091AB

DestroyMenu.USER32(00000000), ref: 00409318
sprintf.MSVCRT ref: 0040935C
CreateDialogParamA.USER32(?,00000000,00000000,004092C6,00000000), ref: 00409371
memset.MSVCRT ref: 0040938D
GetWindowTextA.USER32(00000000,?,00001000), ref: 0040939E

Strings

dialog_%d, xrefs: 00409352
menu_%d, xrefs: 004092E2
caption, xrefs: 004093B3

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Menu$Itemmemsetsprintf$CountCreateDestroyDialogInfoLoadParamTextWindowstrchr
String ID: caption$dialog_%d$menu_%d
API String ID: 3071497004-3822380221
Opcode ID: 00d5c196fd175f8f7b493892d5fd0a4de6fbafe6eb8e7d8c787b31c60a4e7b89
Instruction ID: 4880027b7f24484a0daf4b70c4ca19663393d93293db39a52c89ae2e2b3c84be
Opcode Fuzzy Hash: 00d5c196fd175f8f7b493892d5fd0a4de6fbafe6eb8e7d8c787b31c60a4e7b89
Instruction Fuzzy Hash: 0121E472500248BBEB21AF509C45EEF3768FB4A715F14007BFE01A11D2D6B85D548F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA44, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 0040FA5C
_mbscpy.MSVCRT ref: 0040FA6A

Part of subcall function 004075CB: strlen.MSVCRT ref: 004075DD
Part of subcall function 004075CB: strlen.MSVCRT ref: 004075E5
Part of subcall function 004075CB: _memicmp.MSVCRT ref: 00407603

_mbscpy.MSVCRT ref: 0040FABA
_mbscat.MSVCRT ref: 0040FAC5
memset.MSVCRT ref: 0040FAA1

Part of subcall function 00406EF9: GetWindowsDirectoryA.KERNEL32(004517B0,00000104,?,0040FAFA,00000000,?,00000000,00000104,00000104), ref: 00406F0E
Part of subcall function 00406EF9: _mbscpy.MSVCRT ref: 00406F1E

memset.MSVCRT ref: 0040FAE9
memcpy.MSVCRT ref: 0040FB04
_mbscat.MSVCRT ref: 0040FB0F

Strings

\systemroot, xrefs: 0040FA77

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
String ID: \systemroot
API String ID: 912701516-1821301763
Opcode ID: 9693690fb4489c5de0eab49cfe3cb56840eb7b64a83fc31564cd0bab15c85152
Instruction ID: 2dd3a797b17f22995e4c1cf65abf5f7fbb47152c003677c6e5f404f17f2ef451
Opcode Fuzzy Hash: 9693690fb4489c5de0eab49cfe3cb56840eb7b64a83fc31564cd0bab15c85152
Instruction Fuzzy Hash: 92210A7550C20469F734E2618C82FEB76EC9B55708F10007FF289E14C1EEBCA9884A6A

Uniqueness

Uniqueness Score: -1.00%

Function 00405E41, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00405E58
GetWindow.USER32(?,00000005), ref: 00405E70
GetWindow.USER32(00000000), ref: 00405E73

Part of subcall function 004015AF: GetWindowRect.USER32(?,?), ref: 004015BE
Part of subcall function 004015AF: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004015D9

GetWindow.USER32(00000000,00000002), ref: 00405E7F
GetDlgItem.USER32(?,000003ED), ref: 00405E96
GetDlgItem.USER32(?,00000000), ref: 00405EA8
GetDlgItem.USER32(?,00000000), ref: 00405EBA
GetDlgItem.USER32(?,000003ED), ref: 00405EC8
SetFocus.USER32(00000000), ref: 00405ECB

Strings

u, xrefs: 00405ECB

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Window$Item$Rect$ClientFocusPoints
String ID: u
API String ID: 2432066023-4067256894
Opcode ID: 859c870cb1f45ac1f52eef33470e4ab1ec2daf0450f8b20d97580b530be0d20d
Instruction ID: 4031fba040b0e189dacc9fafa17b87c2e22a92f85e78ae2064a779fcc19fa509
Opcode Fuzzy Hash: 859c870cb1f45ac1f52eef33470e4ab1ec2daf0450f8b20d97580b530be0d20d
Instruction Fuzzy Hash: AE01E571500708AFDB112B62DC89E6BBFACEF81324F11442BF5449B252DBB8E8008E28

Uniqueness

Uniqueness Score: -1.00%

Function 00406625, Relevance: 16.7, APIs: 7, Strings: 4, Instructions: 205COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406650

Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE

memcpy.MSVCRT ref: 00406719
memcpy.MSVCRT ref: 00406731
memcpy.MSVCRT ref: 0040674A
memcmp.MSVCRT ref: 004067EB
memcpy.MSVCRT ref: 0040680F
memcpy.MSVCRT ref: 00406827

Strings

SELECT a11,a102 FROM nssPrivate, xrefs: 0040677A
C@, xrefs: 00406625
key4.db, xrefs: 00406632
SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 0040668D

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpy$memcmpmemsetstrlen
String ID: C@$SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
API String ID: 2950547843-1835927508
Opcode ID: 29e67128f806e27f32a5a844b83660c965dc1796d59f1ea4f69cdb33fe82b5c1
Instruction ID: 4af0f314ee18ccde9e1bafe1ac3c0a9422d02a762a4adf5b984e4b61dd213191
Opcode Fuzzy Hash: 29e67128f806e27f32a5a844b83660c965dc1796d59f1ea4f69cdb33fe82b5c1
Instruction Fuzzy Hash: A961CA72A00218AFDB10EF75DC81BAE73A8AF04318F12457BF915E7281D678EE548799

Uniqueness

Uniqueness Score: -1.00%

Function 00402FCD, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 106registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424

memset.MSVCRT ref: 00403010

Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA

memset.MSVCRT ref: 0040305D
sprintf.MSVCRT ref: 00403075
memset.MSVCRT ref: 004030A6
RegCloseKey.ADVAPI32(?), ref: 004030EE
RegCloseKey.ADVAPI32(?), ref: 00403117

Strings

Software\IncrediMail\Identities, xrefs: 00402FDE
Identity, xrefs: 00403036
%s\Accounts, xrefs: 0040306F

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset$Close$EnumOpensprintf
String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
API String ID: 3672803090-3168940695
Opcode ID: 7c98ea0b3754888334cffa6cf5d7d188fa79ef3fb5e75e3e96ead78b92b55a2f
Instruction ID: 39077b7eb5a2e68ecd5ff501a3ad8ea0a91829c9588d8d8ee698511e4ba158b1
Opcode Fuzzy Hash: 7c98ea0b3754888334cffa6cf5d7d188fa79ef3fb5e75e3e96ead78b92b55a2f
Instruction Fuzzy Hash: EE3130B580021CFBDB11EB91CC82EEEBB7CAF15305F0041B6BA08A1152E7799F949F95

Uniqueness

Uniqueness Score: -1.00%

Function 00405BBD, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00405BCE
??3@YAXPAX@Z.MSVCRT ref: 00405BEA
??2@YAPAXI@Z.MSVCRT ref: 00405C11
memset.MSVCRT ref: 00405C22
??2@YAPAXI@Z.MSVCRT ref: 00405C51
InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405C9E
SetFocus.USER32(?,?,?,?), ref: 00405CA7
??3@YAXPAX@Z.MSVCRT ref: 00405CB5

Strings

u, xrefs: 00405CA7

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ??2@$??3@$FocusInvalidateRectmemset
String ID: u
API String ID: 2313361498-4067256894
Opcode ID: 6f0e433ce69856a90d638de5f69032b71c8054c54d3c4ca0034aaabced9ba3f5
Instruction ID: 8a5161a197c3c11310b51994d494e99affbcf27179d68dd4cd1e15cf4b4d4d3b
Opcode Fuzzy Hash: 6f0e433ce69856a90d638de5f69032b71c8054c54d3c4ca0034aaabced9ba3f5
Instruction Fuzzy Hash: 0431B471500605AFEB249F69C845D2AF7A8FF043547148A3FF219E72A1DB78EC508B54

Uniqueness

Uniqueness Score: -1.00%

Function 00408C8C, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowstringCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 00408CA2
memset.MSVCRT ref: 00408CC6
GetMenuItemInfoA.USER32(?), ref: 00408CFC
memset.MSVCRT ref: 00408D29
strchr.MSVCRT ref: 00408D35
_mbscat.MSVCRT ref: 00408D90
ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00408DAC

Strings

0, xrefs: 00408CE1
6, xrefs: 00408CEC

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
String ID: 0$6
API String ID: 3540791495-3849865405
Opcode ID: 74127b3a6ace4faeac3cb74118fb5aab17d7e36bf865af1988a44d13d40aa2ee
Instruction ID: 3c8b7fd7a28504c7ca875bf426ab9eeebffe21bfd5384a9a2131e9ee4f2c6c2c
Opcode Fuzzy Hash: 74127b3a6ace4faeac3cb74118fb5aab17d7e36bf865af1988a44d13d40aa2ee
Instruction Fuzzy Hash: CB31AD72408384AFD7209F91D940A9BBBE9EF84354F04493FFAC4A2291D778D9548F6A

Uniqueness

Uniqueness Score: -1.00%

Function 00404A94, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52libraryloaderwindowCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB3
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404AC5
FreeLibrary.KERNEL32(00000000), ref: 00404AD9
7078DB20.COMCTL32 ref: 00404AE7
MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B04

Strings

Error, xrefs: 00404AF9
comctl32.dll, xrefs: 00404A9C
Error: Cannot load the common control classes., xrefs: 00404AFE
InitCommonControlsEx, xrefs: 00404ABF

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Library$7078AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2661263322-317687271
Opcode ID: 0605f619fc244978403acb2e7e50909fcfc2fbf3368997ac03ccd37e60a8c8f1
Instruction ID: 36f372293bcd99ea712e996d8bb82ea6b99e6deebf99936071b003413e9982ca
Opcode Fuzzy Hash: 0605f619fc244978403acb2e7e50909fcfc2fbf3368997ac03ccd37e60a8c8f1
Instruction Fuzzy Hash: 860149797516103BEB115BB19C49F7FBAACDB8674AF010035F602F2182DEBCC9018A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00418FCA, Relevance: 15.3, APIs: 6, Strings: 4, Instructions: 319COMMON

Download Yara Rule

APIs

Part of subcall function 004128D6: strlen.MSVCRT ref: 004128E4

memcpy.MSVCRT ref: 00419165
memcpy.MSVCRT ref: 00419184
memcpy.MSVCRT ref: 00419196
memcpy.MSVCRT ref: 004191AE
memcpy.MSVCRT ref: 004191CB
memcpy.MSVCRT ref: 004191E3

Strings

-journal, xrefs: 004191A8
nolock, xrefs: 0041927B
immutable, xrefs: 00419294
-wal, xrefs: 004191DD

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpy$strlen
String ID: -journal$-wal$immutable$nolock
API String ID: 2619041689-3408036318
Opcode ID: b4afe22544acede0a86ca576d850925b04083d6883ca1ee22da99f70356edf55
Instruction ID: 01a3cfc3161f2179d827f175e8c33b529befff994fa447307002f7c0b3a07cf5
Opcode Fuzzy Hash: b4afe22544acede0a86ca576d850925b04083d6883ca1ee22da99f70356edf55
Instruction Fuzzy Hash: C7C1F372A04606AFDB14DFA9C841BDEFFB0BF44314F14825EE428E7281D778A994CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004019E9, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 004019F5
abs.MSVCRT ref: 00401AF5
abs.MSVCRT ref: 00401B2C
log.MSVCRT ref: 00401BDB
log.MSVCRT ref: 00401BED
??3@YAXPAX@Z.MSVCRT ref: 00401C0E
??3@YAXPAX@Z.MSVCRT ref: 00401C22

Strings

, xrefs: 00401A23

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ??3@$strlen
String ID:
API String ID: 4288758904-3916222277
Opcode ID: 84b328311e417d15e7997145b2c24fd86ffd8b147b4043e2eff3435c1be22cd3
Instruction ID: 24b34d1c19d378cbc4a311a34392409bda21909db6314ed607bd163125115c99
Opcode Fuzzy Hash: 84b328311e417d15e7997145b2c24fd86ffd8b147b4043e2eff3435c1be22cd3
Instruction Fuzzy Hash: 6A61873440D782DFDB609F25948006BBBF0FB89315F54593FF5D2A22A1D739984ACB0A

Uniqueness

Uniqueness Score: -1.00%

Function 00408458, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

Part of subcall function 004045D6: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
Part of subcall function 004045D6: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C

wcslen.MSVCRT ref: 004084C2
_wcsncoll.MSVCRT ref: 00408506
memset.MSVCRT ref: 0040859A
memcpy.MSVCRT ref: 004085BE
wcschr.MSVCRT ref: 00408612
LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040863C

Part of subcall function 00404780: FreeLibrary.KERNELBASE(?,?,0040F171,?,00000000), ref: 00404795

Strings

J, xrefs: 00408540
Microsoft_WinInet, xrefs: 004084B6

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: AddressProc$FreeLibrary$LoadLocal_wcsncollmemcpymemsetwcschrwcslen
String ID: J$Microsoft_WinInet
API String ID: 1371990430-260894208
Opcode ID: 16b20249654c67f53eccac8b236a4263c6876ac6a245db74242d08f005f31d3d
Instruction ID: daadb017bf7cdd7d7f2103bea61dec75ef30dccaf082131e005dcc9144427660
Opcode Fuzzy Hash: 16b20249654c67f53eccac8b236a4263c6876ac6a245db74242d08f005f31d3d
Instruction Fuzzy Hash: D55115B1508346AFD720DF65C980A5BB7E8FF89304F00492EF998D3251EB39E918CB56

Uniqueness

Uniqueness Score: -1.00%

Function 004057FC, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 126windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00405813
SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 0040582C
SendMessageA.USER32(?,00001036,00000000,00000026), ref: 00405839
SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405845
memset.MSVCRT ref: 004058AF
SendMessageA.USER32(?,00001019,?,?), ref: 004058E0
SetFocus.USER32(?), ref: 00405965

Strings

u, xrefs: 00405965

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: MessageSend$FocusItemmemset
String ID: u
API String ID: 4281309102-4067256894
Opcode ID: 876f99dafb0e6a95d69d5b7461b0350726d0b63ba9d27f7b5ed0e67933d6ba92
Instruction ID: b1c021a56b4f7756f2b42baa300122e183270d3e6e7f1cb1ff0d1441efe58172
Opcode Fuzzy Hash: 876f99dafb0e6a95d69d5b7461b0350726d0b63ba9d27f7b5ed0e67933d6ba92
Instruction Fuzzy Hash: 98411BB5D00109AFEB209F95DC81DAEBBB9FF04354F00406AE914B72A1D7759E50CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041025A, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410277
UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0041028B
UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410298
memcpy.MSVCRT ref: 004102D6

Strings

417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 00410293
220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041027F
220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410272
220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410286

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: FromStringUuid$memcpy
String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
API String ID: 2859077140-2022683286
Opcode ID: 8ab31fcad472c8e0f7fc1e7956a4c0916ede4aff3821f8ba5262597d6c198381
Instruction ID: e4eb6b96217285778323d40e2be480743d786dbe6d4556737564963462aa5f63
Opcode Fuzzy Hash: 8ab31fcad472c8e0f7fc1e7956a4c0916ede4aff3821f8ba5262597d6c198381
Instruction Fuzzy Hash: CC116D7290012EABDF11DEA4DC85EEB37ACEB49354F050423FD41E7201E6B8DD848BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00406A1A, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52librarystringwindowCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002), ref: 00406A3F
FormatMessageA.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 00406A5D
strlen.MSVCRT ref: 00406A6A
_mbscpy.MSVCRT ref: 00406A7A
LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00406A84
_mbscpy.MSVCRT ref: 00406A94

Strings

Unknown Error, xrefs: 00406A8C
netmsg.dll, xrefs: 00406A3A

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
String ID: Unknown Error$netmsg.dll
API String ID: 2881943006-572158859
Opcode ID: a50973e00e0714efe879abe5d0fa4de51feb90d783acbf5609d176ef6c22eee5
Instruction ID: d85fce99d4424776e4d89386e5c8d6134dfcbe96067fcf7c7fc9c3f577b26335
Opcode Fuzzy Hash: a50973e00e0714efe879abe5d0fa4de51feb90d783acbf5609d176ef6c22eee5
Instruction Fuzzy Hash: 0801F7316001147FEB147B51EC46F9F7E28EB06791F21407AFA06F0091DA795E209AAC

Uniqueness

Uniqueness Score: -1.00%

Function 004093DD, Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00406D1F: GetFileAttributesA.KERNELBASE(?,00401EDD,?), ref: 00406D23

_mbscpy.MSVCRT ref: 004093F7
_mbscpy.MSVCRT ref: 00409407
GetPrivateProfileIntA.KERNEL32(00451308,rtl,00000000,00451200), ref: 00409418

Part of subcall function 00408FE9: GetPrivateProfileStringA.KERNEL32(00451308,?,0044551F,00451358,?,00451200), ref: 00409004

Strings

rtl, xrefs: 00409412
general, xrefs: 004093FC
TranslatorURL, xrefs: 00409450
charset, xrefs: 00409426
TranslatorName, xrefs: 0040943C

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: PrivateProfile_mbscpy$AttributesFileString
String ID: TranslatorName$TranslatorURL$charset$general$rtl
API String ID: 888011440-2039793938
Opcode ID: e990c3cc62237e0bab40cac14584cc26f7b64a30e3fa44b4e874bacec4a6fec9
Instruction ID: 0b3e14b162d046b550c41b249f06feb679facb3af2f7b05e7ff0b413a15a09bb
Opcode Fuzzy Hash: e990c3cc62237e0bab40cac14584cc26f7b64a30e3fa44b4e874bacec4a6fec9
Instruction Fuzzy Hash: C6F09621F8435136FB203B325C03F2E29488BD2F56F1640BFBD08B65D3DAAD8811559E

Uniqueness

Uniqueness Score: -1.00%

Function 0042DF2E, Relevance: 13.8, APIs: 2, Strings: 7, Instructions: 272COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042E006
memset.MSVCRT ref: 0042E045

Strings

out of memory, xrefs: 0042E235
cannot ATTACH database within transaction, xrefs: 0042DFAC
unable to open database: %s, xrefs: 0042E21C
too many attached databases - max %d, xrefs: 0042DF97
database is already attached, xrefs: 0042E0DD
database %s is already in use, xrefs: 0042E014
attached databases must use the same text encoding as main database, xrefs: 0042E12C

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpymemset
String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
API String ID: 1297977491-2001300268
Opcode ID: 6ddab01290ce87d8ebd2da98a857a844c731627c1ed98d62f1e76250c556fc69
Instruction ID: c7e7a29d1825d2e945301ab40bb758a3ed070f64a4837571caa387bbb47581b8
Opcode Fuzzy Hash: 6ddab01290ce87d8ebd2da98a857a844c731627c1ed98d62f1e76250c556fc69
Instruction Fuzzy Hash: BFA1BC70608311DFD720DF2AE441A6BBBE4BF88318F54492FF48987252D778E945CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00409989, Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097AB
Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097B9
Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097CA
Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097E1
Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097EA

??2@YAPAXI@Z.MSVCRT ref: 004099C0
??2@YAPAXI@Z.MSVCRT ref: 004099DC
memcpy.MSVCRT ref: 00409A04
memcpy.MSVCRT ref: 00409A21
??2@YAPAXI@Z.MSVCRT ref: 00409AAA
??2@YAPAXI@Z.MSVCRT ref: 00409AB4
??2@YAPAXI@Z.MSVCRT ref: 00409AEC

Part of subcall function 00408B27: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F

Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0

Strings

d, xrefs: 00409ACB
$, xrefs: 00409A74

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
String ID: $$d
API String ID: 2915808112-2066904009
Opcode ID: aaabb9704ee97ed3d88bb120afced9611e84c7ee3aa1941d020b92fe57cbaf77
Instruction ID: c499689f9fa1b304e99f77f7c015d52b7a22264b22564a6ed79451bf6b5d1632
Opcode Fuzzy Hash: aaabb9704ee97ed3d88bb120afced9611e84c7ee3aa1941d020b92fe57cbaf77
Instruction Fuzzy Hash: A6513B71601704AFD724DF69C582B9AB7F4BF48354F10892EE65ADB282EB74A940CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00403158, Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 100stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040312A: GetPrivateProfileStringA.KERNEL32(00000000,?,0044551F,?,?,?), ref: 0040314E

strchr.MSVCRT ref: 0040326D

Strings

LoginName, xrefs: 004031D6
PopServer, xrefs: 004031BA
RealName, xrefs: 004031EC
PopAccount, xrefs: 00403258
1, xrefs: 0040319B
SavePasswordText, xrefs: 0040321D
UsesIMAP, xrefs: 0040317A
ReturnAddress, xrefs: 00403205

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: PrivateProfileStringstrchr
String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
API String ID: 1348940319-1729847305
Opcode ID: 744f29d2d2deae3fb126fd39ba5d775996f393179d4ac578be52819d2814d06a
Instruction ID: ebc3817507c74d0428b70d6b21ed795ce2a60aa758e9561c8f94ff6eeee5590f
Opcode Fuzzy Hash: 744f29d2d2deae3fb126fd39ba5d775996f393179d4ac578be52819d2814d06a
Instruction Fuzzy Hash: 4A318F7090420ABEEF219F60CC45BD9BFACEF14319F10816AF9587A1D2D7B89B948B54

Uniqueness

Uniqueness Score: -1.00%

Function 0041096F, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 60COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041099F
memcpy.MSVCRT ref: 004109C5
memcpy.MSVCRT ref: 004109DD

Strings

°, xrefs: 004109B2
<, xrefs: 00410980
>, xrefs: 0041098C
", xrefs: 00410999
&, xrefs: 004109BF
<br>, xrefs: 004109D7

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: 5f1fb5d69f7b5319dba649b4cfeeb14085fd9f05635fb8ab0532745b2c558304
Instruction ID: 3875996c88d7773ad821c0e973cab4ee718d2e20412430da402bf8ed1fec6725
Opcode Fuzzy Hash: 5f1fb5d69f7b5319dba649b4cfeeb14085fd9f05635fb8ab0532745b2c558304
Instruction Fuzzy Hash: DF01D4F7EE469869FB3100094C23FEB4A8947A7720F360027F98525283A0CD0CD3429F

Uniqueness

Uniqueness Score: -1.00%

Function 0040F2E4, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

Part of subcall function 00406E4C: GetVersionExA.KERNEL32(00451168,0000001A,00410749,00000104), ref: 00406E66

memset.MSVCRT ref: 0040F396
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040F3AD
_strnicmp.MSVCRT ref: 0040F3C7
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040F3F3
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040F413

Strings

WindowsLive:name=*, xrefs: 0040F30B, 0040F342
windowslive:name=, xrefs: 0040F3C1

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$Version_strnicmpmemset
String ID: WindowsLive:name=*$windowslive:name=
API String ID: 945165440-3589380929
Opcode ID: d3537b1fcb66bcdc9fcff810ba9b7ca2134040b22c3a5e9a54c7dacba821f27a
Instruction ID: 060cf85e61608373f285e6b38907096c177b9006a2a87b36be12541c3eea0e32
Opcode Fuzzy Hash: d3537b1fcb66bcdc9fcff810ba9b7ca2134040b22c3a5e9a54c7dacba821f27a
Instruction Fuzzy Hash: 034157B1408345AFD720DF24D88496BBBE8FB95314F004A3EF995A3691D734ED48CB66

Uniqueness

Uniqueness Score: -1.00%

Function 004036D7, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004101D8: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 004101EF
Part of subcall function 004101D8: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 004101FC
Part of subcall function 004101D8: memcpy.MSVCRT ref: 00410238

strchr.MSVCRT ref: 00403711
_mbscpy.MSVCRT ref: 0040373A
_mbscpy.MSVCRT ref: 0040374A
strlen.MSVCRT ref: 0040376A
sprintf.MSVCRT ref: 0040378E
_mbscpy.MSVCRT ref: 004037A4

Strings

%s@gmail.com, xrefs: 00403788

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _mbscpy$FromStringUuid$memcpysprintfstrchrstrlen
String ID: %s@gmail.com
API String ID: 500647785-4097000612
Opcode ID: 09406eb24e79600c9d4883016bab03a37dcb4fc957deefa4a0a4f4140eb3a03a
Instruction ID: 72ede288a24c3b6660e37d3abac1967f853eec84a0165e1bcd054a17ec7f23cd
Opcode Fuzzy Hash: 09406eb24e79600c9d4883016bab03a37dcb4fc957deefa4a0a4f4140eb3a03a
Instruction Fuzzy Hash: 6F21ABF290411C6AEB11DB54DCC5FDAB7BCAB54308F0445AFF609E2181DA789B888B65

Uniqueness

Uniqueness Score: -1.00%

Function 00409213, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409239
GetDlgCtrlID.USER32(?), ref: 00409244
GetWindowTextA.USER32(?,?,00001000), ref: 00409257
memset.MSVCRT ref: 0040927D
GetClassNameA.USER32(?,?,000000FF), ref: 00409290
_strcmpi.MSVCRT ref: 004092A2

Part of subcall function 004090EB: _itoa.MSVCRT ref: 0040910C

Strings

sysdatetimepick32, xrefs: 0040929C

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
String ID: sysdatetimepick32
API String ID: 3411445237-4169760276
Opcode ID: 0148a07d43ffd720cfa84905c97652f9f91ed7e1207943edf04fbd1bb2dbc290
Instruction ID: a0e2247af9db09d92512eaab276e72a1f93a19cb85935bad7b90667d70954a25
Opcode Fuzzy Hash: 0148a07d43ffd720cfa84905c97652f9f91ed7e1207943edf04fbd1bb2dbc290
Instruction Fuzzy Hash: 32110A728050187FEB119754DC41EEB77ACEF55301F0000FBFA04E2142EAB48E848B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040BE9E, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54fileclipboardCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 0040BEB8
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040BECA
GetTempFileNameA.KERNEL32(?,00446634,00000000,?), ref: 0040BEEC
OpenClipboard.USER32(?), ref: 0040BF0C
GetLastError.KERNEL32 ref: 0040BF25
DeleteFileA.KERNEL32(00000000), ref: 0040BF42

Strings

t, xrefs: 0040BF25

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
String ID: t
API String ID: 2014771361-2238339752
Opcode ID: f1e64fb6be10128bbee6f3e595a742589036f7cac5447e39c680a47d04657e65
Instruction ID: 907fbb9bc954c15d9eb0ad6f98a85717611d4d669dd49ad048df0fde8b6b2f4b
Opcode Fuzzy Hash: f1e64fb6be10128bbee6f3e595a742589036f7cac5447e39c680a47d04657e65
Instruction Fuzzy Hash: 5B11A1B6900218ABDF20AB61DC49FDB77BCAB11701F0000B6B685E2092DBB499C48F68

Uniqueness

Uniqueness Score: -1.00%

Function 00405972, Relevance: 12.2, APIs: 8, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00405A1A
GetDlgItem.USER32(?,000003E9), ref: 00405A2D
GetDlgItem.USER32(?,000003E9), ref: 00405A42
GetDlgItem.USER32(?,000003E9), ref: 00405A5A
EndDialog.USER32(?,00000002), ref: 00405A76
EndDialog.USER32(?,00000001), ref: 00405A89

Part of subcall function 00405723: GetDlgItem.USER32(?,000003E9), ref: 00405731
Part of subcall function 00405723: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405746
Part of subcall function 00405723: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405762

SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AA1
SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BAD

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Item$DialogMessageSend
String ID:
API String ID: 2485852401-0
Opcode ID: 6705b758d8a8385fcf126e2abef302c8a68af69db22d8c06dbb4b6141a6eddaf
Instruction ID: 8242765b3035aad42ded22ad072fa167e05c4db834e8c53cb5a522b966aec9bd
Opcode Fuzzy Hash: 6705b758d8a8385fcf126e2abef302c8a68af69db22d8c06dbb4b6141a6eddaf
Instruction Fuzzy Hash: DC619E70200A05AFDB21AF25C8C6A2BB7A5FF44724F00C23AF955A76D1E778A950CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040B0EB, Relevance: 12.1, APIs: 8, Instructions: 108windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B138
SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B16D
LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B1A2
LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B1BE
GetSysColor.USER32(0000000F), ref: 0040B1CE
DeleteObject.GDI32(?), ref: 0040B202
DeleteObject.GDI32(00000000), ref: 0040B205
SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B223

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: MessageSend$DeleteImageLoadObject$Color
String ID:
API String ID: 3642520215-0
Opcode ID: 3b8b596084a258e6a3d6c587c6e164043eee07433b393cce24ea64cb7095e9ca
Instruction ID: 035281c2cfb68a6c78eb86e81ad7e7fbca9e62364f8fd823d381b3cb5a7ebbdd
Opcode Fuzzy Hash: 3b8b596084a258e6a3d6c587c6e164043eee07433b393cce24ea64cb7095e9ca
Instruction Fuzzy Hash: B7318175280708BFFA316B709C47FD6B795EB48B01F104829F3856A1E2CAF278909B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040690E, Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 85stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406930
strlen.MSVCRT ref: 0040693B
strlen.MSVCRT ref: 0040699D
strlen.MSVCRT ref: 004069AB
strlen.MSVCRT ref: 00406949

Part of subcall function 00406E81: _mbscpy.MSVCRT ref: 00406E89
Part of subcall function 00406E81: _mbscat.MSVCRT ref: 00406E98

Strings

key3.db, xrefs: 004069A3, 004069A8, 004069B9
C@, xrefs: 00406938
key4.db, xrefs: 00406941, 00406946, 00406957

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: strlen$_mbscat_mbscpymemset
String ID: C@$key3.db$key4.db
API String ID: 581844971-2841947474
Opcode ID: e5494ad0edafd44481aca6acbbe86219ad8b07e707f9afed040af0c0a0aebaa6
Instruction ID: 276f595f6d9fb14d306b90d89522efda4e53a8973e3769554d2ee0aec37c6aae
Opcode Fuzzy Hash: e5494ad0edafd44481aca6acbbe86219ad8b07e707f9afed040af0c0a0aebaa6
Instruction Fuzzy Hash: 5D21F9729041196ADF10AA66DC41FCE77ACDF11319F1100BBF40DF6091EE38DA958668

Uniqueness

Uniqueness Score: -1.00%

Function 0040B86F, Relevance: 12.1, APIs: 8, Instructions: 76COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0040B88E
GetWindowRect.USER32(?,?), ref: 0040B8A4
GetWindowRect.USER32(?,?), ref: 0040B8B7
BeginDeferWindowPos.USER32(00000003), ref: 0040B8D4
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040B8F1
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040B911
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040B938
EndDeferWindowPos.USER32(?), ref: 0040B941

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Window$Defer$Rect$BeginClient
String ID:
API String ID: 2126104762-0
Opcode ID: f6309ff644c12743b91cf70e9e807ca9d204e09485dec5c7f95147756245f13c
Instruction ID: cf9ea3ecf4623016fd9dc3f5f3f1318dd3ce101ba80f5eccba740e206150479f
Opcode Fuzzy Hash: f6309ff644c12743b91cf70e9e807ca9d204e09485dec5c7f95147756245f13c
Instruction Fuzzy Hash: F221C276A00609FFDF118FA8DD89FEEBBB9FB08700F104065FA55A2160C7716A519F24

Uniqueness

Uniqueness Score: -1.00%

Function 00406C3D, Relevance: 12.0, APIs: 8, Instructions: 42clipboardmemorystringCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00406C45
strlen.MSVCRT ref: 00406C52
GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040C0BB,?), ref: 00406C61
GlobalFix.KERNEL32(00000000), ref: 00406C6E
memcpy.MSVCRT ref: 00406C77
GlobalUnWire.KERNEL32(00000000), ref: 00406C80
SetClipboardData.USER32(00000001,00000000), ref: 00406C89
CloseClipboard.USER32 ref: 00406C99

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpystrlen
String ID:
API String ID: 2315226746-0
Opcode ID: ee3e5d8b8b8103545cd3f6b58303d98c31de17f75192de6e2f85eb2c234adac6
Instruction ID: 8edcd2d2b4f986e571765b3eebb92d88a59871b3330cf63fe52768e208e874e1
Opcode Fuzzy Hash: ee3e5d8b8b8103545cd3f6b58303d98c31de17f75192de6e2f85eb2c234adac6
Instruction Fuzzy Hash: 23F0E93B5047186BD7102FA1BC4CE6BBB2CDB86F96B050039FA0AD6253DE755C0447B9

Uniqueness

Uniqueness Score: -1.00%

Function 004258DC, Relevance: 10.9, APIs: 2, Strings: 5, Instructions: 438COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00425AA4
memcpy.MSVCRT ref: 00425D08

Strings

out of memory, xrefs: 00425E19
string or blob too big, xrefs: 00425229
abort due to ROLLBACK, xrefs: 00427E1B
statement aborts at %d: [%s] %s, xrefs: 0042525A
unknown error, xrefs: 00426E65

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpymemset
String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
API String ID: 1297977491-3883738016
Opcode ID: ec180b53c73d386f260fbd60f4e29b72e3bb9c2a6b5e225ae3417af3491c72e6
Instruction ID: fc76bc8343265493366407fdb1c4d707e5d8df4650a3499163c8513785776b89
Opcode Fuzzy Hash: ec180b53c73d386f260fbd60f4e29b72e3bb9c2a6b5e225ae3417af3491c72e6
Instruction Fuzzy Hash: 64128B71A04629DFDB14CF69E481AADBBB1FF08314F54419AE805AB341D738B982CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00411C4E, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00411DA7
__aullrem.LIBCMT ref: 00411DBD
__aulldvrm.LIBCMT ref: 00411E12

Strings

0123456789ABCDEF0123456789abcdef, xrefs: 00411DF3
-, xrefs: 00411CB9
-x0, xrefs: 00411E81

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: __aulldvrm$__aullrem
String ID: -$-x0$0123456789ABCDEF0123456789abcdef
API String ID: 643879872-978417875
Opcode ID: 73e90253892cd7d40fca50a1c2c0480d43455e5e9d4f7039f07d8d475e9bdb23
Instruction ID: 6ef1093ec9221891fb8685c47ab9d8627f9f8a7ffe3427591e5c2e9f96174410
Opcode Fuzzy Hash: 73e90253892cd7d40fca50a1c2c0480d43455e5e9d4f7039f07d8d475e9bdb23
Instruction Fuzzy Hash: A5617C316083819FD7118F2885407ABBBE1AFC6704F18495FFAC497362D379D9898B8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7EA, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D80B
memset.MSVCRT ref: 0040D81F
memset.MSVCRT ref: 0040D833

Part of subcall function 004075CB: strlen.MSVCRT ref: 004075DD
Part of subcall function 004075CB: strlen.MSVCRT ref: 004075E5
Part of subcall function 004075CB: _memicmp.MSVCRT ref: 00407603

memcpy.MSVCRT ref: 0040D900
memcpy.MSVCRT ref: 0040D943
memcpy.MSVCRT ref: 0040D960

Strings

user_pref(", xrefs: 0040D869

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpymemset$strlen$_memicmp
String ID: user_pref("
API String ID: 765841271-2487180061
Opcode ID: 7a1adde69f0e08c2e228f59276f9fb0b6105cf7cc96dfcb17d977d75f3f89509
Instruction ID: 5a65487526c3994ab00424e18f338503154a615df115d4cfef8f26f9df640fc7
Opcode Fuzzy Hash: 7a1adde69f0e08c2e228f59276f9fb0b6105cf7cc96dfcb17d977d75f3f89509
Instruction Fuzzy Hash: 7F419AB6904118AEDB10DB95DC81FDA77AC9F44314F1042FBE605F7181EA38AF498FA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A596, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB

_mbscat.MSVCRT ref: 0040A65B
sprintf.MSVCRT ref: 0040A67D

Strings

<tr>, xrefs: 0040A5BB
 , xrefs: 0040A655
<td bgcolor=#%s>%s, xrefs: 0040A5AD
<td bgcolor=#%s nowrap>%s, xrefs: 0040A5A1

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: FileWrite_mbscatsprintfstrlen
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 1631269929-4153097237
Opcode ID: 0a1c5f3df8c0410e4819bffe23f535fd28423f127cd07168cb4d0992b4b9d367
Instruction ID: 832b2c653fc05485a7f242a7eb3c8d8175a8ee497f4c95e58b3f18e695e9ea43
Opcode Fuzzy Hash: 0a1c5f3df8c0410e4819bffe23f535fd28423f127cd07168cb4d0992b4b9d367
Instruction Fuzzy Hash: AE31AE31900218AFDF15DF94C8869DE7BB5FF45320F10416AFD11BB292DB76AA51CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00408B27, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100stringCOMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT ref: 00408BA2

Part of subcall function 00408FB1: _itoa.MSVCRT ref: 00408FD2

strlen.MSVCRT ref: 00408BC0
LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
memcpy.MSVCRT ref: 00408C2F

Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408ACD
Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408AEB
Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408B09
Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408B19

Strings

strings, xrefs: 00408B98
<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408B3B

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$strings
API String ID: 4036804644-4125592482
Opcode ID: 2ef5bdd7b6553c1411f0866e16a237609f5efe4191e7d453619a5ad3a1a82c98
Instruction ID: 2fb35d0cb8d6515d264437a76ba5de351b7eb647a908b3ccb3b2e5853623431c
Opcode Fuzzy Hash: 2ef5bdd7b6553c1411f0866e16a237609f5efe4191e7d453619a5ad3a1a82c98
Instruction Fuzzy Hash: 9F3136B95003019FEB149B18EE40E323776EB59346B14443EF845A72B3DB39E815CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 00407E63, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407E84

Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B

Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5

Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00408018,?,000000FD,00000000,00000000,?,00000000,00408018,?,?,?,?,00000000), ref: 00407F1F
LocalFree.KERNEL32(?,?,?,?,?,00000000,75D6ED80,?), ref: 00407F2F

Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D

Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE

Strings

POP3_name, xrefs: 00407F3C
POP3_credentials, xrefs: 00407E94
POP3_host, xrefs: 00407F57

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
String ID: POP3_credentials$POP3_host$POP3_name
API String ID: 524865279-2190619648
Opcode ID: bb8a79189eebe21ea9a309b84d13f13660712c6c97ce44d04bc2eb4e66ed4208
Instruction ID: 2c282e6ff88bd57be97cdb9cd65414afbc0c2375aa853475002addcb7488d922
Opcode Fuzzy Hash: bb8a79189eebe21ea9a309b84d13f13660712c6c97ce44d04bc2eb4e66ed4208
Instruction Fuzzy Hash: 75316075A4025DAFDB11EB69CC81AEEBBBCEF45314F0080B6FA04A3141D6789F498F65

Uniqueness

Uniqueness Score: -1.00%

Function 00409123, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77windowstringCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 00409138
memset.MSVCRT ref: 00409159
GetMenuItemInfoA.USER32 ref: 00409194
strchr.MSVCRT ref: 004091AB

Strings

6, xrefs: 0040917C
0, xrefs: 00409174

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ItemMenu$CountInfomemsetstrchr
String ID: 0$6
API String ID: 2300387033-3849865405
Opcode ID: 99e79691bf6533de20a974ac65a5fcf95ef7575eddab1868be2d8be4df739519
Instruction ID: 102fedc8b068d714547c44678b24ea6bae60c59159463c21af6927f9d555436f
Opcode Fuzzy Hash: 99e79691bf6533de20a974ac65a5fcf95ef7575eddab1868be2d8be4df739519
Instruction Fuzzy Hash: B8210F71108380AFE7108F61D889A5FB7E8FB85344F04093FF684A6282E779DD048B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00407446, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 62stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407466
sprintf.MSVCRT ref: 00407493
strlen.MSVCRT ref: 0040749F
memcpy.MSVCRT ref: 004074B4
strlen.MSVCRT ref: 004074C2
memcpy.MSVCRT ref: 004074D2

Strings

%s (%s), xrefs: 0040748D

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpystrlen$memsetsprintf
String ID: %s (%s)
API String ID: 3756086014-1363028141
Opcode ID: 4357e9335d32c2bf08e92843452a3ff925627b6c59b5d6ec26037838f45d6104
Instruction ID: 49fd0969a141bf365c85b2e85b726abfc67c7a4f8a3ab277a670c68284d415ec
Opcode Fuzzy Hash: 4357e9335d32c2bf08e92843452a3ff925627b6c59b5d6ec26037838f45d6104
Instruction Fuzzy Hash: 9A1193B1800118AFEB21DF59CD45F99B7ACEF41308F008466FA48EB106D275AB15CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00443683, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1

GetFileSize.KERNEL32(00000000,00000000,?,00000000,.8D,00443752,?,?,*.oeaccount,.8D,?,00000104), ref: 0044369D
??2@YAPAXI@Z.MSVCRT ref: 004436AF
SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004436BE

Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306

Part of subcall function 00443546: wcslen.MSVCRT ref: 00443559
Part of subcall function 00443546: ??2@YAPAXI@Z.MSVCRT ref: 00443562
Part of subcall function 00443546: WideCharToMultiByte.KERNEL32(00000000,00000000,004436E8,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004436E8,?,00000000), ref: 0044357B
Part of subcall function 00443546: strlen.MSVCRT ref: 004435BE
Part of subcall function 00443546: memcpy.MSVCRT ref: 004435D8
Part of subcall function 00443546: ??3@YAXPAX@Z.MSVCRT ref: 0044366B

??3@YAXPAX@Z.MSVCRT ref: 004436E9
CloseHandle.KERNEL32(?), ref: 004436F3

Strings

.8D, xrefs: 00443683

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
String ID: .8D
API String ID: 1886237854-2881260426
Opcode ID: e9accfc59e3ea295214b65d31af1a641a7a6f9c6ce4573a7963a3bdc594cfe72
Instruction ID: b4a99ca98ea4b9fd05b978b53b3f03ecc28babd8507da3569ede40c7aa85cfb3
Opcode Fuzzy Hash: e9accfc59e3ea295214b65d31af1a641a7a6f9c6ce4573a7963a3bdc594cfe72
Instruction Fuzzy Hash: 42012432804248BFEB206F75EC4ED9FBB6CEF46364B10812BF81487261DA358D14CA28

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6EF, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B70C

Part of subcall function 00406A00: LoadCursorA.USER32(00000000,00007F02), ref: 00406A07
Part of subcall function 00406A00: SetCursor.USER32(00000000), ref: 00406A0E

SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B72F

Part of subcall function 0040B65E: sprintf.MSVCRT ref: 0040B684
Part of subcall function 0040B65E: sprintf.MSVCRT ref: 0040B6AE
Part of subcall function 0040B65E: _mbscat.MSVCRT ref: 0040B6C1
Part of subcall function 0040B65E: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B6E7

SetCursor.USER32(?,?,0040C8F2), ref: 0040B754
SetFocus.USER32(?,?,?,0040C8F2), ref: 0040B766
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040B77D

Strings

u, xrefs: 0040B766

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
String ID: u
API String ID: 2374668499-4067256894
Opcode ID: 53ade561a914af880d1e6a05375d4a59a2fac5c4dfd76dfdfba0808ab67976fb
Instruction ID: 612281c0e7bcc4a6d3b4da52a7b96f70e992a4283d6ab6b50bd9db3d0aad170a
Opcode Fuzzy Hash: 53ade561a914af880d1e6a05375d4a59a2fac5c4dfd76dfdfba0808ab67976fb
Instruction Fuzzy Hash: 120129B5200A00EFD726AB75CC85FA6B7E9FF48315F0604B9F1199B272CA726D018F14

Uniqueness

Uniqueness Score: -1.00%

Function 00406B15, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 29windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00406B25
sprintf.MSVCRT ref: 00406B4D
MessageBoxA.USER32(?,?,Error,00000030), ref: 00406B66

Strings

Error, xrefs: 00406B57
Error %d: %s, xrefs: 00406B47
t, xrefs: 00406B25

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ErrorLastMessagesprintf
String ID: Error$Error %d: %s$t
API String ID: 1670431679-2538549913
Opcode ID: 69570e8fca1396db75b798702dd88894c728b3c47429f38a677bbfbefaa49fd2
Instruction ID: c7de35334a9b91ea45d990eb2cc533a67ee34048a8af2c328f2cc0c5e5106846
Opcode Fuzzy Hash: 69570e8fca1396db75b798702dd88894c728b3c47429f38a677bbfbefaa49fd2
Instruction Fuzzy Hash: BBF0ECBA90010877DB11BB54DC05F9A77FCBB81304F1500B6FA45F2142EE74DA058F99

Uniqueness

Uniqueness Score: -1.00%

Function 00425FE6, Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 281COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042603C

Strings

abort due to ROLLBACK, xrefs: 00427E1B
cannot open savepoint - SQL statements in progress, xrefs: 00426002
unknown error, xrefs: 00426E65
cannot release savepoint - SQL statements in progress, xrefs: 004260EE
no such savepoint: %s, xrefs: 004260D0

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
API String ID: 3510742995-3035234601
Opcode ID: f891372fe87baf48bda125dec3b2232890a750ac063dfed77912f4c4cabfec4f
Instruction ID: 1b592f7810eb55fdfd9c77514c161e0aeb834189807bd0e5c0ad66af0c508e0f
Opcode Fuzzy Hash: f891372fe87baf48bda125dec3b2232890a750ac063dfed77912f4c4cabfec4f
Instruction Fuzzy Hash: 4CC15B70A04625DFDB18CFA9E485BA9BBB1FF08304F5540AFE405A7392D738A851CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0042AF9D, Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 276COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0042B023

Strings

GROUP, xrefs: 0042B23F
aggregate functions are not allowed in the GROUP BY clause, xrefs: 0042B2DA
H, xrefs: 0042B121
ORDER, xrefs: 0042B20F
a GROUP BY clause is required before HAVING, xrefs: 0042B2C6

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset
String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
API String ID: 2221118986-3608744896
Opcode ID: 25f6d7551ca5451081e928a756deb932952f8e5ad15a22f33089aef5e0cd9e28
Instruction ID: 61df25c06be2fd61ed6862701848550dc8e0fb41ea407877f6cf168bc1a83922
Opcode Fuzzy Hash: 25f6d7551ca5451081e928a756deb932952f8e5ad15a22f33089aef5e0cd9e28
Instruction Fuzzy Hash: B5B16671208311DFD720CF29E580A2BB7E5FF98314F91485EF88587692E738E841CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00441E91, Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 259COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00441F4B

Part of subcall function 00441A6C: memcmp.MSVCRT ref: 00441AB5

Strings

NOCASE, xrefs: 00441FD6
main, xrefs: 004420EC
RTRIM, xrefs: 00441FEA
temp, xrefs: 004420FC
BINARY, xrefs: 00441F9D, 00441FA2, 00441FB2, 00441FC2, 00442008

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcmpmemcpy
String ID: BINARY$NOCASE$RTRIM$main$temp
API String ID: 1784268899-4153596280
Opcode ID: 6b6b8ae9c0e91365de8150e640e5bb5f4ec7e5282d2e56bc441d5ca3420a582e
Instruction ID: db602eaa8e833254b0c0c9be43f42c24c685b457dfa8f14c56b0ec28138b2128
Opcode Fuzzy Hash: 6b6b8ae9c0e91365de8150e640e5bb5f4ec7e5282d2e56bc441d5ca3420a582e
Instruction Fuzzy Hash: 5091E2B1900700AFE730AF25C981A9EBBE5AB44304F14492FF14697392C7B9A985CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040FB27, Relevance: 9.1, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040F7DE,00000000,00000000), ref: 0040FB5E
memset.MSVCRT ref: 0040FBBB
memset.MSVCRT ref: 0040FBCD

Part of subcall function 0040FA44: _mbscpy.MSVCRT ref: 0040FA6A

memset.MSVCRT ref: 0040FCB4
_mbscpy.MSVCRT ref: 0040FCD9
CloseHandle.KERNEL32(00000000,0040F7DE,?), ref: 0040FD23

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset$_mbscpy$CloseHandleOpenProcess
String ID:
API String ID: 3974772901-0
Opcode ID: 4ad987a4bc41c02407afd48bd51c39f8f43132cb09b5aa7545cf57ad8340978a
Instruction ID: 4cd0dab2c11de29b1205cc267bdcfe4bbed2ca853fb67bca61950d18440e6937
Opcode Fuzzy Hash: 4ad987a4bc41c02407afd48bd51c39f8f43132cb09b5aa7545cf57ad8340978a
Instruction Fuzzy Hash: 79511EB590021CABDB60DF95DD85ADEBBB8FF44305F1000BAE609A2281D7759E84CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00443546, Relevance: 9.1, APIs: 6, Instructions: 96stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00443559
??2@YAPAXI@Z.MSVCRT ref: 00443562
WideCharToMultiByte.KERNEL32(00000000,00000000,004436E8,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004436E8,?,00000000), ref: 0044357B

Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 0044288D
Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428AB
Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428C6
Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428EF
Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 00442913

strlen.MSVCRT ref: 004435BE

Part of subcall function 004429E9: ??3@YAXPAX@Z.MSVCRT ref: 004429F4
Part of subcall function 004429E9: ??2@YAPAXI@Z.MSVCRT ref: 00442A03

memcpy.MSVCRT ref: 004435D8
??3@YAXPAX@Z.MSVCRT ref: 0044366B

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
String ID:
API String ID: 577244452-0
Opcode ID: 4370cab8d1ed043324ede4dc3b9a4d06d61cdd8212607e5f6e8765e25bb93f57
Instruction ID: ed198900897cbedb477538fc3de06edee324e7a25cf08c3aedaf46951cf6a217
Opcode Fuzzy Hash: 4370cab8d1ed043324ede4dc3b9a4d06d61cdd8212607e5f6e8765e25bb93f57
Instruction Fuzzy Hash: 14318672804219AFEF21EF65C8819DEBBB5EF45314F5480AAF108A3200CB396F84DF49

Uniqueness

Uniqueness Score: -1.00%

Function 00404469, Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE

_strcmpi.MSVCRT ref: 004044FA
_strcmpi.MSVCRT ref: 00404518

Strings

imap, xrefs: 00404512
smtp, xrefs: 0040452F
pop3, xrefs: 004044F4

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _strcmpi$memcpystrlen
String ID: imap$pop3$smtp
API String ID: 2025310588-821077329
Opcode ID: 4172489bfdd0b02c38134a290eb16c247b5a863f83d9230e12e3431aa9a1b902
Instruction ID: ee17be80c36da3591ff53c386c7625c128025028662cc5e87d89578f4f8b6d75
Opcode Fuzzy Hash: 4172489bfdd0b02c38134a290eb16c247b5a863f83d9230e12e3431aa9a1b902
Instruction Fuzzy Hash: C42196B25046189BEB51DB15CD417DAB3FCEF90304F10006BE79AB7181DB787B498B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD68, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 72COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BD88

Part of subcall function 00408B27: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F

Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0

Part of subcall function 00407446: memset.MSVCRT ref: 00407466
Part of subcall function 00407446: sprintf.MSVCRT ref: 00407493
Part of subcall function 00407446: strlen.MSVCRT ref: 0040749F
Part of subcall function 00407446: memcpy.MSVCRT ref: 004074B4
Part of subcall function 00407446: strlen.MSVCRT ref: 004074C2
Part of subcall function 00407446: memcpy.MSVCRT ref: 004074D2

Part of subcall function 00407279: _mbscpy.MSVCRT ref: 004072DF

Strings

txt, xrefs: 0040BE38, 0040BE3B
*.csv, xrefs: 0040BE03
*.xml, xrefs: 0040BDF7
*.htm;*.html, xrefs: 0040BDCE
*.txt, xrefs: 0040BDA1

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
API String ID: 2726666094-3614832568
Opcode ID: dc175560a6198b9798b44ce5f971e01ac777fcc381b56c1877e1d198c2103063
Instruction ID: 9cc38d581f61d2a6594629c27ef9ad5a8c62d4d42b688fbaa09f609bba3e4d8d
Opcode Fuzzy Hash: dc175560a6198b9798b44ce5f971e01ac777fcc381b56c1877e1d198c2103063
Instruction Fuzzy Hash: 0121FBB1C002599ADB40EFA5D981BDDBBB4AB08308F10517EF548B6281DB382A45CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00403A53, Relevance: 9.1, APIs: 6, Instructions: 56filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403A78
memset.MSVCRT ref: 00403A91
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AA8
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AC7
strlen.MSVCRT ref: 00403AD9
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AEA

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWidememset$FileWritestrlen
String ID:
API String ID: 1786725549-0
Opcode ID: e58b70ba74cd0776df0cd714b6ebe3d4fb4c03e2cd7b5e97725e455eaa9c95ba
Instruction ID: 3c11530c7ff43e2cab0ee1a3c4b7d34204fc8064c5823527b9b114d7af9e1f20
Opcode Fuzzy Hash: e58b70ba74cd0776df0cd714b6ebe3d4fb4c03e2cd7b5e97725e455eaa9c95ba
Instruction Fuzzy Hash: 50112DBA80412CBFFB10AB94DC85EEBB3ADEF09355F0001A6B715D2092D6359F548B78

Uniqueness

Uniqueness Score: -1.00%

Function 00406113, Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00406129

Part of subcall function 00406057: memcmp.MSVCRT ref: 00406075
Part of subcall function 00406057: memcpy.MSVCRT ref: 004060A4
Part of subcall function 00406057: memcpy.MSVCRT ref: 004060B9

memcmp.MSVCRT ref: 00406154
memcmp.MSVCRT ref: 0040617C
memcpy.MSVCRT ref: 00406199

Strings

global-salt, xrefs: 00406174
password-check, xrefs: 0040614C

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcmp$memcpy
String ID: global-salt$password-check
API String ID: 231171946-3927197501
Opcode ID: e64782263ff5605526e0fe757cea6ed3191f710ccf3b0afa5e67e353afe61262
Instruction ID: 655c6eb068c7835b63414ef3c9938ae25085d91347c247b77763f6b5778615a8
Opcode Fuzzy Hash: e64782263ff5605526e0fe757cea6ed3191f710ccf3b0afa5e67e353afe61262
Instruction Fuzzy Hash: E301D8B954070466FF202A628C42B8B37585F51758F024137FD067D2D3E37E87748A4E

Uniqueness

Uniqueness Score: -1.00%

Function 00442960, Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0044296E
??3@YAXPAX@Z.MSVCRT ref: 00442989
??3@YAXPAX@Z.MSVCRT ref: 0044299F
??3@YAXPAX@Z.MSVCRT ref: 004429B5
??3@YAXPAX@Z.MSVCRT ref: 004429CB
??3@YAXPAX@Z.MSVCRT ref: 004429E1

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 61b661c510ad4b0743117b2440ebaa6c68aec67bf7d0c3759525eee1844cf9ab
Instruction ID: 5b630ca211e00ee6ab232d4f5fe81ba50f7f923f282134244f429d4b925a3085
Opcode Fuzzy Hash: 61b661c510ad4b0743117b2440ebaa6c68aec67bf7d0c3759525eee1844cf9ab
Instruction Fuzzy Hash: 7501A272E0AD31A7E1257A76554135BE3686F04B29F05024FB904772428B6C7C5445DE

Uniqueness

Uniqueness Score: -1.00%

Function 00401693, Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004016A2
GetSystemMetrics.USER32(00000015), ref: 004016B0
GetSystemMetrics.USER32(00000014), ref: 004016BC
BeginPaint.USER32(?,?), ref: 004016D6
DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E5
EndPaint.USER32(?,?), ref: 004016F2

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
String ID:
API String ID: 19018683-0
Opcode ID: d93d450dc478f7866c229f4a037813e0caab4cabbf567c971482d52d831a5164
Instruction ID: 724a62348f30ed3062fc78c586e299175c66965872e24402369681ac2eeab922
Opcode Fuzzy Hash: d93d450dc478f7866c229f4a037813e0caab4cabbf567c971482d52d831a5164
Instruction Fuzzy Hash: 0701FB76900619AFDF04DFA8DC499FE7BBDFB45301F00046AEA11AB295DAB1A914CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0040C319, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(?,?,?), ref: 0040C3F8
InvalidateRect.USER32(?,00000000,00000000), ref: 0040C4F5

Strings

rY@, xrefs: 0040C51E
XgD, xrefs: 0040C3FE
u, xrefs: 0040C3F8

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: FocusInvalidateRect
String ID: XgD$rY@$u
API String ID: 2103766487-1306415738
Opcode ID: 0547b1f3527a77a0dd6e05b9ba2639b12fbf26f65146718a21d2de361d27d990
Instruction ID: f774ea8d8eb1800fd2ad86f321479c1d669f6cdc6fcff53b53818c93aeeaee42
Opcode Fuzzy Hash: 0547b1f3527a77a0dd6e05b9ba2639b12fbf26f65146718a21d2de361d27d990
Instruction Fuzzy Hash: 6F518630A04701DBCB34BB658885D9AB3E0BF51724F44C63FF4656B2E2C779A9818B8D

Uniqueness

Uniqueness Score: -1.00%

Function 004062D9, Relevance: 8.9, APIs: 7, Instructions: 157COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406376
memcpy.MSVCRT ref: 00406389
memcpy.MSVCRT ref: 0040639C

Part of subcall function 00404883: memset.MSVCRT ref: 004048BD
Part of subcall function 00404883: memset.MSVCRT ref: 004048D1
Part of subcall function 00404883: memset.MSVCRT ref: 004048E5
Part of subcall function 00404883: memcpy.MSVCRT ref: 004048F7
Part of subcall function 00404883: memcpy.MSVCRT ref: 00404909

memcpy.MSVCRT ref: 004063E0
memcpy.MSVCRT ref: 004063F3
memcpy.MSVCRT ref: 00406420
memcpy.MSVCRT ref: 00406435

Part of subcall function 0040625B: memcpy.MSVCRT ref: 00406287

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: c11b14cc7bfefcbecd474d69538c451392e9e517f6ba4719ba6800d6460efb6e
Instruction ID: a962c966a65fcbb98db0a5903e2df7d2d9caef1a51b72161af640e80cc8fe1a9
Opcode Fuzzy Hash: c11b14cc7bfefcbecd474d69538c451392e9e517f6ba4719ba6800d6460efb6e
Instruction Fuzzy Hash: 744140B290050DBEEB51DAE8CC41EEFBB7CAB4C704F004476F704F6051E635AA598BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00443E22, Relevance: 8.9, APIs: 7, Instructions: 147stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00443E43
memset.MSVCRT ref: 00443E5C
memset.MSVCRT ref: 00443E70

Part of subcall function 00443946: strlen.MSVCRT ref: 00443953

strlen.MSVCRT ref: 00443E8C
memcpy.MSVCRT ref: 00443EB1
memcpy.MSVCRT ref: 00443EC7

Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CFB8

Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFE4
Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFFA
Part of subcall function 0040CFC5: memcpy.MSVCRT ref: 0040D031
Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D03B

memcpy.MSVCRT ref: 00443F07

Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF6A
Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF94

Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D00C

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpymemset$strlen
String ID:
API String ID: 2142929671-0
Opcode ID: 1fb1ec72e13faa5c4450662030dd608fc909945337c7cb58045cb7f4428127cf
Instruction ID: 7aa756fa7cbdb75c5c05895f31091f080fe59031f56f6a961c38bdf577465876
Opcode Fuzzy Hash: 1fb1ec72e13faa5c4450662030dd608fc909945337c7cb58045cb7f4428127cf
Instruction Fuzzy Hash: 5D513BB290011EAADB10EF55CC81AEEB3B9BF44218F5445BAE509E7141EB34AB49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040F057, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5

Part of subcall function 004045D6: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
Part of subcall function 004045D6: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C

Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F123
strlen.MSVCRT ref: 0040F133
_mbscpy.MSVCRT ref: 0040F144
LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F151

Strings

Passport.Net\*, xrefs: 0040F099

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
String ID: Passport.Net\*
API String ID: 2329438634-3671122194
Opcode ID: c0e35485f09b5a24e447f0910c227e843a67b38e8fc9a121e48f37b6dcdb3ffc
Instruction ID: b181dd8ad3303716fcb3fe51c6d72bcd9c0cca2a33dd7682b011125bf867cc1e
Opcode Fuzzy Hash: c0e35485f09b5a24e447f0910c227e843a67b38e8fc9a121e48f37b6dcdb3ffc
Instruction Fuzzy Hash: B5316D76900109EBDB20EF96DD45EAEB7B9EF85701F0000BAE604E7291D7389A05CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004032A9, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00403158: strchr.MSVCRT ref: 0040326D

memset.MSVCRT ref: 004032FD
GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403317
strchr.MSVCRT ref: 0040334C

Part of subcall function 004023D7: _mbsicmp.MSVCRT ref: 0040240F

strlen.MSVCRT ref: 0040338E

Part of subcall function 004023D7: _mbscmp.MSVCRT ref: 004023EB

Strings

Personalities, xrefs: 00403312

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
String ID: Personalities
API String ID: 2103853322-4287407858
Opcode ID: 4d90838e2d1a2817d3f702c1c820bc4a99c4f205016c2976f5c78779a4109539
Instruction ID: 94df084552130989d7eb446100fdb0be3a34b05fea2c71b6ffce82199638926a
Opcode Fuzzy Hash: 4d90838e2d1a2817d3f702c1c820bc4a99c4f205016c2976f5c78779a4109539
Instruction Fuzzy Hash: 5921BA71B04158AADB11EF65DC81ADDBB6C9F10309F1400BBFA44F7281DA78DB46866D

Uniqueness

Uniqueness Score: -1.00%

Function 004101D8, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 004101EF
UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 004101FC
memcpy.MSVCRT ref: 00410238

Strings

00000000-0000-0000-0000-000000000000, xrefs: 004101F7
5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 004101EA

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: FromStringUuid$memcpy
String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
API String ID: 2859077140-3316789007
Opcode ID: 47d2852bcb6be23f486a4ed132040bb4fca7e7f7f1bca8e0f8c40ade59038cba
Instruction ID: ae29383cbd57fcea5ed56c9c200a46c16443c4e74b3f506479b718b79cf0bdd8
Opcode Fuzzy Hash: 47d2852bcb6be23f486a4ed132040bb4fca7e7f7f1bca8e0f8c40ade59038cba
Instruction Fuzzy Hash: 1801C43790001CBADF019B94CC40EEB7BACEF4A354F004023FD55D6141E678EA8487A5

Uniqueness

Uniqueness Score: -1.00%

Function 00443A35, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 51registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00443A57

Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424

Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00443AC3

Strings

Yahoo! User ID, xrefs: 00443A7B
EOptions string, xrefs: 00443A96
Software\Yahoo\Pager, xrefs: 00443A60

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValuememset
String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
API String ID: 1830152886-1703613266
Opcode ID: 650c04e09b991093e9736741da7e0d3a8797bac6cd011315facee49111a37a9d
Instruction ID: 86b235c3fd45d03c271013e996efd952a38f3d6ae4618920ee3f021b32bc4f63
Opcode Fuzzy Hash: 650c04e09b991093e9736741da7e0d3a8797bac6cd011315facee49111a37a9d
Instruction Fuzzy Hash: 500192B6900118BBEB10AA55CD01FAE7A6C9F90715F140076FF08F2212E379DF5587A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040BFC7, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 43windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BFE7
SetFocus.USER32(?,?), ref: 0040C06F

Part of subcall function 0040BFB1: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040BFC0

Strings

l, xrefs: 0040C017
+_@, xrefs: 0040BFDD
u, xrefs: 0040C06F

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: FocusMessagePostmemset
String ID: +_@$l$u
API String ID: 3436799508-1256668747
Opcode ID: 5d19dabe06c04104d03c805a20db61bb7ad0843c3c7d2444441ab514d0ecd962
Instruction ID: dfa99e5f235914639cafa3f1faff2c73f9381d0964b1719e4b49f1177e3774cc
Opcode Fuzzy Hash: 5d19dabe06c04104d03c805a20db61bb7ad0843c3c7d2444441ab514d0ecd962
Instruction Fuzzy Hash: B411A172904198CBDF209B24CC44BCA7BB9AF90304F0900F5A94C7B2D2C7B55E89CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040900D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409031
GetPrivateProfileStringA.KERNEL32(00451308,0000000A,0044551F,?,00001000,00451200), ref: 00409053
_mbscpy.MSVCRT ref: 0040906D

Strings

<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 0040901A
{?@ UD, xrefs: 0040900D

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: PrivateProfileString_mbscpymemset
String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>${?@ UD
API String ID: 408644273-2682877464
Opcode ID: 378cf609773933abd0cbf0de7e3743951131b1a096d6e983a9466431b2c11096
Instruction ID: 644781a60c69e86f7c2c511092586478b4ed4a6ca21543a67b17e89033411e60
Opcode Fuzzy Hash: 378cf609773933abd0cbf0de7e3743951131b1a096d6e983a9466431b2c11096
Instruction Fuzzy Hash: 53F0E9729041987BEB129764EC01FCA77AC9B4974BF1000E6FB49F10C2D5F89EC48AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00408F32, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00408F5D
sprintf.MSVCRT ref: 00408F72

Part of subcall function 0040900D: memset.MSVCRT ref: 00409031
Part of subcall function 0040900D: GetPrivateProfileStringA.KERNEL32(00451308,0000000A,0044551F,?,00001000,00451200), ref: 00409053
Part of subcall function 0040900D: _mbscpy.MSVCRT ref: 0040906D

SetWindowTextA.USER32(?,?), ref: 00408F99

Strings

dialog_%d, xrefs: 00408F68
caption, xrefs: 00408F7E

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset$PrivateProfileStringTextWindow_mbscpysprintf
String ID: caption$dialog_%d
API String ID: 336690586-4161923789
Opcode ID: 000f1f906e92f5b03bb8d936c1600f8ee9725489ffd6e52dafee9c1c18951f52
Instruction ID: 5193b431d0dc7ecedf7a364b2ddef3fe6b5aec68a3d00ff581056cac6fb231a4
Opcode Fuzzy Hash: 000f1f906e92f5b03bb8d936c1600f8ee9725489ffd6e52dafee9c1c18951f52
Instruction Fuzzy Hash: 67F0BB745043487FFB129BA0DD06FC97AA8AB08747F0000A6BB44F11E2DBF899908B5E

Uniqueness

Uniqueness Score: -1.00%

Function 00410909, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,774148C0,00405E9E,00000000), ref: 00410912
GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00410920
FreeLibrary.KERNEL32(00000000), ref: 00410938

Strings

shlwapi.dll, xrefs: 0041090B
SHAutoComplete, xrefs: 0041091A

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHAutoComplete$shlwapi.dll
API String ID: 145871493-1506664499
Opcode ID: f25734f4fc4b11147bd7f5e2528d9bf4594faa664b5814fe0a2756d8d7966d13
Instruction ID: 7569959bf229cfaf5f1ab8cb2858e1476927bfd88fe16924fdc565eaa6c9b3dd
Opcode Fuzzy Hash: f25734f4fc4b11147bd7f5e2528d9bf4594faa664b5814fe0a2756d8d7966d13
Instruction Fuzzy Hash: 15D05B797006107BFB215735BC08FEF6AE5DFC77527050035F950E1151CB648C42896A

Uniqueness

Uniqueness Score: -1.00%

Function 0043D438, Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 478COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043D4CD
memset.MSVCRT ref: 0043D506
memcpy.MSVCRT ref: 0043D781

Strings

no query solution, xrefs: 0043D81D
, xrefs: 0043D7EB

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset$memcpy
String ID: $no query solution
API String ID: 368790112-326442043
Opcode ID: d1b20270b8fca8508a10612e54657d8b0a662355ac249add9ed08d121aaec26c
Instruction ID: 5801c9734c6bd427e286c4e355069e6ae2e92931dd4aa2b8c604a71db9229eec
Opcode Fuzzy Hash: d1b20270b8fca8508a10612e54657d8b0a662355ac249add9ed08d121aaec26c
Instruction Fuzzy Hash: D012AC75D006199FCB24CF99D481AAEF7F1FF08314F14915EE899AB351E338A981CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0043000F, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 237COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0043011B
memcpy.MSVCRT ref: 0043018C

Strings

unknown column "%s" in foreign key definition, xrefs: 0043027A
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430087
foreign key on %s should reference only one column of table %T, xrefs: 0043005F

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 3510742995-272990098
Opcode ID: ba7cc926a2513b3f0d61d7686d9ea4b43c1dda64fb95451b7aee5590be9ae86f
Instruction ID: b65499b1f20d22348a3d217da3c858198d90c87fbf4aa33eef889ec12c855700
Opcode Fuzzy Hash: ba7cc926a2513b3f0d61d7686d9ea4b43c1dda64fb95451b7aee5590be9ae86f
Instruction Fuzzy Hash: BFA14C75A00209DFCB14CF99D590AAEBBF1FF48304F14869AE805AB312D779EE51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0043CB52, Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043CB87
memset.MSVCRT ref: 0043CDB9

Strings

H, xrefs: 0043CC3C

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset
String ID: H
API String ID: 2221118986-2852464175
Opcode ID: 82ed15864ef5b3a3dd0266e33bdbcb26a787e81eb1be7ca6d5995a5f4ce5c711
Instruction ID: 0231d824907604898156c72f74438a53b00a2a6e63cdef361d574d9feb60fc4e
Opcode Fuzzy Hash: 82ed15864ef5b3a3dd0266e33bdbcb26a787e81eb1be7ca6d5995a5f4ce5c711
Instruction Fuzzy Hash: 9D915775C00219DBDF20CF95C881AAEF7B5FF48304F14949AE959BB241E334AA85CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041D3D8, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 00413185: memcpy.MSVCRT ref: 00413192

memcmp.MSVCRT ref: 0041D435
memcmp.MSVCRT ref: 0041D462
memcmp.MSVCRT ref: 0041D4CE

Strings

@ , xrefs: 0041D4C8
SQLite format 3, xrefs: 0041D456

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcmp$memcpy
String ID: @ $SQLite format 3
API String ID: 231171946-3708268960
Opcode ID: 5952f075a97c97ad06d3c6058b6006b849409e8323ae21947051dcee29b786b4
Instruction ID: 154dd893183b882ddc8616fc7eef56b16fb129afe1b119523047def7d92feb70
Opcode Fuzzy Hash: 5952f075a97c97ad06d3c6058b6006b849409e8323ae21947051dcee29b786b4
Instruction Fuzzy Hash: C451B1B1E00604AFDB20DF69C881BDAB7F5AF54308F14056FD44597741E778EA84CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00424D44, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 173COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00424E4D
memcpy.MSVCRT ref: 00424E68

Strings

out of memory, xrefs: 00425E19
string or blob too big, xrefs: 00425229
statement aborts at %d: [%s] %s, xrefs: 0042525A

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
API String ID: 3510742995-3170954634
Opcode ID: d7603b0dda69ecf518d4b766e7e4f504cd7a7b4266dab8eccfe297bae9d2bc32
Instruction ID: 0d7bce0817bf65c9dfa0535c92c7df176da35528cc665cc261d5cec065e4eab6
Opcode Fuzzy Hash: d7603b0dda69ecf518d4b766e7e4f504cd7a7b4266dab8eccfe297bae9d2bc32
Instruction Fuzzy Hash: 4361C031A046259FDB14DFA4D480BAEBBF1FF48304F55849AE904AB392D738ED51CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00413F5C, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00413F9F
memcpy.MSVCRT ref: 00413FB8
memset.MSVCRT ref: 00413FE6

Strings

winWrite1, xrefs: 004140AD
winWrite2, xrefs: 00414058

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID: winWrite1$winWrite2
API String ID: 438689982-3457389245
Opcode ID: 0d7f83051426e72d393f7901bd0e4f2f845d9ffb714df67e86fd0046f80122d9
Instruction ID: 411cc920c71d47ae3c136763a4be7e00f30539a89a3c59ace8e577baf045dca9
Opcode Fuzzy Hash: 0d7f83051426e72d393f7901bd0e4f2f845d9ffb714df67e86fd0046f80122d9
Instruction Fuzzy Hash: F9417F72A00209EBDF00CF95CC41ADE7BB5FF48315F14452AF614A7280D778DAA5CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00413E34, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00413E77
memcpy.MSVCRT ref: 00413E92
memset.MSVCRT ref: 00413EB0
memset.MSVCRT ref: 00413F4A

Strings

winRead, xrefs: 00413F12

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpymemset
String ID: winRead
API String ID: 1297977491-2759563040
Opcode ID: ffe010aae32d2fe9b2a966a78d406535a1fbcfae657499b63a226c622339ee24
Instruction ID: 3967e01906e40ec71704122980e40950556eef8199585a058b54f4718b0c424a
Opcode Fuzzy Hash: ffe010aae32d2fe9b2a966a78d406535a1fbcfae657499b63a226c622339ee24
Instruction Fuzzy Hash: 46318B72A00309ABDF10DE69CC86ADE7B69AF84315F14446AF904A7241D734DAA48B99

Uniqueness

Uniqueness Score: -1.00%

Function 00407065, Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000011), ref: 00407076
GetSystemMetrics.USER32(00000010), ref: 0040707C
73BBAC50.USER32(00000000,?,?,?,?,?,?,004012E4,?), ref: 0040708A
GetWindowRect.USER32(004012E4,?), ref: 004070BB
MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407100

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: MetricsSystemWindow$MoveRect
String ID:
API String ID: 514606546-0
Opcode ID: 9f21f5323b7ceedafff5760536b34980224d30b32341e91405141b8b8f897059
Instruction ID: 4d379cb21657894a0e11cf9a22620d5233689a1bec75a9944306807f4dd79964
Opcode Fuzzy Hash: 9f21f5323b7ceedafff5760536b34980224d30b32341e91405141b8b8f897059
Instruction Fuzzy Hash: 8F11B735E00619AFDF108FB8CC49BAF7F79EB45351F040135EE01E7291DA70A9048A91

Uniqueness

Uniqueness Score: -1.00%

Function 0040A8C2, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB

memset.MSVCRT ref: 0040A8F8

Part of subcall function 0041096F: memcpy.MSVCRT ref: 004109DD

Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D

sprintf.MSVCRT ref: 0040A93D

Strings

<%s>%s</%s>, xrefs: 0040A935
<item>, xrefs: 0040A8CC
</item>, xrefs: 0040A957

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 3337535707-2769808009
Opcode ID: b0ab3c576635bf4da161b26e96517a42775f10b149b223ac01af6493df536d2f
Instruction ID: b3463478cabe4832a9b1b799bbf2f925c18d395200ae258af25e9b21d14a16f2
Opcode Fuzzy Hash: b0ab3c576635bf4da161b26e96517a42775f10b149b223ac01af6493df536d2f
Instruction Fuzzy Hash: 3611BF31600225BFEB11AF64CC42F957B64FF04318F10406AF509265A2DB7ABD70DB89

Uniqueness

Uniqueness Score: -1.00%

Function 0040717E, Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040719D
sprintf.MSVCRT ref: 004071BE
_mbscat.MSVCRT ref: 004071D0
_mbscat.MSVCRT ref: 004071ED
_mbscat.MSVCRT ref: 004071FC

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _mbscat$memsetsprintf
String ID:
API String ID: 125969286-0
Opcode ID: cfc2cdd9402285d373237ff41ddaadf9cb54e449d46b0907ea735e806236394e
Instruction ID: 1eb43bd5b8120d09ab0b11fdee56c07fa856cfecb869048c22175c4298d2535e
Opcode Fuzzy Hash: cfc2cdd9402285d373237ff41ddaadf9cb54e449d46b0907ea735e806236394e
Instruction Fuzzy Hash: EF014C32D0826436F72156159C03BBB77A89B85704F10407FFD44A92C1EEBCE984479A

Uniqueness

Uniqueness Score: -1.00%

Function 00408E21, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00408E33
GetWindowRect.USER32(?,?), ref: 00408E40
GetClientRect.USER32(00000000,?), ref: 00408E4B
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00408E5B
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00408E77

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: 06bcd35f29f4ad8b1f8be6fafa23155ea8198cc34ea2cee51d518efb77a86cea
Instruction ID: d5d25afb3259b03ed1d628add5c616d0d22dc24c96253af88726d5856d44a725
Opcode Fuzzy Hash: 06bcd35f29f4ad8b1f8be6fafa23155ea8198cc34ea2cee51d518efb77a86cea
Instruction Fuzzy Hash: 0E01653680052ABBDB11ABA59C49EFFBFBCFF06750F04402AFD05A2181D77895018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA94, Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AAB7
memset.MSVCRT ref: 0040AACD

Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB

Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D

sprintf.MSVCRT ref: 0040AB04

Strings

<%s>, xrefs: 0040AAFE
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AAD2

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3699762281-1998499579
Opcode ID: d5ee42966936a1138623645e18684dfcccb61381e14bbb228212885f4d89bd19
Instruction ID: a3dff73391336119dc4caae329f843e57b3ce466119e41e431a2bb454e721b3a
Opcode Fuzzy Hash: d5ee42966936a1138623645e18684dfcccb61381e14bbb228212885f4d89bd19
Instruction Fuzzy Hash: ED01F7729401296AEB20B655CC45FDA7A6CAF45305F0400BAB509B2182DBB49E548BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040979F, Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 004097AB
??3@YAXPAX@Z.MSVCRT ref: 004097B9
??3@YAXPAX@Z.MSVCRT ref: 004097CA
??3@YAXPAX@Z.MSVCRT ref: 004097E1
??3@YAXPAX@Z.MSVCRT ref: 004097EA

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 7a9d4f54567c0a48d1859bf8158ae1996b1b95a3d5575a953b4da3af230d69c1
Instruction ID: ea629a9aafeff6281071dae141f51b3a8c797cef86d835f03ce988520f4efe7f
Opcode Fuzzy Hash: 7a9d4f54567c0a48d1859bf8158ae1996b1b95a3d5575a953b4da3af230d69c1
Instruction Fuzzy Hash: 94F0FF73609B01DBD7209FA99AC065BF7E9AB48724BA4093FF149D3642C738BC54C618

Uniqueness

Uniqueness Score: -1.00%

Function 00409805, Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097AB
Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097B9
Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097CA
Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097E1
Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097EA

??3@YAXPAX@Z.MSVCRT ref: 00409820
??3@YAXPAX@Z.MSVCRT ref: 00409833
??3@YAXPAX@Z.MSVCRT ref: 00409846
??3@YAXPAX@Z.MSVCRT ref: 00409859
??3@YAXPAX@Z.MSVCRT ref: 0040986D

Part of subcall function 004077E4: ??3@YAXPAX@Z.MSVCRT ref: 004077EB

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: d9c01388865c204718a59a81bbac89ec1da5725ce67048d786a5844de5934490
Instruction ID: 7a7d368fa20b86f0ae4ccc19201ff918d3b0396c1b4e5cf9e7c68f971a3fafa8
Opcode Fuzzy Hash: d9c01388865c204718a59a81bbac89ec1da5725ce67048d786a5844de5934490
Instruction Fuzzy Hash: 29F03633D1A930D7C6257B66500164EE3686E86B3931942AFF9047B7D28F3C7C5485DE

Uniqueness

Uniqueness Score: -1.00%

Function 004100EC, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00406EA5: memset.MSVCRT ref: 00406EC5
Part of subcall function 00406EA5: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406ED8
Part of subcall function 00406EA5: _strcmpi.MSVCRT ref: 00406EEA

SetBkMode.GDI32(?,00000001), ref: 00410113
GetSysColor.USER32(00000005), ref: 0041011B
SetBkColor.GDI32(?,00000000), ref: 00410125
SetTextColor.GDI32(?,00C00000), ref: 00410133
GetSysColorBrush.USER32(00000005), ref: 0041013B

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Color$BrushClassModeNameText_strcmpimemset
String ID:
API String ID: 2775283111-0
Opcode ID: 627087e029a1abcb04561e415bb5884c82ccbbb1204662b743e4c0e852913d63
Instruction ID: 15b5804eddbfc7b45e8a586a0394ac07707e7803bdc14c23b44bbc646b24dc1f
Opcode Fuzzy Hash: 627087e029a1abcb04561e415bb5884c82ccbbb1204662b743e4c0e852913d63
Instruction Fuzzy Hash: 7DF0F935100508BBDF116FA5DC09EDE3B25FF05711F10813AFA15585B1CBFAD9A09B58

Uniqueness

Uniqueness Score: -1.00%

Function 00405F2B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

BeginDeferWindowPos.USER32(0000000A), ref: 00405F44

Part of subcall function 004015F3: GetDlgItem.USER32(?,?), ref: 00401603
Part of subcall function 004015F3: GetClientRect.USER32(?,?), ref: 00401615
Part of subcall function 004015F3: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 0040167F

EndDeferWindowPos.USER32(?), ref: 00406003
InvalidateRect.USER32(?,?,00000001), ref: 0040600E

Strings

$, xrefs: 0040601A

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: DeferWindow$Rect$BeginClientInvalidateItem
String ID: $
API String ID: 2498372239-3993045852
Opcode ID: 4f29eeeafaf0275d54e1a8ac864168a2c968bf72d4383311267dcf3585429308
Instruction ID: 00843a31076853278f863d8e49a3b1dedc6e53575b175ed212c8a3462f8966d2
Opcode Fuzzy Hash: 4f29eeeafaf0275d54e1a8ac864168a2c968bf72d4383311267dcf3585429308
Instruction Fuzzy Hash: 4D318F70640259BFEF229B52DC89D6F3A7CFBC5B88F10006DF401792A1CA794F51EA69

Uniqueness

Uniqueness Score: -1.00%

Function 004140D3, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 96COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414105

Strings

winSeekFile, xrefs: 0041415B
winTruncate2, xrefs: 004141AE
winTruncate1, xrefs: 00414175

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: winSeekFile$winTruncate1$winTruncate2
API String ID: 885266447-2471937615
Opcode ID: 2e15f3014d93f2bb9130e9841e4fb77219e446d9f82deb2689d2d98ee362e802
Instruction ID: 64d4eb81a265c1b05a2fdfc4674ac580571b80d59954343c28d6466173863d6d
Opcode Fuzzy Hash: 2e15f3014d93f2bb9130e9841e4fb77219e446d9f82deb2689d2d98ee362e802
Instruction Fuzzy Hash: 0331E1B1240700BFE7209F65CC49AA7B7E9FB94714F144A2EF951836C1E738EC948B69

Uniqueness

Uniqueness Score: -1.00%

Function 00406868, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1

GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,C@,004069F3,00000000,?,?,00000000), ref: 0040688C
CloseHandle.KERNEL32(?), ref: 004068B2

Part of subcall function 00407691: ??3@YAXPAX@Z.MSVCRT ref: 00407698
Part of subcall function 00407691: ??2@YAPAXI@Z.MSVCRT ref: 004076A6

Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306

Strings

key3.db, xrefs: 0040686D
C@, xrefs: 00406868

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: File$??2@??3@CloseCreateHandleReadSize
String ID: C@$key3.db
API String ID: 1968906679-1993167907
Opcode ID: 8070846350ac793f35cf726ef4b9da8142e130784681131c85812774ce581970
Instruction ID: 0ede60c3f523747ec885d841e26685764e9001b1461c3323211a21065397dc39
Opcode Fuzzy Hash: 8070846350ac793f35cf726ef4b9da8142e130784681131c85812774ce581970
Instruction Fuzzy Hash: 9811D3B2D00514AFDB10AF19CC4588E7BA5EF46360B12807BF80AAB291DB34DD60CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00407F93, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424

memset.MSVCRT ref: 00407FCE

Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 0040801C
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 00408039

Strings

Software\Google\Google Desktop\Mailboxes, xrefs: 00407FA6

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Close$EnumOpenmemset
String ID: Software\Google\Google Desktop\Mailboxes
API String ID: 2255314230-2212045309
Opcode ID: cddc1c4639ed352c6b00522a74a8640079b1fef2a24954c474c6d8e722691f2e
Instruction ID: ef1d8a4e040050e039b627d4d2b4e2291b822c72ed16119247eb6dd3c2076bbf
Opcode Fuzzy Hash: cddc1c4639ed352c6b00522a74a8640079b1fef2a24954c474c6d8e722691f2e
Instruction Fuzzy Hash: 4A118F72408245BBD710EE51DC41EABBBACEBD0314F00083EBE9491191EB759A58D7A7

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00406D65: memset.MSVCRT ref: 00406D6F
Part of subcall function 00406D65: _mbscpy.MSVCRT ref: 00406DAF

CreateFontIndirectA.GDI32(?), ref: 0040101F
SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B

Strings

MS Sans Serif, xrefs: 0040100B

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
String ID: MS Sans Serif
API String ID: 3492281209-168460110
Opcode ID: 2b978f582ba89fecee05bf5e4b747a5653f5ca03fd4d42c103354d0125bbd5b3
Instruction ID: 91d7546927304a6081eb6d9f577e17eac68e9825403057b28fc40c6b5cfff950
Opcode Fuzzy Hash: 2b978f582ba89fecee05bf5e4b747a5653f5ca03fd4d42c103354d0125bbd5b3
Instruction Fuzzy Hash: 54F0A775A407047BEB3267A0EC47F4A7BACAB41B41F104535F651B51F2D6F4B544CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00406EA5, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406EC5
GetClassNameA.USER32(?,00000000,000000FF), ref: 00406ED8
_strcmpi.MSVCRT ref: 00406EEA

Strings

edit, xrefs: 00406EE4

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ClassName_strcmpimemset
String ID: edit
API String ID: 275601554-2167791130
Opcode ID: ed2b804169d995c812202dfe57b894f8811318f38427dff4b8ba9102b7fae148
Instruction ID: 847e1e856ca93c5331a43762777f09d1dcd0b535ae5450603ebfd434222f9f24
Opcode Fuzzy Hash: ed2b804169d995c812202dfe57b894f8811318f38427dff4b8ba9102b7fae148
Instruction Fuzzy Hash: A3E09B73C5412E7AEB21B6A4DC01FE6776CEF55705F0000F7B945E10C1E5B45A888B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040732D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040732F
strlen.MSVCRT ref: 0040733A
_mbscat.MSVCRT ref: 00407351

Strings

8D, xrefs: 0040734A

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: strlen$_mbscat
String ID: 8D
API String ID: 3951308622-2703402624
Opcode ID: 0ec1879d80d4c340dda7a3243aeb4a8038102bdf29c15a79d9befc878d316230
Instruction ID: fdb3abcae466a204d6f595596d606a7769775cd3d87c53e6d0f7ff6b17e0c5bf
Opcode Fuzzy Hash: 0ec1879d80d4c340dda7a3243aeb4a8038102bdf29c15a79d9befc878d316230
Instruction Fuzzy Hash: F7D0A73390D62027F6153617BC07D8E5BD1CFD0779B18041FF908D2181DD3E8495909D

Uniqueness

Uniqueness Score: -1.00%

Function 00443131, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT ref: 0044313C
_mbscat.MSVCRT ref: 00443147
_mbscat.MSVCRT ref: 00443152

Strings

Password2, xrefs: 0044314C

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _mbscat$_mbscpy
String ID: Password2
API String ID: 2600922555-1856559283
Opcode ID: dd6d1596d5adc5cb59be199e9a5e42366e44826479dad9da6a8aaa41d84d8c14
Instruction ID: 284e3ed20e01ed0f985c27cc48ee8d5f57cf04e2e68a318951e5723102309710
Opcode Fuzzy Hash: dd6d1596d5adc5cb59be199e9a5e42366e44826479dad9da6a8aaa41d84d8c14
Instruction Fuzzy Hash: DFC0126164253032351132152C02ECE5D444D927A9744405BF64871152DE4C092141EE

Uniqueness

Uniqueness Score: -1.00%

Function 0041067E, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(shell32.dll,0041073A,00000104), ref: 0041068C
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004106A1

Strings

shell32.dll, xrefs: 00410687
SHGetSpecialFolderPathA, xrefs: 0041069B

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetSpecialFolderPathA$shell32.dll
API String ID: 2574300362-543337301
Opcode ID: 2e6b26bb17626f4397607e962d7e33e0088331342153929cca1aec3e07a9d3dc
Instruction ID: 89c53fa068d5e839e9f7b52beb2d5746c1b59f0700db89f23453b1bd6c0da6b7
Opcode Fuzzy Hash: 2e6b26bb17626f4397607e962d7e33e0088331342153929cca1aec3e07a9d3dc
Instruction Fuzzy Hash: 31D09EB8A00349EFDB00AF21EC0874639946785756B104436A04591267E6B88091CE5D

Uniqueness

Uniqueness Score: -1.00%

Function 00431CB5, Relevance: 6.5, APIs: 3, Strings: 1, Instructions: 469COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00431CEC
memset.MSVCRT ref: 00431DA2
memset.MSVCRT ref: 00431F62

Strings

rows deleted, xrefs: 004321AB

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset
String ID: rows deleted
API String ID: 2221118986-571615504
Opcode ID: 4c9dbc2b612ed9edf76401e4d6c70ac1deb0b9b48bbb52d81c4a8b84a7a8b6c2
Instruction ID: 2c87624536f7d1d2c67b3f30ed48d8bcf82a012ac595ca9270874480dc5e5985
Opcode Fuzzy Hash: 4c9dbc2b612ed9edf76401e4d6c70ac1deb0b9b48bbb52d81c4a8b84a7a8b6c2
Instruction Fuzzy Hash: 47028F71E00218AFDF14DF99DD81AAEBBB5EF08314F14005AFA04A7352E775AD41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041B58C, Relevance: 6.3, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041B59F
memcpy.MSVCRT ref: 0041B5B5
memcmp.MSVCRT ref: 0041B5C4
memcmp.MSVCRT ref: 0041B60C
memcpy.MSVCRT ref: 0041B627

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpy$memcmp
String ID:
API String ID: 3384217055-0
Opcode ID: e3acc2376955a3743a68dcdfb4fb7f0e30d5fba998ed12fb16b657197a27482f
Instruction ID: 3ed27bb9f02c74045d0acb38b61796dbe98832ce2e8f1163f6a46f85a071a1b4
Opcode Fuzzy Hash: e3acc2376955a3743a68dcdfb4fb7f0e30d5fba998ed12fb16b657197a27482f
Instruction Fuzzy Hash: C62181B2E106486BDB14DBA5D846EDF73ECEB94704F04082AB511D7241EB38E644C765

Uniqueness

Uniqueness Score: -1.00%

Function 00442878, Relevance: 6.3, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 00407142: memset.MSVCRT ref: 00407150

??2@YAPAXI@Z.MSVCRT ref: 0044288D
??2@YAPAXI@Z.MSVCRT ref: 004428AB
??2@YAPAXI@Z.MSVCRT ref: 004428C6
??2@YAPAXI@Z.MSVCRT ref: 004428EF
??2@YAPAXI@Z.MSVCRT ref: 00442913

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: 378dd395ac358383f0d1e4d3a7a78962b5737c649db7fc2e5d38c36609a1d53f
Instruction ID: ce7ce7a56e3d2054f407bfc67449f4b5e2a26b1e03fcf19820fefdebefcb5e48
Opcode Fuzzy Hash: 378dd395ac358383f0d1e4d3a7a78962b5737c649db7fc2e5d38c36609a1d53f
Instruction Fuzzy Hash: D3312BF4A007008FE7509F7A8945626FBE4FF84315F65886FE259CB2A2D7B9D440CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00404883, Relevance: 6.3, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004048BD
memset.MSVCRT ref: 004048D1
memset.MSVCRT ref: 004048E5
memcpy.MSVCRT ref: 004048F7
memcpy.MSVCRT ref: 00404909

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: a75b1e0acb0f5019c960ead13ae6bdef512e97a5dc6b2f82c9c12f4a65331388
Instruction ID: 580d5568a0ae36357fe55cd2f8a92ca16a000ad3cc3fb0fce8e347f768f52ea1
Opcode Fuzzy Hash: a75b1e0acb0f5019c960ead13ae6bdef512e97a5dc6b2f82c9c12f4a65331388
Instruction Fuzzy Hash: B02160B690115DABDF21EEA8CD40EDF7BADAF88304F0044AAB718E3052D2349F548B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040CFC5, Relevance: 6.3, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040CFE4
memset.MSVCRT ref: 0040CFFA
memset.MSVCRT ref: 0040D00C
memcpy.MSVCRT ref: 0040D031
memset.MSVCRT ref: 0040D03B

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: c734dfea12c93efd70da344448ab0c1d4400440b23c7d083a28a0ad16e48a0bf
Instruction ID: 593c26daf5a8157ef64f6677eb97e14ee4fb597551c84e1e3d2c0423d94ab2b3
Opcode Fuzzy Hash: c734dfea12c93efd70da344448ab0c1d4400440b23c7d083a28a0ad16e48a0bf
Instruction Fuzzy Hash: DE01FCB5A40B0077E235AA35CC03F1A73A4AFD1718F000B1EF252666D2E7BCE509856D

Uniqueness

Uniqueness Score: -1.00%

Function 0041546A, Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004154B0

Strings

+MA, xrefs: 00415471, 0041562F, 00415599, 00415567, 0041549D
psow, xrefs: 00415690
winOpen, xrefs: 004155DF

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset
String ID: +MA$psow$winOpen
API String ID: 2221118986-3077801942
Opcode ID: 6374b3f40517461fab9b1732b79d6ecb0a63dddf6689f58e7f4b53c344f2d528
Instruction ID: 627c4099ad4ed317c867b58951a0fc316b0cffc8f2319acf44b2ebd0553f51b9
Opcode Fuzzy Hash: 6374b3f40517461fab9b1732b79d6ecb0a63dddf6689f58e7f4b53c344f2d528
Instruction Fuzzy Hash: DE718D72D00605EBDF10DFA9DC426DEBBB2AF44314F14412BF915AB291D7788D908B98

Uniqueness

Uniqueness Score: -1.00%

Function 00424EAC, Relevance: 6.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00424F52
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00424F87
__allrem.LIBCMT ref: 00425035
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042507D

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 560e0d92d15042a7d60853a487a4d693223dca75a8103b8e7d816dd0a212d02a
Instruction ID: db9e41318fbfcada45bb9adf36b3998ede89feacb8141746dd807fa43e705e13
Opcode Fuzzy Hash: 560e0d92d15042a7d60853a487a4d693223dca75a8103b8e7d816dd0a212d02a
Instruction Fuzzy Hash: 65618F71E006299FCF14CFA4ED40AAEBBB1FF84314F69415AE508AB391DB399D41CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042BB86, Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0042BCE8

Strings

variable number must be between ?1 and ?%d, xrefs: 0042BC19
too many SQL variables, xrefs: 0042BD54

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset
String ID: too many SQL variables$variable number must be between ?1 and ?%d
API String ID: 2221118986-515162456
Opcode ID: 6b88ecb26755f537598d44b059ba5a346278a106570852c9337f2aed9016ab7b
Instruction ID: 0d9164a1fdbde5ca3cdd745d30cfe3dc8f536e44641e3c26b790e655cd3eaffd
Opcode Fuzzy Hash: 6b88ecb26755f537598d44b059ba5a346278a106570852c9337f2aed9016ab7b
Instruction Fuzzy Hash: 71519D31B00525EFEB19DF69D481BEAB7A0FF08304F90016BE815AB251DB79AD51CBC8

Uniqueness

Uniqueness Score: -1.00%

Function 0042F55D, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 143COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042F6A9

Strings

, xrefs: 0042F5D4
CREATE TABLE , xrefs: 0042F616
, , xrefs: 0042F5DB

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: $, $CREATE TABLE
API String ID: 3510742995-3459038510
Opcode ID: 24e9d051a89d5ebfc294a89d8b696b7cb09e4cb3b50fd414110b2fd0402450e3
Instruction ID: 4a0871beed9f250e2dacaf6662beca46c80fe0be2f5bbb48e716de4f7c2f6e71
Opcode Fuzzy Hash: 24e9d051a89d5ebfc294a89d8b696b7cb09e4cb3b50fd414110b2fd0402450e3
Instruction Fuzzy Hash: BE51B471E00129AFDF10DF94D4815AFB7F5EF45319FA0806BE401EB202E778DA898B99

Uniqueness

Uniqueness Score: -1.00%

Function 00402616, Relevance: 6.1, APIs: 4, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026D6
memset.MSVCRT ref: 0040269F

Part of subcall function 0041025A: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410277
Part of subcall function 0041025A: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410298
Part of subcall function 0041025A: memcpy.MSVCRT ref: 004102D6

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040278E
LocalFree.KERNEL32(?), ref: 00402798

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ByteCharFromMultiStringUuidWide$FreeLocalQueryValuememcpymemset
String ID:
API String ID: 1593657333-0
Opcode ID: 16627343bce6d9ca029ba30bb800e57eeae299e547cd663597d7650a0685579b
Instruction ID: a31c39db536bf59591fe237cfeb45fd52263bcc442a3b4586f9b541b98436b80
Opcode Fuzzy Hash: 16627343bce6d9ca029ba30bb800e57eeae299e547cd663597d7650a0685579b
Instruction Fuzzy Hash: 0741C2B1408394AFEB21CF60CD85AAB77DCAB49304F04493FF588A21D1D6B9DA44CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5D8, Relevance: 6.1, APIs: 4, Instructions: 115windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C642
SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C686
GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C6A0
PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040C743

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Message$MenuPostSendStringmemset
String ID:
API String ID: 3798638045-0
Opcode ID: 3a7b9920eb43017b966caaa677d6f3b642cf6e436e0306de547793c3a41d1725
Instruction ID: caf6f60f32b19a677c26e4d16bf675fa64e013cae5d841084b333b07d52aaaaa
Opcode Fuzzy Hash: 3a7b9920eb43017b966caaa677d6f3b642cf6e436e0306de547793c3a41d1725
Instruction Fuzzy Hash: 6C41C131500216EBCB35CF24C8C5A96BBA4BF05321F1447B6E958AB2D2C7B99D91CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040B340, Relevance: 6.1, APIs: 4, Instructions: 114stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00409B5A: ??2@YAPAXI@Z.MSVCRT ref: 00409B7B
Part of subcall function 00409B5A: ??3@YAXPAX@Z.MSVCRT ref: 00409C42

strlen.MSVCRT ref: 0040B366
atoi.MSVCRT ref: 0040B374
_mbsicmp.MSVCRT ref: 0040B3C7
_mbsicmp.MSVCRT ref: 0040B3DA

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _mbsicmp$??2@??3@atoistrlen
String ID:
API String ID: 4107816708-0
Opcode ID: 8fdabe3cb48b7dd5393ce896bc272b4884b8954cc15d75e5f27a23b60337e2cc
Instruction ID: f56b49caca625ffb6a8305ca332e6707e3f7b6555e2304d22037ac8df505f121
Opcode Fuzzy Hash: 8fdabe3cb48b7dd5393ce896bc272b4884b8954cc15d75e5f27a23b60337e2cc
Instruction Fuzzy Hash: CC412A75900204EBDB10DF69C581A9DBBF4FB48308F2185BAEC55AB397D738DA41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00410D1D, Relevance: 6.1, APIs: 4, Instructions: 85stringCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410D7C
_gmtime64.MSVCRT ref: 00410DA5
memcpy.MSVCRT ref: 00410DB9
strftime.MSVCRT ref: 00410DE4

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
String ID:
API String ID: 1886415126-0
Opcode ID: 42ebb8c1e295c4f998c750dd4381f5a90e4aefd148bac4d8b35948d96f151cd4
Instruction ID: e7bf39f2df778c647ef491fd25a44dd6e6c3fbccc626bed7fedf127605a46aa4
Opcode Fuzzy Hash: 42ebb8c1e295c4f998c750dd4381f5a90e4aefd148bac4d8b35948d96f151cd4
Instruction Fuzzy Hash: 8B21F3729003156BD310EF65D846B9BB7E8AF48324F044A1FFA98D7281DB78E9848BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00443946, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00443953

Strings

>, xrefs: 004439B4
>, xrefs: 0044398E
>, xrefs: 00443979

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: strlen
String ID: >$>$>
API String ID: 39653677-3911187716
Opcode ID: 3bef562ec1fa0c496d1df37275b1e68b1d7bde60f2b1f93b6d17329dd08051c1
Instruction ID: c4e2884265c3a68fdd0446f239628287b972743a9c94721f5bed41ec85a51522
Opcode Fuzzy Hash: 3bef562ec1fa0c496d1df37275b1e68b1d7bde60f2b1f93b6d17329dd08051c1
Instruction Fuzzy Hash: 2A313A5184D2C49EFB119F6880457EEFFB14F22706F1886DAC0D167383C2AC9B4AD75A

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF27, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0040CF6A
memcpy.MSVCRT ref: 0040CF94
memcpy.MSVCRT ref: 0040CFB8

Strings

@, xrefs: 0040CFA6

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: @
API String ID: 3510742995-2766056989
Opcode ID: 06b8a3ec594aaba049a721ed4dda8e3acd4ed37df7d7103eefb9391fa1074ca8
Instruction ID: c67b832eded58a7fed5fb718e1005b1d96f95c91eedcc3159726feab918c483c
Opcode Fuzzy Hash: 06b8a3ec594aaba049a721ed4dda8e3acd4ed37df7d7103eefb9391fa1074ca8
Instruction Fuzzy Hash: DB113BF2900705ABCB248F15CCC095A77A9EB94358B00073FFE06562D1E635DA5986DA

Uniqueness

Uniqueness Score: -1.00%

Function 004076FD, Relevance: 6.1, APIs: 4, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00407709
??3@YAXPAX@Z.MSVCRT ref: 00407729

Part of subcall function 00406CCE: malloc.MSVCRT ref: 00406CEA
Part of subcall function 00406CCE: memcpy.MSVCRT ref: 00406D02
Part of subcall function 00406CCE: ??3@YAXPAX@Z.MSVCRT ref: 00406D0B

??3@YAXPAX@Z.MSVCRT ref: 0040774C
memcpy.MSVCRT ref: 0040776C

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ??3@$memcpy$mallocstrlen
String ID:
API String ID: 1171893557-0
Opcode ID: 362879045fdc860860f3123a44022f3e2572d0f7ada27b379acf8bf4c70500ed
Instruction ID: 5e9a081d75c64704428ce8041afbbeb9d52fcced2ab343c8e96fa08cc39daf7c
Opcode Fuzzy Hash: 362879045fdc860860f3123a44022f3e2572d0f7ada27b379acf8bf4c70500ed
Instruction Fuzzy Hash: E411DF71200600DFD730EF18D981D9AB7F5EF443247108A2EF552A7692C736B919CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00407D33, Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00407D68
memset.MSVCRT ref: 00407D79
memcpy.MSVCRT ref: 00407D85
??3@YAXPAX@Z.MSVCRT ref: 00407D92

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 6af0d80cf1f9a4abb6ff5f9bc8d9616050e1b27e252b80ccf982e962f70df596
Instruction ID: e24a5276dafad98c161ef6ad34afde8f808320b1c4234a0015a7989cc473ef50
Opcode Fuzzy Hash: 6af0d80cf1f9a4abb6ff5f9bc8d9616050e1b27e252b80ccf982e962f70df596
Instruction Fuzzy Hash: 12118C71608601AFD328CF2DC881A27F7E9FFD8300B20892EE59A87395DA35E801CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00410880, Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 00410890
SHBrowseForFolder.SHELL32(?), ref: 004108C2
SHGetPathFromIDList.SHELL32(00000000,?), ref: 004108D6
_mbscpy.MSVCRT ref: 004108E9

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: BrowseFolderFromListMallocPath_mbscpy
String ID:
API String ID: 1479990042-0
Opcode ID: 3753829cb073f40f4471594610d53b7e9f12ad6488aa9b3d51b15237d3a7a1f5
Instruction ID: 22dc721301a1029169844026e50c0f3522bcecfb2be71eae7d1720ca74c813ee
Opcode Fuzzy Hash: 3753829cb073f40f4471594610d53b7e9f12ad6488aa9b3d51b15237d3a7a1f5
Instruction Fuzzy Hash: D311FAB5900208AFDB00DFA9D8849EEBBFCFB49314B10406AEA05E7201D774DA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040B65E, Relevance: 6.0, APIs: 4, Instructions: 45windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00408B27: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F

sprintf.MSVCRT ref: 0040B684
SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B6E7

Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0

sprintf.MSVCRT ref: 0040B6AE
_mbscat.MSVCRT ref: 0040B6C1

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
String ID:
API String ID: 203655857-0
Opcode ID: fd7c26483e5a1075d55b25fd65a92633a23fb1db18fe9454acdb9c540dc78240
Instruction ID: c6c9d64871d24126578c2fffe8df42e6a01bd33b4583c5a66007e13a3507ac6b
Opcode Fuzzy Hash: fd7c26483e5a1075d55b25fd65a92633a23fb1db18fe9454acdb9c540dc78240
Instruction Fuzzy Hash: CA018BB650030467EB21B775CC86FE773ACAB04304F04047BB656F51D3DA79E9848A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB21, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AB44
memset.MSVCRT ref: 0040AB5A

Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D

sprintf.MSVCRT ref: 0040AB84

Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB

Strings

</%s>, xrefs: 0040AB7E

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
String ID: </%s>
API String ID: 3699762281-259020660
Opcode ID: aa9275fcc028cffcefa48dde5847177ad6754b943bb00a3c6bf4d2e50bcd3c7a
Instruction ID: 40662a85ba39df66ab9e9dfe1085b05053bd092a42c83a93ebfe6a452f4dfa53
Opcode Fuzzy Hash: aa9275fcc028cffcefa48dde5847177ad6754b943bb00a3c6bf4d2e50bcd3c7a
Instruction Fuzzy Hash: F501F9729001296BE720A659DC45FDA776CAF45304F0400FAB60DF3182DB749E548BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0044497B, Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00444985
??3@YAXPAX@Z.MSVCRT ref: 00444995
??3@YAXPAX@Z.MSVCRT ref: 004449A5
??3@YAXPAX@Z.MSVCRT ref: 004449B5

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 6e69610b48158ddd1cace260c8b8c9f990ff9e3410e7d4f8ed62e5c6a57ef570
Instruction ID: 50686d444a9e23a331db2cec4592ac0caeb7afc27ca0d185df797a95cebddf31
Opcode Fuzzy Hash: 6e69610b48158ddd1cace260c8b8c9f990ff9e3410e7d4f8ed62e5c6a57ef570
Instruction Fuzzy Hash: 70E0E6A170470196BA24ABBFBD55B1723ECAA84B66314092FB508D72B2DF2CD864D52C

Uniqueness

Uniqueness Score: -1.00%

Function 00417F87, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 00417026: memcmp.MSVCRT ref: 004170E8

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418052
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041809C

Strings

recovered %d pages from %s, xrefs: 004181E0

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
String ID: recovered %d pages from %s
API String ID: 985450955-1623757624
Opcode ID: c4450c0102bf865a63ac163fe36e3a31a4afa75d4e4d7d6d0037f9da08a88eac
Instruction ID: 8cbc4ab102da2e195dd9e93f7cc9c8da370606533bae9fcdbaff4d8649daaf64
Opcode Fuzzy Hash: c4450c0102bf865a63ac163fe36e3a31a4afa75d4e4d7d6d0037f9da08a88eac
Instruction Fuzzy Hash: 7981A076900604AFDF21CB68C880AEFB7F5AF88314F15441EE95597341DB39A986CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004021F6, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

_ultoa.MSVCRT ref: 0040225B
sprintf.MSVCRT ref: 004022CF

Strings

%s %s %s, xrefs: 004022C9

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _ultoasprintf
String ID: %s %s %s
API String ID: 432394123-3850900253
Opcode ID: da56d414bae2e0ef01a77ba25b2d24ae14ce975277d8d1cdc00a6dd34e745ad8
Instruction ID: 4eecb7ebe0e72788cc5a9ba801a24b7f953e3738518a64b6aa949e1543d7b5d3
Opcode Fuzzy Hash: da56d414bae2e0ef01a77ba25b2d24ae14ce975277d8d1cdc00a6dd34e745ad8
Instruction Fuzzy Hash: AD41C431804A1987D538D5B4878DBEB62A8A702304F5504BFEC9AB32D1D7FCAE45866E

Uniqueness

Uniqueness Score: -1.00%

Function 004086A5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1

GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,0040EC43,?,00000000,?,?,?,?,?,?), ref: 004086C3

Part of subcall function 00407691: ??3@YAXPAX@Z.MSVCRT ref: 00407698
Part of subcall function 00407691: ??2@YAPAXI@Z.MSVCRT ref: 004076A6

Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306

CloseHandle.KERNEL32(?,?), ref: 0040870D

Part of subcall function 0040767C: ??3@YAXPAX@Z.MSVCRT ref: 00407683

Strings

C@, xrefs: 004086A5

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: File$??3@$??2@CloseCreateHandleReadSize
String ID: C@
API String ID: 1449862175-3201871010
Opcode ID: 05e9bc18889996fc1c644d7848b4516204ab87caed7d052ccf358956a64e1b41
Instruction ID: 7447114fd14c0d02a0ee842544e77a6286768af896f3cc7789f687588c6d710a
Opcode Fuzzy Hash: 05e9bc18889996fc1c644d7848b4516204ab87caed7d052ccf358956a64e1b41
Instruction Fuzzy Hash: 88018871C04118AFDB00AF65DC45A8F7FB8DF05364F11C166F855B7191DB349A05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00409669, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409682
SendMessageA.USER32(5\@,00001019,00000000,?), ref: 004096B0

Strings

5\@, xrefs: 004096A6

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: MessageSendmemset
String ID: 5\@
API String ID: 568519121-3174280609
Opcode ID: ed9ccc659ae768bed3af4396a7a2ef6749329ac2da06921e4e8f3b6130e41676
Instruction ID: d98da3e135da4b1536afdd38015dbf476e5e9df788621b23f2aabad48e216af8
Opcode Fuzzy Hash: ed9ccc659ae768bed3af4396a7a2ef6749329ac2da06921e4e8f3b6130e41676
Instruction Fuzzy Hash: F901D679810204EBDB209F85C881EBBB7F8FF84745F10482AE840A6291D3359D95CB79

Uniqueness

Uniqueness Score: -1.00%

Function 00407211, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT ref: 00407269

Strings

ini, xrefs: 00407254
L, xrefs: 00407235

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _mbscpy
String ID: L$ini
API String ID: 714388716-4234614086
Opcode ID: 40617556e3c7fadddb40d0723bbaf5de75b625f9ab2653ee00342fdf7e802ddb
Instruction ID: f535223de382355a817e33459d0294d4a206ca3c03f6505affaa6c17102478c3
Opcode Fuzzy Hash: 40617556e3c7fadddb40d0723bbaf5de75b625f9ab2653ee00342fdf7e802ddb
Instruction Fuzzy Hash: CE01B2B1D10218AFDF40DFA9D845ADEBBF4BB08348F14812AE515E6240EBB895458F99

Uniqueness

Uniqueness Score: -1.00%

Function 0040C0BE, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409EE6: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00409EFC

SetFocus.USER32(?), ref: 0040C123

Part of subcall function 00401494: DialogBoxParamA.USER32(00000000,00000448,00405C86,004013DE,?), ref: 004014AD

Strings

8gD, xrefs: 0040C10F
u, xrefs: 0040C123

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: DialogFocusMessageParamSend
String ID: 8gD$u
API String ID: 2477553847-1469483753
Opcode ID: 12e12739810877d8bc3cc5258c769a72cfabe69dbd5a39a53838a09704ae6031
Instruction ID: ac66816ccf59acc72deac4cac7c3aef26e020736b1e1dc12fddaab764cb52836
Opcode Fuzzy Hash: 12e12739810877d8bc3cc5258c769a72cfabe69dbd5a39a53838a09704ae6031
Instruction Fuzzy Hash: 5AF049B1904609EFDB10DFA9C845ADEB7F8FF08308F00016AE555B72A1D779AA458B54

Uniqueness

Uniqueness Score: -1.00%

Function 0041104F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00411058
_msize.MSVCRT ref: 0041106D

Strings

failed memory resize %u to %u bytes, xrefs: 00411074

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _msizerealloc
String ID: failed memory resize %u to %u bytes
API String ID: 2713192863-2134078882
Opcode ID: f373e1ad7fcf1c0b49eed94f59212a9c5cf39ccd3639a4d1fec466c2720d2c36
Instruction ID: 1811babadabc61a025a406b62bb89d9ddf1cf6d87da65dd644d5d85db6a8a765
Opcode Fuzzy Hash: f373e1ad7fcf1c0b49eed94f59212a9c5cf39ccd3639a4d1fec466c2720d2c36
Instruction Fuzzy Hash: 12D0C23290C2207EEA122644BC06A5BBB91DF90370F10C51FF618951A0DA3A8CA0638A

Uniqueness

Uniqueness Score: -1.00%

Function 00408DE1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000), ref: 00408DE9
sprintf.MSVCRT ref: 00408E0C

Part of subcall function 00408C8C: GetMenuItemCount.USER32(?), ref: 00408CA2
Part of subcall function 00408C8C: memset.MSVCRT ref: 00408CC6
Part of subcall function 00408C8C: GetMenuItemInfoA.USER32(?), ref: 00408CFC
Part of subcall function 00408C8C: memset.MSVCRT ref: 00408D29
Part of subcall function 00408C8C: strchr.MSVCRT ref: 00408D35
Part of subcall function 00408C8C: _mbscat.MSVCRT ref: 00408D90
Part of subcall function 00408C8C: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00408DAC

Strings

menu_%d, xrefs: 00408E02

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
String ID: menu_%d
API String ID: 1129539653-2417748251
Opcode ID: 30b56b049a2eb5bda87ce11c85315f509722c2b72e9c228685a229b9196fe7c0
Instruction ID: fc9d5e34a24bd2be33db7f468ba420a1802cee0dbde2c18454a4e056650a0418
Opcode Fuzzy Hash: 30b56b049a2eb5bda87ce11c85315f509722c2b72e9c228685a229b9196fe7c0
Instruction Fuzzy Hash: 96D0C23064174022FB3023266D0EF4B29595BC3B47F1400AEF400B10D2CBBC400486BE

Uniqueness

Uniqueness Score: -1.00%

Function 00409570, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406D34: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409576,00000000,00409494,?,00000000,00000104), ref: 00406D3F

strrchr.MSVCRT ref: 00409579
_mbscat.MSVCRT ref: 0040958E

Strings

_lng.ini, xrefs: 00409588

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: FileModuleName_mbscatstrrchr
String ID: _lng.ini
API String ID: 3334749609-1948609170
Opcode ID: 169f9a88f7015fda69d2ff589ea03c9427a0f81af7901bdb9d43f3987180f798
Instruction ID: 2d2b68270352c45da0ce721119a0fec427a5e2ae0c2a4fc26ba4743072087242
Opcode Fuzzy Hash: 169f9a88f7015fda69d2ff589ea03c9427a0f81af7901bdb9d43f3987180f798
Instruction Fuzzy Hash: 25C080521466A024F1173222AD03B4F05844F5370CF25005BFD01351C3EF9D453141FF

Uniqueness

Uniqueness Score: -1.00%

Function 00406E81, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT ref: 00406E89

Part of subcall function 00406AF3: strlen.MSVCRT ref: 00406AF4
Part of subcall function 00406AF3: _mbscat.MSVCRT ref: 00406B0B

_mbscat.MSVCRT ref: 00406E98

Strings

sqlite3.dll, xrefs: 00406E81

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: _mbscat$_mbscpystrlen
String ID: sqlite3.dll
API String ID: 1983510840-1155512374
Opcode ID: 680d605fc7031f1bb097eb1115807af08001ddb79e65e6985d80c366fbe9924b
Instruction ID: b4f080e30331be102d7f345a143f57ec91a882a22c28ed8e87256c61ce2af050
Opcode Fuzzy Hash: 680d605fc7031f1bb097eb1115807af08001ddb79e65e6985d80c366fbe9924b
Instruction Fuzzy Hash: E3C0803240513125BB0177717C028AF7D48DF82394B01046EF58561111DD694D3255EB

Uniqueness

Uniqueness Score: -1.00%

Function 004033A2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(Server Details,?,0044551F,34@,0000007F,?), ref: 004033BA

Strings

Server Details, xrefs: 004033B5
34@, xrefs: 004033A8

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: PrivateProfileString
String ID: 34@$Server Details
API String ID: 1096422788-1041202369
Opcode ID: c5e07b1729637358d3cbf99362b971886faaa8c49ae95f38c817c63fe3903b9a
Instruction ID: 5dc36b059aaaf95d4d37dbe6dd28276a8f332030ee7f3b0879c7395586969e1a
Opcode Fuzzy Hash: c5e07b1729637358d3cbf99362b971886faaa8c49ae95f38c817c63fe3903b9a
Instruction Fuzzy Hash: FFC04C36948B01BBDE029F909D05F1EBE62BBA8B01F504519F285210AB82754524EB26

Uniqueness

Uniqueness Score: -1.00%

Function 0042BE74, Relevance: 5.2, APIs: 4, Instructions: 185COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042BF32
memcpy.MSVCRT ref: 0042BF68
memset.MSVCRT ref: 0042BF83
memcpy.MSVCRT ref: 0042BFBF

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: f2cf12dda973bb4c216f8cbd091c1f622c493a2bbdd48a3f51df23d375ad87cf
Instruction ID: 1cbfd9147006f86015284e0c7f96a5a033359537089e49602f9f07bbf2bf02d4
Opcode Fuzzy Hash: f2cf12dda973bb4c216f8cbd091c1f622c493a2bbdd48a3f51df23d375ad87cf
Instruction Fuzzy Hash: B761DE72604702AFDB20DF65E981A6BB7E4FF44304F44492EFA5982250D738ED54CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 004081FD, Relevance: 5.1, APIs: 4, Instructions: 104stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040820C
memset.MSVCRT ref: 00408244
memcpy.MSVCRT ref: 00408301
LocalFree.KERNEL32(00000000,?,?,?,?,75D6ED80,?,00000000), ref: 0040832C

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: FreeLocalmemcpymemsetstrlen
String ID:
API String ID: 3110682361-0
Opcode ID: 248d061ae36dd9180c5fbe6d0462f2886f4330fdc0375cf8b316066c10295751
Instruction ID: 82d09d3ec766172f421874171fbd662b4eebf604b8883e80537bb62e226e9057
Opcode Fuzzy Hash: 248d061ae36dd9180c5fbe6d0462f2886f4330fdc0375cf8b316066c10295751
Instruction Fuzzy Hash: 0631F832D0011D9BDF10DB64CD81BDEBBB8EF55314F1005BAE984B7281DA799E85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00415B07, Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00415B30
memcpy.MSVCRT ref: 00415B54
memcpy.MSVCRT ref: 00415B7B
memcpy.MSVCRT ref: 00415BA1

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: fabc9ae393473dab2d99963d71926c72f988121b711c3d64f0b7c32c5eef3d59
Instruction ID: c59a560e0875e34eddc7238b356bca14a42e0d2f6379eea325777a24e0ec34d0
Opcode Fuzzy Hash: fabc9ae393473dab2d99963d71926c72f988121b711c3d64f0b7c32c5eef3d59
Instruction Fuzzy Hash: 2E11E6B7D00618ABDB01DFA4DC899DEB7ACEB49310F414836FA05CB140E634E2488799

Uniqueness

Uniqueness Score: -1.00%

Function 004096FB, Relevance: 5.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00407142: memset.MSVCRT ref: 00407150

??2@YAPAXI@Z.MSVCRT ref: 00409710
??2@YAPAXI@Z.MSVCRT ref: 00409739
??2@YAPAXI@Z.MSVCRT ref: 0040975A
??2@YAPAXI@Z.MSVCRT ref: 0040977B

Memory Dump Source

Source File: 00000018.00000002.308838122.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000018.00000002.308832286.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000018.00000002.308875675.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308881473.0000000000452000.00000040.00020000.sdmp Download File
Associated: 00000018.00000002.308889539.0000000000457000.00000080.00020000.sdmp Download File
Associated: 00000018.00000002.308898220.0000000000458000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_400000_B.jbxd

Yara matches

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: 140a0eb12754db57aa6ada1794f3b2876fa7f9e0ec6800b52e06a5fe23b56631
Instruction ID: 34b624653e935ab7e36b2538589d62cee4ebe89d27a66743b3a416ac641d4af2
Opcode Fuzzy Hash: 140a0eb12754db57aa6ada1794f3b2876fa7f9e0ec6800b52e06a5fe23b56631
Instruction Fuzzy Hash: 8321B3B5A65300CEE7559F6A9845915FBE4FF90310B2AC8BF9218DB2B2D7B8C8408B15

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report https://archive.org/download/MCOPY/MCOPY.tar

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Function 053602A8, Relevance: 4.2, Strings: 3, Instructions: 481
COMMON

Function 014AB0B2, Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 014AAB70, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 014AA504, Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Function 014AA9E2, Relevance: 1.6, APIs: 1, Instructions: 91
pipeCOMMON

Function 014AA120, Relevance: 1.6, APIs: 1, Instructions: 83
fileCOMMON

Function 014AB0E2, Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 014AAB96, Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 014AA77C, Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Function 014AA85F, Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre